ashah
Beginner

ASA 5510 - Open outbound port for specific IP

Hello. We have an ASA5510 and I need to open port 22 for a specific IP in our LAN, outbound only. How do I do that? Thanks.

15 Replies
Eugene Korneychuk
Cisco Employee

Hello Asif,

Can you clarify, you want to permit ssh access from or to your LAN?

I think to my LAN. But just to a specific IP. There is a company who needs to remote into a machine that has a static IP for support purposes, and they want port 22 to be open for outbound traffic only, just for that IP.

Asif,

In this case you need to do the following:

1. ASA version before 8.3

If you already have an access-list attached to the outside interface you can just put these two statements at the beginning:

access-list extended permit tcp host any eq ssh

access-list extended deny tcp any any eq ssh

2. ASA version after 8.3

If you already have an access-list attached to the outside interface you can just put these two statements at the beginning:

access-list extended permit tcp host any eq ssh

access-list extended deny tcp any any eq ssh

This will make only one host on the LAN accessible via ssh; all other ssh traffic to your LAN will be denied.

Please rate helpful posts

Best Regards,

Eugene

My ASA is 8.3(2). So I would use the after 8.3 statements right?

Is the "real ip of the host" the internal static IP?

Hi Asif,

Yes, your option is after 8.3, and the real ip address is your internal ip.

Please rate helpful posts

Best Regards,

Eugene

OK. Now do I need to have the second statement too? Instead, can I include the IP of the company who will be ssh'ing into my internal IP? The reason I say this is because I'm not sure if I want to block all other ssh connections, if there are any.

If you don't need to block other ssh traffic, then you don't need the second statement.

Regarding the source ip address, yes, you can include it. The access list statement on the outside interface in this case will look like:

access-list extended permit tcp host host  eq ssh

Please consider using this variant; in the previous post "any" and "host" should be swapped.

Please rate helpful posts

Best Regards,

Eugene

Great. Thanks for your help. And how do I assign this access-list to the outside interface?

You can assign the access-list with the following command:

access-group in interface

Also, access-lists contain an explicit "deny any any" at the end.

Please refer to configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_overview.html

Please rate helpful posts

Best Regards,

Eugene

At the end? At the end of my statement?

Also, instead of having "ssh" at the end of the statement, I could just use "22", right?

At the end of the access-list, and yes, you can use 22.

Best Regards,

Eugene

Now I'm confused. My statement will look like this right?

access-list cary-PCMC extended permit tcp host host 192.168.1.100 eq ssh

access-group cary-PCMC in interface outside

As I said before, in each access-list there is an implicit deny any any statement; if you have only this configuration, only ssh will work from outside.

Please refer to the link, which I already provided.

Best Regards,

Eugene
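Added example, not from the thread or from Cisco: one complete way the resulting configuration could look on the asker's 8.3(2) ASA, with the pieces the thread leaves elided filled in by constructed placeholder values. The vendor's source address 192.0.2.10 and the spare public address 203.0.113.5 used for the static NAT are assumptions; 192.168.1.100 and the ACL name cary-PCMC come from the thread. It also assumes, as the thread does not state, that the inside host must be reachable from the outside through a static NAT, since on 8.3 and later the outside ACL matches the real (inside) address, as Eugene notes. The security value of the ACE is that both the source and the destination are pinned to single hosts on a single port, and everything else inbound falls to the implicit deny.

```cisco
! Added example configuration (not the thread's own). Placeholder values:
!   192.0.2.10    = vendor's public source IP (assumed, TEST-NET-1)
!   203.0.113.5   = spare public IP on the outside subnet for the static NAT (assumed)
!   192.168.1.100 = internal support PC, taken from the thread
!
! Static NAT so the vendor can reach the inside host on its public address
object network SUPPORT-PC
 host 192.168.1.100
 nat (inside,outside) static 203.0.113.5
!
! Post-8.3 ACL on the outside interface references the REAL (inside) address.
! Source pinned to the vendor's host, destination pinned to the support PC, TCP/22 only.
access-list cary-PCMC extended permit tcp host 192.0.2.10 host 192.168.1.100 eq ssh
!
! Bind the ACL inbound on the outside interface. Anything not matched is dropped
! by the implicit deny at the end of the list.
access-group cary-PCMC in interface outside
!
! If an ACL is already bound to outside, insert the ACE at the top instead of
! creating a new list (replace EXISTING-ACL with that list's name):
! access-list EXISTING-ACL line 1 extended permit tcp host 192.0.2.10 host 192.168.1.100 eq ssh
!
! Verification after the vendor tests the connection: the ACE hit count should
! increase and the translation should be present.
show access-list cary-PCMC
show nat detail
```

Two points worth checking before applying this: binding a new ACL to the outside interface replaces whatever inbound policy was there, so on a firewall that already has an outside ACL the `line 1` form above is the safer change, and the hit counter on `show access-list` is the quickest way to confirm that only the vendor's address is matching the rule.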
