12-07-2012 08:47 AM - edited 03-11-2019 05:34 PM
Hello. We have an ASA5510 and I need to open port 22 for a specific IP in our LAN, outbound only. How do I do that? Thanks.
12-07-2012 09:05 AM
Hello Asif,
Can you clarify, you want to permit ssh access from or to your LAN?
12-07-2012 09:10 AM
I think to my LAN. But just to a specific IP. There is a company who needs to remote into a machine that has a static IP for support purposes, and they want port 22 to be open for outbound traffic only, just for that IP.
12-07-2012 09:16 AM
Asif,
In this case you need to do the following:
1. ASA version before 8.3
If you already have an access-list attached to the outside interface you can just put these two statements at the beginning:
access-list
access-list
2. ASA version after 8.3
If you already have an access-list attached to the outside interface you can just put these two statements at the beginning:
access-list
access-list
This will make only one host on the LAN accessible via ssh; all other ssh traffic to your LAN will be denied.
Please rate helpful posts
Best Regards,
Eugene
12-07-2012 10:40 AM
My ASA is 8.3(2). So I would use the after 8.3 statements right?
Is the "real ip of the host" the internal static IP?
12-07-2012 10:43 AM
Hi Asif,
Yes, your option is after 8.3, and real ip address - is your internal ip.
Please rate helpful posts
Best Regards,
Eugene
12-07-2012 11:10 AM
OK. Now do I need to have the second statement too? Instead, can I include the IP of the company who will be ssh'ing into my internal IP? The reason why I say this is because I'm not sure if I want to block all other ssh connections, if there are any.
12-07-2012 11:22 AM
If you don't need to block other ssh traffic, then you don't need second statement.
Regarding the source ip address, yes you can include it. The access list statement on the outside interface in this case will look like:
access-list
Please consider using this variant; in the previous post "any" and "host" should be swapped.
Please rate helpful posts
Best Regards,
Eugene
12-07-2012 11:35 AM
Great. Thanks for your help. And how do I assign this access-list to the outside interface?
12-07-2012 11:39 AM
You can assign the access-list with the following command:
access-group
Also, access-lists contain an explicit "deny any any" at the end.
Please refer to configuration guide:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/acl_overview.html
Please rate helpful posts
Best Regards,
Eugene
12-07-2012 11:44 AM
At the end? At the end of my statement?
12-07-2012 11:50 AM
Also, instead of having "ssh" at the end of the statement I could just use "22" right?
12-07-2012 12:21 PM
At the end of the access-list, and yes, you can use 22.
Best Regards,
Eugene
12-07-2012 12:26 PM
Now I'm confused. My statement will look like this right?
access-list cary-PCMC extended permit tcp host
access-group cary-PCMC in interface outside
12-07-2012 12:45 PM
As I said before, in each access-list there is an implicit deny any any statement; if you have only this configuration, only ssh will work from outside.
Please refer to the link, which I already provided.
Best Regards,
Eugene
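Added example (not from any post in this thread): the complete post-8.3 configuration the thread converges on, written out with hypothetical values. The vendor source address 203.0.113.10, the inside real address 192.168.1.50, the public mapped address 198.51.100.5 and the object names are assumptions; the ACL name cary-PCMC is the one the original poster used. The static NAT object is also an assumption, included because a post-8.3 ASA filters inbound traffic on the real (inside) address, which is what the thread means by "real ip of the host".

```text
! ASA 8.3+ syntax. Assumed values, not from the thread:
!   203.0.113.10  = the support vendor's public source address
!   192.168.1.50  = the internal machine's real (inside) address
!   198.51.100.5  = the public address the vendor connects to (static NAT)
!
! Post-8.3 ACLs on the outside interface reference the REAL inside
! address, not the mapped public one.

object network VENDOR_HOST
 host 203.0.113.10

object network SSH_SERVER_REAL
 host 192.168.1.50
 nat (inside,outside) static 198.51.100.5

! Only this vendor, only to this host, only TCP/22 ("eq ssh" is equivalent)
access-list cary-PCMC extended permit tcp object VENDOR_HOST object SSH_SERVER_REAL eq 22

! Optional: explicit deny for all other inbound SSH so the drops are logged.
! Without it, the implicit deny at the end of the ACL drops them silently.
access-list cary-PCMC extended deny tcp any any eq 22 log

access-group cary-PCMC in interface outside
```

To check the result, `show access-list cary-PCMC` shows the hit count on each line, and `packet-tracer input outside tcp 203.0.113.10 12345 198.51.100.5 22` walks a simulated packet through NAT and the ACL and reports whether it would be allowed; a second run from a different source address should end in a DROP on the ACL phase. Return traffic for connections the inside host itself opens is handled by the stateful inspection and does not need a permit line of its own.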