5835
Views
5
Helpful
15
Replies
Beginner

ASA 5510 - Open outbound port for specific IP

Hello. We have an ASA5510 and I need to open port 22 for a specific IP in our LAN, outbound only. How do I do that? Thanks.

15 REPLIES

Cisco Employee

Hello Asif,

Can you clarify, you want to permit ssh access from or to your LAN?

Beginner

I think to my LAN. But just to a specific IP. There is a company who needs to remote into a machine that has a static IP for support purposes, and they want port 22 to be open for outbound traffic only, just for that IP.

Cisco Employee

Asif,

In this case you need to do the following:

1. ASA version before 8.3

If you already have an access-list attached to the outside interface you can just put these two statements at the beginning (the angle-bracket parts are placeholders you replace with your own values):

access-list <acl-name> extended permit tcp host <mapped ip of the host> any eq ssh

access-list <acl-name> extended deny tcp any any eq ssh

2. ASA version after 8.3

If you already have an access-list attached to the outside interface you can just put these two statements at the beginning:

access-list <acl-name> extended permit tcp host <real ip of the host> any eq ssh

access-list <acl-name> extended deny tcp any any eq ssh

This will make only one host on the LAN accessible via ssh; all other ssh traffic to your LAN will be denied.

Please rate helpful posts

Best Regards,

Eugene

Beginner

My ASA is 8.3(2). So I would use the after 8.3 statements right?

Is the "real ip of the host" the internal static IP?

Cisco Employee

Hi Asif,

Yes, your option is the "after 8.3" one, and the real IP address is your internal IP.

Please rate helpful posts

Best Regards,

Eugene

Beginner

OK. Now, do I need to have the second statement too? Instead, can I include the IP of the company who will be ssh'ing into my internal IP? The reason I ask is because I'm not sure I want to block all other ssh connections, if there are any.

Cisco Employee

If you don't need to block other ssh traffic, then you don't need the second statement.

Regarding the source IP address, yes, you can include it. The access-list statement on the outside interface in this case will look like (placeholders in angle brackets):

access-list <acl-name> extended permit tcp host <company ip> host <real ip of the host> eq ssh

Please use this variant; in the previous post "any" and "host" should be swapped.

Please rate helpful posts

Best Regards,

Eugene

Beginner

Great. Thanks for your help. And how do I assign this access-list to the outside interface?

Cisco Employee

You can assign the access-list with the following command (placeholders in angle brackets):

access-group <acl-name> in interface <interface name>

Also, access-lists contain an explicit "deny any any" at the end.

Please refer to configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_overview.html

Please rate helpful posts

Best Regards,

Eugene

Beginner

At the end? At the end of my statement?

Beginner

Also, instead of having "ssh" at the end of the statement I could just use "22" right?

Cisco Employee

At the end of the access-list, and yes, you can use 22.

Best Regards,

Eugene

Beginner

Now I'm confused. My statement will look like this, right? (The company's address is shown as a placeholder here.)

access-list cary-PCMC extended permit tcp host <company ip> host 192.168.1.100 eq ssh

access-group cary-PCMC in interface outside

Cisco Employee

As I said before, in each access-list there is an implicit "deny any any" statement; if you have only this configuration, only ssh will work from outside.

Please refer to the link, which I already provided.

Best Regards,

Eugene
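The rules Eugene describes (first match wins, an implicit deny at the end, and the source/destination order that had to be swapped) are easy to get wrong by reading alone. The following is an added example, not code from this thread or from Cisco: a small Python model of how an interface access-list is evaluated against a packet. The addresses 203.0.113.10 (the support company), 198.51.100.7 (an unrelated host) and the ACL name cary-PCMC are assumed sample values; 192.168.1.100 is the internal host from the thread. It parses the subset of `access-list NAME extended ...` syntax used here and shows that the corrected ACE admits only the vendor's SSH session, that everything else from outside falls to the implicit deny, and that the earlier `host <ip> any` form never matches inbound traffic on the outside interface.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source, destination, optional destination port."""
    action: str            # "permit" or "deny"
    src: str               # "any", or a network in CIDR or NETWORK/MASK form
    dst: str
    dport: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def _parse_addr(toks: List[str], i: int) -> Tuple[str, int]:
    # ASA address forms: "any", "host A.B.C.D", or "NETWORK MASK"
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return toks[i + 1] + "/32", i + 2
    return f"{toks[i]}/{toks[i + 1]}", i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended <action> tcp SRC DST [eq PORT]' (the subset used in the thread)."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] != "extended" or toks[4] != "tcp":
        raise ValueError(f"unsupported ACE syntax: {line}")
    action = toks[3]
    src, i = _parse_addr(toks, 5)
    dst, i = _parse_addr(toks, i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        # The ASA accepts the service name or the number; "ssh" and "22" are equivalent.
        dport = 22 if toks[i + 1] == "ssh" else int(toks[i + 1])
    return Ace(action, src, dst, dport)


def _match_addr(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; no match falls through to the implicit deny (index None)."""
    for idx, ace in enumerate(acl):
        if (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)
                and (ace.dport is None or ace.dport == pkt.dport)):
            return ace.action, idx
    return "deny", None


# Constructed sample addresses (assumed, not from the thread): the support company's
# public IP and an unrelated outside host. The internal host is the thread's 192.168.1.100;
# on 8.3 and later the ACE references this real address, as Eugene states.
VENDOR_IP = "203.0.113.10"
OTHER_IP = "198.51.100.7"
INTERNAL_HOST = "192.168.1.100"

# The statement the thread converges on: source host first, destination host second.
CORRECT_ACL = [parse_ace(
    f"access-list cary-PCMC extended permit tcp host {VENDOR_IP} host {INTERNAL_HOST} eq ssh")]

# The earlier form with "any" and "host" in the wrong positions. Applied inbound on the
# outside interface it never matches: the internal host is the destination, not the source.
SWAPPED_ACL = [parse_ace(
    f"access-list cary-PCMC extended permit tcp host {INTERNAL_HOST} any eq ssh")]


def vendor_ssh(acl: List[Ace]) -> str:
    return evaluate(acl, Packet(VENDOR_IP, INTERNAL_HOST, 22))[0]


def stranger_ssh(acl: List[Ace]) -> str:
    return evaluate(acl, Packet(OTHER_IP, INTERNAL_HOST, 22))[0]


def vendor_rdp(acl: List[Ace]) -> str:
    return evaluate(acl, Packet(VENDOR_IP, INTERNAL_HOST, 3389))[0]


if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ACL), ("swapped", SWAPPED_ACL)):
        print(f"{name}: vendor ssh={vendor_ssh(acl)}, stranger ssh={stranger_ssh(acl)}, "
              f"vendor rdp={vendor_rdp(acl)}")
```

Because the ASA is stateful, the reply packets of the permitted session are matched to the connection rather than to the ACL, so no separate outbound ACE is needed for them. The NAT rule that makes the internal host reachable from outside is a separate piece of configuration that the thread does not show; the model above only covers the access-list decision.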
