07-02-2009 12:37 PM - edited 03-11-2019 08:50 AM
We have a sftp server on the dmz. Will the following access list allow outside users to access the sftp server on port 22 from the outside?
access-list outside-acl extended permit tcp any host qq.ww.ee.rr
Solved! Go to Solution.
07-02-2009 01:31 PM
Sam
It should still work with only tcp so it looks like you need to check your NAT setup. What is the IP address of the server and is this server being natted to a public IP. If it is natted then you need to use the public IP in your acl entry.
To answer your question
no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr
access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr eq ssh
Jon
07-03-2009 08:11 AM
Sam
If you have all 3 statements then all tcp ports are allowed from the internet to your server. What you should do is
1) remove the line 11
2) add in the line for the specific port of 22
both of the above covered in the previous post
3) leave the line in that allows https
Jon
07-02-2009 12:39 PM
That looks like it should work. You only need two more things (which you probably already have): apply the ACL to the outside interface in the inbound direction, and make sure the IP you use in the ACL is the outside NAT of your sftp server.
Good luck!
07-02-2009 12:40 PM
Sam
Use the IP address rather than the host name and include the port number ie.
access-list outside-acl extended permit tcp any host x.x.x.x eq 22
Jon
07-02-2009 12:45 PM
Thanks Jon, Aha, the access-list must include eq 22. Folks from outside are not able to access the server. I will try it.
07-02-2009 01:23 PM
Jon,
The access list reads...Line 10...
access-list outside-acl line 11 extended permit tcp any host qq.ww.ee.rr
...line 16.
What is the procedure to insert the following on an ASA?
access-list outside-acl extended permit tcp any host qq.ww.ee.rr eq 22
Thanks.
07-02-2009 01:31 PM
Sam
It should still work with only tcp so it looks like you need to check your NAT setup. What is the IP address of the server and is this server being natted to a public IP. If it is natted then you need to use the public IP in your acl entry.
To answer your question
no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr
access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr eq ssh
Jon
07-02-2009 04:10 PM
The server is on dmz. the server has a private ip and is being natted to public ip address qq.ww.ee.rr .
So, I should remove old statement and insert new statement. Will changing above config effect production? Must it be done after hours?
07-03-2009 04:56 AM
Sam
If the old statement is not being used by anything else and it shouldn't be as it references only the sftp server then you can remove the old statement and put the new one in during production hours. I've done this many times.
But, if you are not that confident then i would always recommend doing it out of key production hours. Better to be safe than sorry :-)
Jon
07-03-2009 08:03 AM
Jon,
We have "access-list outside-acl line 16 extended permit tcp any host qq.ww.ee.rr eq https". Should we still insert "no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr ? What difference does it make if we had all three statements?
07-03-2009 08:11 AM
Sam
If you have all 3 statements then all tcp ports are allowed from the internet to your server. What you should do is
1) remove the line 11
2) add in the line for the specific port of 22
both of the above covered in the previous post
3) leave the line in that allows https
Jon
07-08-2009 12:45 PM
Jon,
The following changes in the ASA config still will not allow FTP client to ssh to the SFTP server. Do you have any suggestions? FYI, One client software reverts to port 990, another client software automaticaly reverts to port 21. Any advise would be appreciative. Would TCP port(s) 22 need to be explicitly opened on the perimeter router?
Thanks.
Said
07-02-2009 12:43 PM
Edit: Looks like this already been said. Please disregard.
-Mike
Sam,
While the access-list statement you posted would probably work (you could tighten it down even further by adding 'eq 22' to the end of the line), we would need to see more of your configuration before we can confirm with certainty. At a minimum, you also need to check:
-You have correctly configured NAT
-There are no conflicting statements in the "outside-acl" access list
-The "outside-acl" access list is applied to the outside interface in the inbound direction
Feel free to post a bit more of your sanitized config and we will be able to give you a more definitive answer.
Hope that helps.
-Mike
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: