02-27-2015 06:26 AM - edited 03-11-2019 10:34 PM
Hi All,
I am able to SSH to my ASA Outside Interface and I'm not permitting this via ACL.
See below
access-list OUTBOUND_IN extended permit tcp any object TS object-group TS_PORTS
access-list OUTBOUND_IN extended permit tcp any object TS_1000 object-group TS_PORTS
access-list OUTBOUND_IN extended deny ip any4 any4
(The lines above are just permitting tcp ports to 3389 on a server I have)
access-group OUTBOUND_IN in interface outside
I can however SSH to the Outside Interface
I have the following also -
ssh x.x.x.x 255.255.255.0 outside
Where x.x.x.x is our company public range and where I am coming from. Does the SSH command override any ACL? Why is it I can SSH to Outside interface?
I'm sure it's logical, just not sure on the logic.
Thanks
02-27-2015 06:30 AM
Your ACLs control traffic going through the ASA, but not to the ASA itself.
So yes, you should be able to connect to the ASA from the allowed IPs even though you haven't allowed that in your ACL.
Jon
02-27-2015 06:41 AM
Interesting! So the SSH x.x.x.x y.y.y.y Outside/Inside command alone is what controls the SSH access to the ASA itself?
02-27-2015 06:54 AM
Yes it is.
Edit - just for your info, this is not the same with IOS routers and L3 interfaces on switches. On those devices an ACL applied inbound to an interface controls not just what traffic is allowed through the device but also what traffic is allowed to that interface.
Jon
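An added example, not from the thread or from Cisco: a small Python audit that reads the `ssh` statements out of an ASA config and answers the question the thread raises, whether a given source can SSH to a given interface, without consulting the interface ACL, exactly as Jon describes. The 203.0.113.0/24 range stands in for the poster's x.x.x.x, and the `inside` entry is constructed deliberately wide so the audit has something to flag.

```python
import ipaddress

# Constructed sample config: the thread's own lines, with x.x.x.x replaced
# by the documentation range 203.0.113.0/24, plus an inside entry written
# as 0.0.0.0 0.0.0.0 (any host) so the broadness check has a hit.
ASA_CONFIG = """\
access-list OUTBOUND_IN extended permit tcp any object TS object-group TS_PORTS
access-list OUTBOUND_IN extended deny ip any4 any4
access-group OUTBOUND_IN in interface outside
ssh 203.0.113.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
"""


def parse_ssh_rules(config):
    """Return (network, interface) pairs from 'ssh <ip> <mask> <iface>' lines.
    Other ssh keywords (timeout, version, key-exchange ...) are skipped;
    only the IPv4 form used in the thread is handled."""
    rules = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ssh":
            continue
        try:
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
        except ValueError:
            continue  # e.g. 'ssh key-exchange group ...'
        rules.append((net, parts[3]))
    return rules


def ssh_to_box_allowed(config, src_ip, iface):
    """Management-plane check: the access-group ACL is not consulted for
    traffic addressed to the ASA itself, only the ssh statements are."""
    src = ipaddress.IPv4Address(src_ip)
    return any(src in net and name == iface for net, name in parse_ssh_rules(config))


def overly_broad_ssh(config, min_prefixlen=24):
    """Flag ssh entries wider than min_prefixlen (0.0.0.0/0 means any host)."""
    return [(str(net), iface) for net, iface in parse_ssh_rules(config)
            if net.prefixlen < min_prefixlen]


if __name__ == "__main__":
    print(ssh_to_box_allowed(ASA_CONFIG, "203.0.113.7", "outside"))   # True
    print(ssh_to_box_allowed(ASA_CONFIG, "198.51.100.7", "outside"))  # False
    print(overly_broad_ssh(ASA_CONFIG))  # [('0.0.0.0/0', 'inside')]
```

Run it against a real `show running-config` dump to list which networks can reach the management plane on each interface; an `ssh 0.0.0.0 0.0.0.0 outside` line is the entry to look for first.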
02-27-2015 06:54 AM
Jon, thanks again.
Always helpful to learn these little things!