https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151731#M874798 <HTML><HEAD></HEAD><BODY><P>That is NOT an acceptable solution. Let say that your SSH server is located in the DMZ network and that you want to make it accessible to both Intranet and Internet users. With Intranet users, you want to give them the option to use either ssh version 1 or version 2; however, for Internet users, they are forced to use ssh version 2 for enhanced security. Most people want to it on the firewall which makes sense.</P></BODY></HTML> Fri, 20 Mar 2009 13:54:07 GMT cisco24x7 2009-03-20T13:54:07Z https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151727#M874791 <P>Hello Guys,</P><P></P><P>Is there any way to block SSH and allow only SFTP?</P><P>Thanks in advance</P> Mon, 11 Mar 2019 15:07:40 GMT https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151727#M874791 harish.ab 2019-03-11T15:07:40Z https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151728#M874794 <HTML><HEAD></HEAD><BODY><P>No - SSH and SFTP use the same default TCP port of 22.</P><P></P><P>Now what you can do is change the server to use a different SFTP port instead of TCP/22 - to something else.</P><P></P><P>HTH&gt;</P><P></P></BODY></HTML> Fri, 20 Mar 2009 08:53:36 GMT https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151728#M874794 andrew.prince 2009-03-20T08:53:36Z https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151729#M874795 <HTML><HEAD></HEAD><BODY><P>How do you block ssh version 1 and allow only ssh version 2 across the ASA?</P></BODY></HTML> Fri, 20 Mar 2009 09:45:17 GMT https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151729#M874795 newatcisco 2009-03-20T09:45:17Z https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151730#M874797 <HTML><HEAD></HEAD><BODY><P>AFAIK - the ASA will not inspect the version of SSH as it passes thru it. If you only want to allow version 2 of SSH - then configure the server to only accept version 2</P></BODY></HTML> Fri, 20 Mar 2009 10:22:27 GMT https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151730#M874797 andrew.prince 2009-03-20T10:22:27Z https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151731#M874798 <HTML><HEAD></HEAD><BODY><P>That is NOT an acceptable solution. Let say that your SSH server is located in the DMZ network and that you want to make it accessible to both Intranet and Internet users. With Intranet users, you want to give them the option to use either ssh version 1 or version 2; however, for Internet users, they are forced to use ssh version 2 for enhanced security. Most people want to it on the firewall which makes sense.</P></BODY></HTML> Fri, 20 Mar 2009 13:54:07 GMT https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151731#M874798 cisco24x7 2009-03-20T13:54:07Z https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151732#M874799 <HTML><HEAD></HEAD><BODY><P>So how do you configure the firewall to filter on the version then, as the version is session based information?</P></BODY></HTML> Fri, 20 Mar 2009 14:14:46 GMT https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151732#M874799 andrew.prince 2009-03-20T14:14:46Z https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151733#M874800 <HTML><HEAD></HEAD><BODY><P>I have not used ASA in a while so I could be wrong here but it can not be done on ASA appliance. </P><P></P><P>Other vendors such as Juniper and Checkpoint, you can define a service "ssh" and "ssh_version_2". That way, the firewall can look at the initial hand-shake of the ssh connection and determine whether it is an ssh version 1 or ssh version 2 connection. If you specify ssh, it will assume both version 1 and version 2. If you specify ssh version_2, it will only accept only version through the firewall.</P><P></P><P>For intranet users, you use ssh. For Internet users that require enhanced security, only ssh version 2 is allowed.</P></BODY></HTML> Fri, 20 Mar 2009 15:12:37 GMT https://community.cisco.com/t5/network-security/block-ssh-and-allow-sftp/m-p/1151733#M874800 cisco24x7 2009-03-20T15:12:37Z