07-19-2013 04:36 AM - edited 03-11-2019 07:14 PM
Hi folks,
While setting up access to some internal servers that should be accessible from the outside, I noticed that I wasn't able to connect via port translated SSH, unless I allowed TCP and UDP on the outside interface, see rules below. The FakeSSH is SSH access, but with a custom port, that translates to standard SSH for the real server. The UDP is untranslated for a monitoring app.
I feel a bit queasy allowing ports that are not needed on the outside, though there are no corresponding NAT rules that can be used for attacks. How can I restrict ports and protocols only to a bare minimum?
Best regards,
Peter
object network Server_Mail
host 192.168.0.212
object network Servicehelper
host 192.168.0.213
object network FakeSSH
host 192.168.0.213
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit object SMTP_Service any object Server_Mail
access-list outside_access_in extended permit object-group TCPUDP any object Servicehelper
!
object network Server_Mail
nat (inside,outside) static interface service tcp smtp smtp
object network Servicehelper
nat (inside,outside) static interface service udp 38885 38885
object network FakeSSH
nat (inside,outside) static interface service tcp ssh 27210
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
07-19-2013 04:43 AM
Hi,
Did you first try allowing traffic to the port TCP/22?
Notice that the changes to NAT and ACL introduced in 8.3+ mean that you will be allowing traffic to the Real IP Address and Real Port.
This is because when the packet from the Internet arrives at the ASA "outside" interface the ASA will first UN-NAT the destination IP address and its port. So after that is done the actual ACL check will be done. And that means the destination IP/port has changed to 192.168.0.213 TCP/22
So your ACL for the SSH connection should be
access-list outside_access_in extended permit tcp any object FakeSSH eq 22
Let me know if that does it. Remove the TCP/UDP permitting rule before you try it out.
- Jouni
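To make the order of operations Jouni describes concrete, here is an added Python model (not code from the thread or from Cisco) that un-NATs an inbound packet against the static translations from the question and then evaluates a simple ACL on the real address and port. The outside interface address 203.0.113.10 is an assumption; the ACL entries and NAT table mirror the configuration posted above.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed outside interface address (documentation range), standing in for "interface".
MAPPED_IP = "203.0.113.10"

@dataclass(frozen=True)
class StaticNat:
    real_ip: str
    proto: str
    real_port: int
    mapped_port: int

@dataclass(frozen=True)
class Ace:
    proto: str              # "tcp", "udp" or "ip"
    dst_ip: str
    dst_port: Optional[int]  # None means any port

# Static translations from the question (constructed from the posted config).
NAT_TABLE = [
    StaticNat("192.168.0.212", "tcp", 25, 25),        # Server_Mail: smtp -> smtp
    StaticNat("192.168.0.213", "udp", 38885, 38885),  # Servicehelper: untranslated UDP
    StaticNat("192.168.0.213", "tcp", 22, 27210),     # FakeSSH: ssh reachable on 27210
]

def un_nat(proto, dst_ip, dst_port):
    """Step 1: map a packet addressed to the outside interface back to real IP/port."""
    if dst_ip != MAPPED_IP:
        return dst_ip, dst_port
    for n in NAT_TABLE:
        if n.proto == proto and n.mapped_port == dst_port:
            return n.real_ip, n.real_port
    return dst_ip, dst_port  # no static match: destination stays as it arrived

def acl_permits(acl, proto, real_ip, real_port):
    """Step 2: first matching ACE wins; no match is the implicit deny."""
    for ace in acl:
        if ace.proto in ("ip", proto) and ace.dst_ip == real_ip \
                and (ace.dst_port is None or ace.dst_port == real_port):
            return True
    return False

def inbound_allowed(acl, proto, dst_ip, dst_port):
    """ASA 8.3+ inbound order: un-NAT first, then check the ACL on real values."""
    real_ip, real_port = un_nat(proto, dst_ip, dst_port)
    return acl_permits(acl, proto, real_ip, real_port)

# ACL written against the mapped port (pre-8.3 thinking): never matches after un-NAT.
ACL_MAPPED_PORT = [Ace("tcp", "192.168.0.213", 27210)]
# ACL written against the real port, as in Jouni's answer: permits only the SSH flow.
ACL_REAL_PORT = [Ace("tcp", "192.168.0.213", 22)]
```

Running `inbound_allowed` with a packet to the outside address on TCP/27210 shows why the rule must name port 22: the ACL sees 192.168.0.213:22, not 27210, and the broad TCP/UDP rule is no longer needed.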
07-19-2013 05:05 AM
Thanks again Jouni! Worked perfectly!
I'm from the Linux world, used to IP-tables and that stuff, so the workings of the Cisco ASA appliances is a bit awkward to me.
Wish you a nice weekend :-)
Peter