Cisco Community
English
Register
The War in Ukraine - Supporting customers, partners and communities. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1289
Views
0
Helpful
4
Replies
Richard Miller
Beginner
Beginner
‎02-05-2014 08:44 PM
‎02-05-2014 08:44 PM

Cannot Block Port 22 on ASA 5510

I have an ASA 5510 and port 22 is open. I thought by default that it should be blocked but when I check to see if the port is open by a website (e.g.,

http://www.yougetsignal.com/tools/open-ports) it shows that it is open. I opened Ports 80, 443, and 25. I added an access list by CLI and ASDM but it still shows that port 22 is open. Here is the script #access-list 100 extended deny tcp any any eq 22 and I done the same using ASDM but substituted ssh for the port number. Does anyone know why this port is open? I saw some activity on my firewall that someone (with an IP address based in China) was trying to access my network via port 22. I think they were running a port scanner. But I have no need to have port 22 open.

Any help would be appreciated

Thank you

Labels:
0 Helpful
4 REPLIES 4
vishaw jasrotia
Beginner
Beginner
‎02-05-2014 10:34 PM
‎02-05-2014 10:34 PM

Hello,

Need to check whether you have applied the access-list in proper direction.

E.g if you want to stop the access from outside interface then

access-group 100 in interface outside

Thanks

0 Helpful
Jouni Forss
Mentor
Mentor
‎02-05-2014 11:17 PM
‎02-05-2014 11:17 PM

Hi,

The ACLs will generally just block traffic through the ASA, not to the ASA.

In the newer softwares you have the option to build an ACL to block traffic destined to an actual ASA interface IP address

access-group in interface control-plane

This ACL should naturally be something used only for this purpose and not use an existing ACL.

Though regarding your SSH problem you might have enabled SSH management from behind "outside" with "any" source address

ssh 0.0.0.0 0.0.0.0 outside

You can check this with the command

show run ssh

The earlier command I mentioned overrides even the ACL setting that is used to limit connectivity to the ASA itself. So you might want to check how you SSH management setting is configured. This might be causing the results you are seeing.

- Jouni

0 Helpful
Richard Miller
Beginner
Beginner
In response to Jouni Forss
‎02-06-2014 07:33 AM
‎02-06-2014 07:33 AM

Thank you Jouni, it was the ssh management that was keeping the port open. I deleted the outside interface and the port is blocked. I appreciate you help so quickly.

Thanks again

0 Helpful
Jouni Forss
Mentor
Mentor
In response to Richard Miller
‎02-06-2014 07:45 AM
‎02-06-2014 07:45 AM

Hi,

Good to hear

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

0 Helpful
Latest Contents
Network Security All-in-one ASA FTD WSA Umbrella ISE VPN Lay...
Created by Meddane on 05-17-2022 06:18 AM
2
0
2
0
Multiple Cisco Security Technologies in a single book : ASA Firepower, WSA, Umbrella, ISE and VPN with 100 percent 100 practical scenarios with 70 Labs to cover important topics of the Cisco SCOR Exam. The best part is ISE with interesting scenarios wi... view more
Understanding IP Layer Enforcement on Cisco Umbrella
Created by Meddane on 05-17-2022 03:10 AM
0
5
0
5
Cisco Umbrella is a big DNS service that provides not only the DNS resolution but also if the hosted website is trust or malicious, the idea behind the Layer DNS Security is that the modern attacks uses the DNS in the first step either to redirect the use... view more
Cisco ISE Integration With F5 BIG-IP LTM Load Balancer for G...
Created by Meddane on 05-15-2022 02:24 AM
0
0
0
0
I shared with you this detailed document I created with 27 pages about Cisco ISE Integration With F5 BIG-IP Locar Traffic Manager LTM Load Balancer for Guest Acces.   The method used for Guest Access is the Self-Registration. Healt Monitor using HTTP... view more
Cisco ASA 9.714 version SNMP not working in EVE-NG LAB Envir...
Created by waqas.muhammad49 on 05-10-2022 06:56 AM
0
0
0
0
I created an IPSEC Site to site Tunnel between two ASA Firewalls in EVE-NG topology and i want to plot the IPSEC Site to Site VPN graph on PRTG ? The SNMP Walk command is not getting any output . As the firewall is making SNMP inbound connections with the... view more
ISE Integration with Eduroam External Server
Created by deepuvarghese1 on 05-09-2022 08:31 PM
3
20
3
20
The purpose of this document is to demonstrate how ISE can integrate with an eduroam external server which is a WI-Fi roaming service that provides international access to devices in education, research, and higher education. Students, teachers, and resea... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad