cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1289
Views
0
Helpful
4
Replies
Richard Miller
Beginner

Cannot Block Port 22 on ASA 5510

I have an ASA 5510 and port 22 is open. I thought by default that it should be blocked but when I check to see if the port is open by a website (e.g.,

http://www.yougetsignal.com/tools/open-ports) it shows that it is open. I opened Ports 80, 443, and 25. I added an access list by CLI and ASDM but it still shows that port 22 is open. Here is the script #access-list 100 extended deny tcp any any eq 22 and I done the same using ASDM but substituted ssh for the port number. Does anyone know why this port is open? I saw some activity on my firewall that someone (with an IP address based in China) was trying to access my network via port 22. I think they were running a port scanner. But I have no need to have port 22 open.

Any help would be appreciated

Thank you

4 REPLIES 4
vishaw jasrotia
Beginner

Hello,

Need to check whether you have applied the access-list in proper direction.

E.g if you want to stop the access from outside interface then

access-group 100 in interface outside

Thanks

Jouni Forss
Mentor

Hi,

The ACLs will generally just block traffic through the ASA, not to the ASA.

In the newer softwares you have the option to build an ACL to block traffic destined to an actual ASA interface IP address

access-group in interface control-plane

This ACL should naturally be something used only for this purpose and not use an existing ACL.

Though regarding your SSH problem you might have enabled SSH management from behind "outside" with "any" source address

ssh 0.0.0.0 0.0.0.0 outside

You can check this with the command

show run ssh

The earlier command I mentioned overrides even the ACL setting that is used to limit connectivity to the ASA itself. So you might want to check how you SSH management setting is configured. This might be causing the results you are seeing.

- Jouni

Thank you Jouni, it was the ssh management that was keeping the port open. I deleted the outside interface and the port is blocked. I appreciate you help so quickly.

Thanks again

Hi,

Good to hear

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Create
Recognize Your Peers
Content for Community-Ad