https://community.cisco.com/t5/network-security/access-list/m-p/1274987#M858951 <HTML><HEAD></HEAD><BODY><P>Sam</P><P></P><P>If the old statement is not being used by anything else and it shouldn't be as it references only the sftp server then you can remove the old statement and put the new one in during production hours. I've done this many times.</P><P></P><P>But, if you are not that confident then i would always recommend doing it out of key production hours. Better to be safe than sorry <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Jon</P></BODY></HTML> Fri, 03 Jul 2009 11:56:20 GMT Jon Marshall 2009-07-03T11:56:20Z https://community.cisco.com/t5/network-security/access-list/m-p/1274979#M858929 <P>We have a sftp server on the dmz. Will the following access list allow outside users to access the sftp server on port 22 from the outside?</P><P>access-list outside-acl extended permit tcp any host qq.ww.ee.rr</P> Mon, 11 Mar 2019 15:50:26 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274979#M858929 saidfrh18 2019-03-11T15:50:26Z https://community.cisco.com/t5/network-security/access-list/m-p/1274980#M858930 <HTML><HEAD></HEAD><BODY><P>That looks like it should work. You only need two more things (which you probably already have): apply the ACL to the outside interface in the inbound direction, and make sure the IP you use in the ACL is the outside NAT of your sftp server.</P><P></P><P>Good luck!</P></BODY></HTML> Thu, 02 Jul 2009 19:39:24 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274980#M858930 branfarm1 2009-07-02T19:39:24Z https://community.cisco.com/t5/network-security/access-list/m-p/1274981#M858934 <HTML><HEAD></HEAD><BODY><P>Sam</P><P></P><P>Use the IP address rather than the host name and include the port number ie.</P><P></P><P>access-list outside-acl extended permit tcp any host x.x.x.x eq 22</P><P></P><P>Jon</P></BODY></HTML> Thu, 02 Jul 2009 19:40:13 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274981#M858934 Jon Marshall 2009-07-02T19:40:13Z https://community.cisco.com/t5/network-security/access-list/m-p/1274982#M858937 <HTML><HEAD></HEAD><BODY><P>Edit: Looks like this already been said. Please disregard.</P><P></P><P>-Mike</P><P></P><P></P><P></P><P>Sam,</P><P></P><P>While the access-list statement you posted would probably work (you could tighten it down even further by adding 'eq 22' to the end of the line), we would need to see more of your configuration before we can confirm with certainty. At a minimum, you also need to check:</P><P></P><P>-You have correctly configured NAT</P><P>-There are no conflicting statements in the "outside-acl" access list</P><P>-The "outside-acl" access list is applied to the outside interface in the inbound direction</P><P></P><P>Feel free to post a bit more of your sanitized config and we will be able to give you a more definitive answer.</P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Thu, 02 Jul 2009 19:43:26 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274982#M858937 robertson.michael 2009-07-02T19:43:26Z https://community.cisco.com/t5/network-security/access-list/m-p/1274983#M858939 <HTML><HEAD></HEAD><BODY><P>Thanks Jon, Aha, the access-list must include eq 22. Folks from outside are not able to access the server. I will try it.</P><P></P></BODY></HTML> Thu, 02 Jul 2009 19:45:24 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274983#M858939 saidfrh18 2009-07-02T19:45:24Z https://community.cisco.com/t5/network-security/access-list/m-p/1274984#M858942 <HTML><HEAD></HEAD><BODY><P>Jon,</P><P>The access list reads...Line 10...</P><P>access-list outside-acl line 11 extended permit tcp any host qq.ww.ee.rr</P><P>...line 16.</P><P></P><P>What is the procedure to insert the following on an ASA? </P><P>access-list outside-acl extended permit tcp any host qq.ww.ee.rr eq 22</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 02 Jul 2009 20:23:11 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274984#M858942 saidfrh18 2009-07-02T20:23:11Z https://community.cisco.com/t5/network-security/access-list/m-p/1274985#M858944 <HTML><HEAD></HEAD><BODY><P>Sam</P><P></P><P>It should still work with only tcp so it looks like you need to check your NAT setup. What is the IP address of the server and is this server being natted to a public IP. If it is natted then you need to use the public IP in your acl entry.</P><P></P><P>To answer your question</P><P></P><P>no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr</P><P></P><P>access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr eq ssh</P><P></P><P>Jon</P></BODY></HTML> Thu, 02 Jul 2009 20:31:40 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274985#M858944 Jon Marshall 2009-07-02T20:31:40Z https://community.cisco.com/t5/network-security/access-list/m-p/1274986#M858948 <HTML><HEAD></HEAD><BODY><P>The server is on dmz. the server has a private ip and is being natted to public ip address qq.ww.ee.rr .</P><P></P><P>So, I should remove old statement and insert new statement. Will changing above config effect production? Must it be done after hours?</P></BODY></HTML> Thu, 02 Jul 2009 23:10:32 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274986#M858948 saidfrh18 2009-07-02T23:10:32Z https://community.cisco.com/t5/network-security/access-list/m-p/1274987#M858951 <HTML><HEAD></HEAD><BODY><P>Sam</P><P></P><P>If the old statement is not being used by anything else and it shouldn't be as it references only the sftp server then you can remove the old statement and put the new one in during production hours. I've done this many times.</P><P></P><P>But, if you are not that confident then i would always recommend doing it out of key production hours. Better to be safe than sorry <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Jon</P></BODY></HTML> Fri, 03 Jul 2009 11:56:20 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274987#M858951 Jon Marshall 2009-07-03T11:56:20Z https://community.cisco.com/t5/network-security/access-list/m-p/1274988#M858953 <HTML><HEAD></HEAD><BODY><P>Jon,</P><P>We have "access-list outside-acl line 16 extended permit tcp any host qq.ww.ee.rr eq https". Should we still insert "no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr ? What difference does it make if we had all three statements?</P><P></P><P></P><P></P></BODY></HTML> Fri, 03 Jul 2009 15:03:44 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274988#M858953 saidfrh18 2009-07-03T15:03:44Z https://community.cisco.com/t5/network-security/access-list/m-p/1274989#M858954 <HTML><HEAD></HEAD><BODY><P>Sam</P><P></P><P>If you have all 3 statements then all tcp ports are allowed from the internet to your server. What you should do is </P><P></P><P>1) remove the line 11 </P><P>2) add in the line for the specific port of 22</P><P></P><P>both of the above covered in the previous post</P><P></P><P>3) leave the line in that allows https</P><P></P><P>Jon</P></BODY></HTML> Fri, 03 Jul 2009 15:11:25 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274989#M858954 Jon Marshall 2009-07-03T15:11:25Z https://community.cisco.com/t5/network-security/access-list/m-p/1274990#M858955 <HTML><HEAD></HEAD><BODY><P>Jon,</P><P></P><P>The following changes in the ASA config still will not allow FTP client to ssh to the SFTP server. Do you have any suggestions? FYI, One client software reverts to port 990, another client software automaticaly reverts to port 21. Any advise would be appreciative. Would TCP port(s) 22 need to be explicitly opened on the perimeter router?</P><P>Thanks.</P><P>Said </P></BODY></HTML> Wed, 08 Jul 2009 19:45:04 GMT https://community.cisco.com/t5/network-security/access-list/m-p/1274990#M858955 saidfrh18 2009-07-08T19:45:04Z