
ACL on ASA is not working

your.ideas
Level 1

Hello everyone,

Easy question, but not for me :)

I am trying to modify an ACL on the outside interface so that it allows THE ONLY PUBLIC IP to connect to the server 62.xxx.xxx.57 using SSH - see screenshot.

The existing rule permits any host from outside to do so. What I have done is change ANY to 197.14.12.22; however, it did not stop ANY host from accessing the server via ssh. Please advise what I am doing wrong?

2 Accepted Solutions

  1. You only show that you changed this line, but are there more lines after that? One of them could allow ssh from "any".
  2. If an ssh-session is already established, then this session won't be killed just because you change the ACL. An ongoing session has to be cleared manually. The next session uses the changed ACL to decide if the session should be allowed or not.
  3. You don't need ip, icmp and tcp as the services. "ip" includes all ip-protocols. tcp and icmp are automatically allowed if you allow "ip".

dmooregfb
Level 5

If I understand what you are wanting to do, only allow the 197.x.x.x address to access the server via SSH, change the service from ip to tcp/ssh. 

Clear conn and test again.

4 Replies

Thanks a lot Karsten,

There really was an any-any ip allow rule below. 2 & especially 3 from you are very precious advice for a newbie like me.

And remember that if you allow "ip" to a host, you are probably doing something in a sub-optimal way (or just wrong). Especially from the outside, only the ports that are really needed should be allowed.
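As an added illustration (not code from the thread or from Cisco), here is a small Python simulator of ASA-style first-match ACL evaluation covering the two points made above: a leftover any-any "ip" line below the edited entry still permits SSH from every host, and narrowing the entry to tcp/22 from 197.14.12.22 with the any-any line gone is what actually restricts access. The server address and the outside host are constructed placeholders; already-established connections (the "clear conn" point) are not modelled, only the lookup a new connection goes through.

```python
# Added example: minimal first-match simulator for ASA-style access lists.
# It models the ACL lookup only, not connections that already exist.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None  # destination port; None = any port


def matches(ace: Ace, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """ASA semantics: 'ip' covers every IP protocol; a port only narrows tcp/udp."""
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ip_address(src) not in ip_network(ace.src):
        return False
    if ip_address(dst) not in ip_network(ace.dst):
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return True


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Return the action of the first matching ACE; an ASA ACL ends in an implicit deny."""
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


SERVER = "62.0.0.57"        # placeholder for the thread's 62.xxx.xxx.57
ALLOWED = "197.14.12.22"    # the one public IP from the thread
STRANGER = "198.51.100.9"   # constructed outside host (TEST-NET-2)

# What the poster had: the edited line, but an any-any 'ip' permit further down.
before = [
    Ace("permit", "ip", f"{ALLOWED}/32", f"{SERVER}/32"),
    Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]
# After the advice: any-any line removed, service narrowed to tcp/22.
after = [Ace("permit", "tcp", f"{ALLOWED}/32", f"{SERVER}/32", 22)]

if __name__ == "__main__":
    for name, acl in (("before", before), ("after", after)):
        for host in (ALLOWED, STRANGER):
            print(name, host, "ssh ->", evaluate(acl, "tcp", host, SERVER, 22))
```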
