Access list

Answered Question
Jul 2nd, 2009
User Badges:

We have a sftp server on the dmz. Will the following access list allow outside users to access the sftp server on port 22 from the outside?

access-list outside-acl extended permit tcp any host qq.ww.ee.rr

Correct Answer by Jon Marshall about 7 years 8 months ago

Sam


If you have all 3 statements then all tcp ports are allowed from the internet to your server. What you should do is


1) remove the line 11

2) add in the line for the specific port of 22


both of the above covered in the previous post


3) leave the line in that allows https


Jon

Correct Answer by Jon Marshall about 7 years 8 months ago

Sam


It should still work with only tcp so it looks like you need to check your NAT setup. What is the IP address of the server and is this server being natted to a public IP. If it is natted then you need to use the public IP in your acl entry.


To answer your question


no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr


access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr eq ssh


Jon

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.8 (4 ratings)
Loading.
branfarm1 Thu, 07/02/2009 - 12:39
User Badges:
  • Bronze, 100 points or more

That looks like it should work. You only need two more things (which you probably already have): apply the ACL to the outside interface in the inbound direction, and make sure the IP you use in the ACL is the outside NAT of your sftp server.


Good luck!

Jon Marshall Thu, 07/02/2009 - 12:40
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Sam


Use the IP address rather than the host name and include the port number ie.


access-list outside-acl extended permit tcp any host x.x.x.x eq 22


Jon

saidfrh18 Thu, 07/02/2009 - 12:45
User Badges:

Thanks Jon, Aha, the access-list must include eq 22. Folks from outside are not able to access the server. I will try it.


saidfrh18 Thu, 07/02/2009 - 13:23
User Badges:

Jon,

The access list reads...Line 10...

access-list outside-acl line 11 extended permit tcp any host qq.ww.ee.rr

...line 16.


What is the procedure to insert the following on an ASA?

access-list outside-acl extended permit tcp any host qq.ww.ee.rr eq 22


Thanks.

Correct Answer
Jon Marshall Thu, 07/02/2009 - 13:31
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Sam


It should still work with only tcp so it looks like you need to check your NAT setup. What is the IP address of the server and is this server being natted to a public IP. If it is natted then you need to use the public IP in your acl entry.


To answer your question


no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr


access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr eq ssh


Jon

saidfrh18 Thu, 07/02/2009 - 16:10
User Badges:

The server is on dmz. the server has a private ip and is being natted to public ip address qq.ww.ee.rr .


So, I should remove old statement and insert new statement. Will changing above config effect production? Must it be done after hours?

Jon Marshall Fri, 07/03/2009 - 04:56
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Sam


If the old statement is not being used by anything else and it shouldn't be as it references only the sftp server then you can remove the old statement and put the new one in during production hours. I've done this many times.


But, if you are not that confident then i would always recommend doing it out of key production hours. Better to be safe than sorry :-)


Jon

saidfrh18 Fri, 07/03/2009 - 08:03
User Badges:

Jon,

We have "access-list outside-acl line 16 extended permit tcp any host qq.ww.ee.rr eq https". Should we still insert "no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr ? What difference does it make if we had all three statements?




Correct Answer
Jon Marshall Fri, 07/03/2009 - 08:11
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Sam


If you have all 3 statements then all tcp ports are allowed from the internet to your server. What you should do is


1) remove the line 11

2) add in the line for the specific port of 22


both of the above covered in the previous post


3) leave the line in that allows https


Jon

saidfrh18 Wed, 07/08/2009 - 12:45
User Badges:

Jon,


The following changes in the ASA config still will not allow FTP client to ssh to the SFTP server. Do you have any suggestions? FYI, One client software reverts to port 990, another client software automaticaly reverts to port 21. Any advise would be appreciative. Would TCP port(s) 22 need to be explicitly opened on the perimeter router?

Thanks.

Said

robertson.michael Thu, 07/02/2009 - 12:43
User Badges:
  • Silver, 250 points or more

Edit: Looks like this already been said. Please disregard.


-Mike




Sam,


While the access-list statement you posted would probably work (you could tighten it down even further by adding 'eq 22' to the end of the line), we would need to see more of your configuration before we can confirm with certainty. At a minimum, you also need to check:


-You have correctly configured NAT

-There are no conflicting statements in the "outside-acl" access list

-The "outside-acl" access list is applied to the outside interface in the inbound direction


Feel free to post a bit more of your sanitized config and we will be able to give you a more definitive answer.


Hope that helps.


-Mike

Actions

This Discussion