Block SSH and allow SFTP

Unanswered Question
Mar 19th, 2009

Hello Guys,

Is there any way to block SSH and allow only SFTP?

Thanks in advance
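The question above is never answered directly in this thread, and the replies move on to doing version filtering on the firewall. As an added example that is not from the thread (and is independent of the ASA), this is the server-side way to confine an account to SFTP with OpenSSH: a `Match` block in `sshd_config` that forces `internal-sftp` for one group and turns off forwarding, plus a small audit that reads a config and reports whether the group is really confined. The group name `sftponly`, the chroot path and the sample configs are assumptions constructed for the example.

```python
"""Build and audit the OpenSSH sshd_config pattern that confines a group to SFTP:
a Match block with ForceCommand internal-sftp, a chroot, and forwarding disabled.
Added example; group name 'sftponly' and the sample configs are constructed."""
from typing import Dict, List, Optional, Tuple

# sshd defaults for the directives the audit cares about (per the sshd_config man page)
DEFAULTS = {"allowtcpforwarding": "yes", "x11forwarding": "no"}


def sftp_only_block(group: str, chroot: str = "%h") -> str:
    """Return a Match block granting members of `group` SFTP and nothing else."""
    return "\n".join([
        f"Match Group {group}",
        f"    ChrootDirectory {chroot}",
        "    ForceCommand internal-sftp",   # in-process SFTP server; no shell is ever spawned
        "    AllowTcpForwarding no",        # otherwise the login still works as a TCP relay
        "    X11Forwarding no",
    ])


def parse_sshd_config(text: str) -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Split a config into global directives and a list of (match criteria, directives).
    Keywords are case-insensitive and sshd honours the first occurrence of a keyword,
    which setdefault reproduces. The 'Key=Value' spelling is not handled here."""
    global_d: Dict[str, str] = {}
    blocks: List[Tuple[str, Dict[str, str]]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((" ".join(value.lower().split()), current))
        elif current is None:
            global_d.setdefault(key, value)
        else:
            current.setdefault(key, value)
    return global_d, blocks


def sftp_only_problems(text: str, group: str) -> List[str]:
    """Return the reasons `group` is NOT confined to SFTP; an empty list means it is."""
    global_d, blocks = parse_sshd_config(text)
    target = f"group {group.lower()}"
    matches = [d for criteria, d in blocks if criteria == target]
    if not matches:
        return [f"no 'Match Group {group}' block: members get whatever the global config allows"]
    block = matches[0]

    def effective(key: str) -> Optional[str]:
        # a Match block overrides the global value, which overrides the sshd default
        return block.get(key, global_d.get(key, DEFAULTS.get(key)))

    problems: List[str] = []
    force = (effective("forcecommand") or "").split()
    if not force or force[0] != "internal-sftp":
        problems.append("ForceCommand internal-sftp missing: members still get a shell")
    if effective("chrootdirectory") is None:
        problems.append("ChrootDirectory missing: members can read the whole filesystem")
    if (effective("allowtcpforwarding") or "").lower() != "no":
        problems.append("AllowTcpForwarding not 'no': the account can still relay TCP connections")
    if (effective("x11forwarding") or "").lower() != "no":
        problems.append("X11Forwarding not 'no'")
    return problems


if __name__ == "__main__":
    # constructed 'before' config: ForceCommand alone leaves chroot and forwarding open
    weak = "Subsystem sftp /usr/lib/openssh/sftp-server\nMatch Group sftponly\n    ForceCommand internal-sftp\n"
    for problem in sftp_only_problems(weak, "sftponly"):
        print("weak config:", problem)
    good = "Subsystem sftp internal-sftp\n" + sftp_only_block("sftponly", "/srv/sftp/%u") + "\n"
    print("hardened config problems:", sftp_only_problems(good, "sftponly"))
```

Two operational points the audit cannot see: sshd refuses the login unless every component of the `ChrootDirectory` path is owned by root and not writable by group or others, so the usual layout is a root-owned chroot with a user-writable subdirectory inside it; and after editing the live file, `sshd -t` checks the syntax before the daemon is reloaded.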

newatcisco Fri, 03/20/2009 - 02:45

How do you block ssh version 1 and allow only ssh version 2 across the ASA?

cisco24x7 Fri, 03/20/2009 - 06:54

That is NOT an acceptable solution. Let's say that your SSH server is located in the DMZ network and that you want to make it accessible to both Intranet and Internet users. With Intranet users, you want to give them the option to use either ssh version 1 or version 2; however, Internet users are forced to use ssh version 2 for enhanced security. Most people want to do it on the firewall, which makes sense.

cisco24x7 Fri, 03/20/2009 - 08:12

I have not used ASA in a while so I could be wrong here, but it cannot be done on an ASA appliance.

With other vendors such as Juniper and Checkpoint, you can define a service "ssh" and "ssh_version_2". That way, the firewall can look at the initial hand-shake of the ssh connection and determine whether it is an ssh version 1 or ssh version 2 connection. If you specify ssh, it will assume both version 1 and version 2. If you specify ssh_version_2, it will only accept version 2 through the firewall.

For intranet users, you use ssh. For Internet users that require enhanced security, only ssh version 2 is allowed.
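The inspection cisco24x7 describes works because the protocol version is visible in cleartext before any key exchange: each side sends an identification string of the form `SSH-protoversion-softwareversion SP comments CR LF` (RFC 4253, section 5.1), and a server that speaks both versions advertises `1.99`. As an added example that is not from the thread or from any vendor's firewall code, the classifier below parses both identification strings, works out which protocol the pair will run, and applies two service objects named after the post's `ssh` and `ssh_version_2`. All banners are constructed.

```python
"""Classify an SSH connection by protocol version from the cleartext identification
strings (RFC 4253 section 5.1) that client and server exchange before key exchange.
Added example; the two SERVICES mirror the 'ssh' / 'ssh_version_2' objects in the post."""
import re
from typing import Optional, Tuple

# "SSH-protoversion-softwareversion SP comments"  (CR LF already stripped)
IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def parse_identification(data: bytes) -> Tuple[str, str, Optional[str]]:
    """Return (protoversion, softwareversion, comments) from the first line starting
    with 'SSH-'. A server may send other text lines before it; those are skipped."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if line.startswith("SSH-"):
            m = IDENT_RE.match(line)
            if m is None:
                raise ValueError(f"malformed identification string: {line!r}")
            return m.group("proto"), m.group("software"), m.group("comments")
    raise ValueError("no SSH identification string found")


def v2_capable(proto: str) -> bool:
    # '1.99' is what a server advertises when it speaks both 1 and 2; a v2 client
    # treats it as identical to '2.0' (RFC 4253 section 5.1)
    return proto in ("2.0", "1.99")


def v1_capable(proto: str) -> bool:
    return proto.startswith("1.")


def negotiated_version(client_banner: bytes, server_banner: bytes) -> str:
    """'2', '1' or 'incompatible', decided solely from the two identification strings."""
    client_proto = parse_identification(client_banner)[0]
    server_proto = parse_identification(server_banner)[0]
    if v2_capable(client_proto) and v2_capable(server_proto):
        return "2"
    if v1_capable(client_proto) and v1_capable(server_proto):
        return "1"
    return "incompatible"


# Service objects in the spirit of the post: 'ssh' admits either protocol version,
# 'ssh_version_2' admits only connections that will run protocol 2.
SERVICES = {
    "ssh": {"1", "2"},
    "ssh_version_2": {"2"},
}


def firewall_decision(service: str, client_banner: bytes, server_banner: bytes) -> str:
    """'permit' or 'deny' for the named service object."""
    version = negotiated_version(client_banner, server_banner)
    return "permit" if version in SERVICES[service] else "deny"


if __name__ == "__main__":
    # constructed banners: a legacy client talking to a dual-version server
    legacy_client = b"SSH-1.5-ConstructedLegacyClient\r\n"
    dual_server = b"Welcome to the constructed DMZ host\r\nSSH-1.99-ConstructedServer\r\n"
    print("negotiated:", negotiated_version(legacy_client, dual_server))
    for service in SERVICES:
        print(service, "->", firewall_decision(service, legacy_client, dual_server))
```

The point the post makes falls out of the two service objects: with `ssh_version_2` the legacy client is denied even though the server would have accepted it, because the server's `1.99` banner does not change what the client can speak. The decision is only as good as the banner, so a firewall doing this should also drop connections whose first `SSH-` line is malformed rather than treating them as unknown-but-allowed.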

