Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

6094
Views
5
Helpful
15
Replies
ashah
Beginner
Beginner
‎12-07-2012 08:47 AM
‎12-07-2012 08:47 AM

ASA 5510 - Open outbound port for speacific IP

Hello. We have a ASA5510 and I need to open port 22 for a speacific IP in our LAN outbound only. How do I do that? Thanks.                  

Labels:
0 Helpful
15 REPLIES 15
Eugene Korneychuk
Cisco Employee
Cisco Employee
‎12-07-2012 09:05 AM
‎12-07-2012 09:05 AM

Hello Asif,

Can you clarify, you want to permit ssh access from or to your LAN?

0 Helpful
ashah
Beginner
Beginner
In response to Eugene Korneychuk
‎12-07-2012 09:10 AM
‎12-07-2012 09:10 AM

I think to my LAN. But just to a speacific IP. There is a company who needs to a remote into a machine that has a static IP for support purposes and they want port 22 to be open for outbound traffic only just for that IP.

0 Helpful
Eugene Korneychuk
Cisco Employee
Cisco Employee
In response to ashah
‎12-07-2012 09:16 AM
‎12-07-2012 09:16 AM

Asif,

In this case you need to do the following:

1. ASA version before 8.3

If you alredy have access-list attached to the outside interface you can just put this two statements at the beggining:

access-list extended permit tcp host any eq ssh

access-list extended deny tcp any any eq ssh

2. ASA version after 8.3

If you alredy have access-list attached to the outside interface you can just put this two statements at the beggining:

access-list extended permit tcp host any eq ssh

access-list extended deny tcp any any eq ssh

this will make only one host on the LAN accesible via ssh, all other ssh traffic to your LAN will be denied

Please rate helpful posts

Best Regards,

Eugene

ashah
Beginner
Beginner
In response to Eugene Korneychuk
‎12-07-2012 10:40 AM
‎12-07-2012 10:40 AM

My ASA is 8.3(2). So I would use the after 8.3 statements right?

Is the "real ip of the host" the internal static IP?

0 Helpful
Eugene Korneychuk
Cisco Employee
Cisco Employee
In response to ashah
‎12-07-2012 10:43 AM
‎12-07-2012 10:43 AM

Hi Asif,

Yes, your option is after 8.3, and real ip address - is your internal ip.

Please rate helpful posts

Best Regards,

Eugene

0 Helpful
ashah
Beginner
Beginner
In response to Eugene Korneychuk
‎12-07-2012 11:10 AM
‎12-07-2012 11:10 AM

OK. Now do I need to have the second statement too. Instead can I include the IP of the company who will be ssh'ing into my internal IP? The reason why I say this is becauce I'm not sure if I want to block all other ssh connections if there are any.

0 Helpful
Eugene Korneychuk
Cisco Employee
Cisco Employee
In response to ashah
‎12-07-2012 11:22 AM
‎12-07-2012 11:22 AM

If you don't need to block other ssh traffic, then you don't need second statement.

Regarding source ip address, yes you can include it. Access list statement on outside interface in this case will look like:

access-list extended permit tcp host host  eq ssh

Please consider using this variant, in previous post "any" and "host" should be swapped

Please rate helpful posts

Best Regards,

Eugene

0 Helpful
ashah
Beginner
Beginner
In response to Eugene Korneychuk
‎12-07-2012 11:35 AM
‎12-07-2012 11:35 AM

Great. Thanks for your help. And how do I assign this access-list to the outside interface?

0 Helpful
Eugene Korneychuk
Cisco Employee
Cisco Employee
In response to ashah
‎12-07-2012 11:39 AM
‎12-07-2012 11:39 AM

You can assign access-list with following command:

access-group in interface

Also access-lists containts explicit "deny any any" at the end.

Please refer to configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_overview.html

Please rate helpful posts

Best Regards,

Eugene

0 Helpful
ashah
Beginner
Beginner
In response to Eugene Korneychuk
‎12-07-2012 11:44 AM
‎12-07-2012 11:44 AM

At the end? At the end of my statement?

0 Helpful
ashah
Beginner
Beginner
In response to ashah
‎12-07-2012 11:50 AM
‎12-07-2012 11:50 AM

Also, instead of having "ssh" at the end of the statement I could just use "22" right?

0 Helpful
Eugene Korneychuk
Cisco Employee
Cisco Employee
In response to ashah
‎12-07-2012 12:21 PM
‎12-07-2012 12:21 PM

At the end of the access-lists, and yes you can use 22

Best Regards,

Eugene

0 Helpful
ashah
Beginner
Beginner
In response to Eugene Korneychuk
‎12-07-2012 12:26 PM
‎12-07-2012 12:26 PM

Now I'm confused. My statement will look like this right?

access-list cary-PCMC extended permit tcp host host 192.168.1.100 eq ssh

access-group cary-PCMC in interface outside

0 Helpful
Eugene Korneychuk
Cisco Employee
Cisco Employee
In response to ashah
‎12-07-2012 12:45 PM
‎12-07-2012 12:45 PM

As I said before, in each access-list there is implicit deny any any statement, if you will have only this configuration, only ssh will work from outside.

Please refer to the link, which I already provided.

Best Regards,

Eugene

0 Helpful
Latest Contents
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
1
5
1
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
FMT 2.3.4 adding ASA migrations of S2S VPN in public beta
Created by William_Hansch on 03-22-2021 08:00 AM
1
10
1
10
The latest iteration (v2.3.4) of the Cisco Secure Firewall Migration Tool adds public beta support for S2S VPN migrations from ASA: Policy-based (crypto map) Pre-Shared key authentication type VPN configuration to Firepower Management Center VP... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 03-22-2021 04:40 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
ISE Data limiting best practices
Created by Jonathan Casillas on 03-18-2021 04:34 PM
0
5
0
5
Intro This document presents the ISE data limiting best practices that can dramatically improve the system performance on ISE. Symptoms Your deployment may be impacted if the alarms tab on ISE shows High load average, high CPU or high memoy usage alarm... view more
Content for Community-Ad