10-19-2007 06:43 AM - edited 03-11-2019 04:27 AM
I have a public IP address P.P.P.P that I do not want anyone from the outside to access except 3 remote users with Static IPs on port 22 open outbound from P.P.P.P to the 3 static IPs.
I have created a Object-group network called Tac with the 3 IPs
object-group network Tac
network-object host X.X.X.X
network-object host X.X.X.X
network-object host X.X.X.X
Can anyone help me with the next steps?
Thank you
Gabrielle
10-19-2007 06:49 AM
Gabrielle,
Could you rephrase what you are looking to do? I think you want to allow the 3 addresses to your public IP on port 22? I'm confused because you said "outbound from". Thanks.
10-19-2007 06:54 AM
Sorry I didn't mean outbound. I only want the 3 addresses to have access from the outside. Thanks
10-19-2007 06:53 AM
access-list outside_access_in permit tcp object-group Tac host P.P.P.P eq 22
access-group outside_access_in in interface outside
This will create an ACL to allow the 3 addresses in your object-group to access the firewall via SSH.
HTH and please rate.
10-19-2007 07:00 AM
Are you sure about that Collin? The ACL does not restrict traffic terminating on the outside interface, only traffic traversing interfaces. If she wanted to restrict SSH to the outside of the firewall she would have to do "ssh x.x.x.x outside". I'm assuming she has a static for the outside interface to some SSH server inside.
10-22-2007 06:45 AM
Let me start over - I have a public IP Address P.P.P.P on a device that I need 3 people around the world to access on port 22.
I have created a Object-group network called Tac with the 3 IPs
object-group network Tac
network-object host X.X.X.X - the public IP of other networks
network-object host X.X.X.X
network-object host X.X.X.X
Can anyone help me with the next steps?
Thanks
Gabrielle
10-22-2007 06:52 AM
What Collin wrote above is what you need...
access-list outside_access_in permit tcp object-group Tac host P.P.P.P eq 22
access-group outside_access_in in interface outside
Also you need a static translation for P.P.P.P to the inside address of your server. If P.P.P.P = 1.1.1.1 and the inside address of the server is 192.168.1.1 then...
static (inside,outside) 1.1.1.1 192.168.1.1 netmask 255.255.255.255
10-22-2007 10:44 AM
We want to deny all traffic EXCEPT port 22 (ssh) to that Public IP Address. Sorry they keep changing things on me.
Thanks
Gabrielle
10-22-2007 10:48 AM
The commands above will only allow port 22!
10-22-2007 12:30 PM
I added the access-lists
access-list outside_in permit tcp object-group MeTac host Tac-Outside eq https
access-list outside_in permit tcp object-group Tac host Tac-Outside eq telnet
access-list outside_in permit tcp object-group Tac host Tac-Outside eq ssh
static (inside,outside) Tac-Outside Tac-Inside netmask 255.255.255.255 0 0
I can still access the P.P.P.P over the internet - Did I need to add a DENY in there?
10-22-2007 12:38 PM
So Tac-Outside = P.P.P.P?
With those acl entries you should only be able to hit Tac-Outside with https, telnet and ssh, that's it.
Also, your access-group command should be
access-group outside_in in interface outside
10-23-2007 03:47 AM
name 10.0.0.X Inside
name P.P.P.P Outside ** Public IP Address
object-group network Tac
network-object host X.X.X.X
network-object host X.X.X.X
network-object host X.X.X.X
access-list outside_in permit tcp object-group Meta_Tac host Meta-Outside eq www
access-list outside_in permit tcp object-group MetTac host Outside eq https
access-list outside_in permit tcp object-group Tac host Outside eq telnet
access-list outside_in permit tcp object-group Tac host Outside eq ssh
static (inside,outside) Outside Inside netmask 255.255.255.255 0 0
** The Problem I am having is that everyone can still access the "DEVICE" with any IP and not those that were specified in the above Object-Group.
10-23-2007 05:25 AM
OK,
Let's forget the object-group and get this into its simplest form.
1st we'll create the static translation. This will translate your outside address to your inside address. The 1.1.1.1 is our outside address.
static (inside,outside) tcp 1.1.1.1 22 192.168.1.10 22 netmask 255.255.255.255
Next let's create the access-list that only allows the 3 addresses you want to allow. For the example I'll want to allow 2.2.2.2, 3.3.3.3, and 4.4.4.4. There is an implicit deny at the end so we do not have to enter one.
access-list OUTSIDE_ACCESS_IN permit tcp host 2.2.2.2 host 1.1.1.1 eq 22
access-list OUTSIDE_ACCESS_IN permit tcp host 3.3.3.3 host 1.1.1.1 eq 22
access-list OUTSIDE_ACCESS_IN permit tcp host 4.4.4.4 host 1.1.1.1 eq 22
Finally we need to apply the ACL to an interface and in a direction.
access-group OUTSIDE_ACCESS_IN in interface outside
That should do it.
10-24-2007 05:23 AM
Ok, I entered exactly what you have but I can still access the device with HTTP. My thought is that the public IP address is actually on the device. Which it needs to be. Any thoughts?
10-24-2007 05:33 AM
OK. I bet you're using SDM and that application is tied to the outside interface. You need to apply an ACL to HTTP to prevent everyone accessing it. It's used for management so it's handled a little differently.
Try this to restrict HTTP/SDM.
http 10.10.10.115 255.255.255.255 inside
This example will only allow 10.10.10.115 to access SDM from the inside! Make sure you put your IP in first.
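An added illustration, not code from this thread or from Cisco: a small Python model of the two rules the replies rely on, namely the first-match, implicit-deny evaluation of the inbound interface ACL from the simplified answer above, and the separate handling of management sessions to the firewall's own address (the "http"/"ssh" lines), which the interface ACL does not consult. The config text, the addresses, and the helper names (parse_acl, evaluate, management_allowed, check_thread_scenario) are constructed for this example.

```python
"""Constructed model of PIX/ASA inbound ACL evaluation and of the
management-plane ssh/http restriction lines. Not vendor code."""
import ipaddress

# Service names the thread uses in "eq" clauses (assumed mapping)
PORT_NAMES = {"ssh": 22, "telnet": 23, "www": 80, "http": 80, "https": 443}


def _port(tok):
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tokens, i):
    """Parse 'host A', 'any', or 'A MASK' starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(config_text):
    """Collect 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines,
    in order, into {name: [(action, proto, src_net, dst_net, dport_or_None)]}."""
    acls = {}
    for line in config_text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, action, proto = t[1], t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = _port(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        acls.setdefault(name, []).append((action, proto, src, dst, dport))
    return acls


def evaluate(acl, proto, src, dst, dport):
    """First matching entry decides; no match falls to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, port in acl:
        if p not in ("ip", proto):
            continue
        if s in snet and d in dnet and (port is None or port == dport):
            return action == "permit"
    return False


def management_allowed(config_text, service, src, interface):
    """Model 'ssh|http ADDR MASK IFACE' lines: a session to the firewall
    itself is allowed only if a line for that service on that interface
    covers the source; with no such line nothing gets through."""
    s = ipaddress.ip_address(src)
    for line in config_text.strip().splitlines():
        t = line.split()
        if len(t) == 4 and t[0] == service and t[3] == interface:
            if s in ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False):
                return True
    return False


# Constructed config mirroring the simplified answer plus the http line
CONFIG = """
static (inside,outside) tcp 1.1.1.1 22 192.168.1.10 22 netmask 255.255.255.255
access-list OUTSIDE_ACCESS_IN permit tcp host 2.2.2.2 host 1.1.1.1 eq 22
access-list OUTSIDE_ACCESS_IN permit tcp host 3.3.3.3 host 1.1.1.1 eq 22
access-list OUTSIDE_ACCESS_IN permit tcp host 4.4.4.4 host 1.1.1.1 eq 22
access-group OUTSIDE_ACCESS_IN in interface outside
http 10.10.10.115 255.255.255.255 inside
"""


def check_thread_scenario():
    """Decisions for the cases the thread argues about."""
    acl = parse_acl(CONFIG)["OUTSIDE_ACCESS_IN"]
    return {
        "allowed_host_ssh": evaluate(acl, "tcp", "2.2.2.2", "1.1.1.1", 22),
        "allowed_host_http": evaluate(acl, "tcp", "2.2.2.2", "1.1.1.1", 80),
        "stranger_ssh": evaluate(acl, "tcp", "5.5.5.5", "1.1.1.1", 22),
        # Management HTTP to the box: only the http lines are consulted
        "mgmt_http_inside_host": management_allowed(CONFIG, "http", "10.10.10.115", "inside"),
        "mgmt_http_from_outside": management_allowed(CONFIG, "http", "5.5.5.5", "outside"),
    }


if __name__ == "__main__":
    for case, ok in check_thread_scenario().items():
        print(f"{case}: {'permit' if ok else 'deny'}")
```

Running it shows the pattern the thread ends on: the through-the-box ACL permits only the three hosts on port 22 and drops everyone else, while management HTTP is decided entirely by the http lines, so an SDM/HTTP listener bound to the outside interface stays reachable until it is restricted with its own http statement.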