Access list

Answered Question
Jul 2nd, 2009

We have a sftp server on the dmz. Will the following access list allow outside users to access the sftp server on port 22 from the outside?

access-list outside-acl extended permit tcp any host qq.ww.ee.rr

I have this problem too.
0 votes
Correct Answer by Jon Marshall about 7 years 5 months ago

Sam

If you have all 3 statements then all tcp ports are allowed from the internet to your server. What you should do is

1) remove the line 11

2) add in the line for the specific port of 22

both of the above covered in the previous post

3) leave the line in that allows https

Jon

Correct Answer by Jon Marshall about 7 years 5 months ago

Sam

It should still work with only tcp so it looks like you need to check your NAT setup. What is the IP address of the server and is this server being natted to a public IP. If it is natted then you need to use the public IP in your acl entry.

To answer your question

no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr

access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr eq ssh

Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.8 (4 ratings)
Loading.
branfarm1 Thu, 07/02/2009 - 12:39

That looks like it should work. You only need two more things (which you probably already have): apply the ACL to the outside interface in the inbound direction, and make sure the IP you use in the ACL is the outside NAT of your sftp server.

Good luck!

Jon Marshall Thu, 07/02/2009 - 12:40

Sam

Use the IP address rather than the host name and include the port number ie.

access-list outside-acl extended permit tcp any host x.x.x.x eq 22

Jon

saidfrh18 Thu, 07/02/2009 - 12:45

Thanks Jon, Aha, the access-list must include eq 22. Folks from outside are not able to access the server. I will try it.

saidfrh18 Thu, 07/02/2009 - 13:23

Jon,

The access list reads...Line 10...

access-list outside-acl line 11 extended permit tcp any host qq.ww.ee.rr

...line 16.

What is the procedure to insert the following on an ASA?

access-list outside-acl extended permit tcp any host qq.ww.ee.rr eq 22

Thanks.

Correct Answer
Jon Marshall Thu, 07/02/2009 - 13:31

Sam

It should still work with only tcp so it looks like you need to check your NAT setup. What is the IP address of the server and is this server being natted to a public IP. If it is natted then you need to use the public IP in your acl entry.

To answer your question

no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr

access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr eq ssh

Jon

saidfrh18 Thu, 07/02/2009 - 16:10

The server is on dmz. the server has a private ip and is being natted to public ip address qq.ww.ee.rr .

So, I should remove old statement and insert new statement. Will changing above config effect production? Must it be done after hours?

Jon Marshall Fri, 07/03/2009 - 04:56

Sam

If the old statement is not being used by anything else and it shouldn't be as it references only the sftp server then you can remove the old statement and put the new one in during production hours. I've done this many times.

But, if you are not that confident then i would always recommend doing it out of key production hours. Better to be safe than sorry :-)

Jon

saidfrh18 Fri, 07/03/2009 - 08:03

Jon,

We have "access-list outside-acl line 16 extended permit tcp any host qq.ww.ee.rr eq https". Should we still insert "no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr ? What difference does it make if we had all three statements?

Correct Answer
Jon Marshall Fri, 07/03/2009 - 08:11

Sam

If you have all 3 statements then all tcp ports are allowed from the internet to your server. What you should do is

1) remove the line 11

2) add in the line for the specific port of 22

both of the above covered in the previous post

3) leave the line in that allows https

Jon

saidfrh18 Wed, 07/08/2009 - 12:45

Jon,

The following changes in the ASA config still will not allow FTP client to ssh to the SFTP server. Do you have any suggestions? FYI, One client software reverts to port 990, another client software automaticaly reverts to port 21. Any advise would be appreciative. Would TCP port(s) 22 need to be explicitly opened on the perimeter router?

Thanks.

Said

robertson.michael Thu, 07/02/2009 - 12:43

Edit: Looks like this already been said. Please disregard.

-Mike

Sam,

While the access-list statement you posted would probably work (you could tighten it down even further by adding 'eq 22' to the end of the line), we would need to see more of your configuration before we can confirm with certainty. At a minimum, you also need to check:

-You have correctly configured NAT

-There are no conflicting statements in the "outside-acl" access list

-The "outside-acl" access list is applied to the outside interface in the inbound direction

Feel free to post a bit more of your sanitized config and we will be able to give you a more definitive answer.

Hope that helps.

-Mike

Actions

This Discussion