cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1026
Views
9
Helpful
11
Replies

Access list

saidfrh18
Level 1
Level 1

We have a sftp server on the dmz. Will the following access list allow outside users to access the sftp server on port 22 from the outside?

access-list outside-acl extended permit tcp any host qq.ww.ee.rr

2 Accepted Solutions

Accepted Solutions

Sam

It should still work with only tcp so it looks like you need to check your NAT setup. What is the IP address of the server and is this server being natted to a public IP. If it is natted then you need to use the public IP in your acl entry.

To answer your question

no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr

access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr eq ssh

Jon

View solution in original post

Sam

If you have all 3 statements then all tcp ports are allowed from the internet to your server. What you should do is

1) remove the line 11

2) add in the line for the specific port of 22

both of the above covered in the previous post

3) leave the line in that allows https

Jon

View solution in original post

11 Replies 11

branfarm1
Level 4
Level 4

That looks like it should work. You only need two more things (which you probably already have): apply the ACL to the outside interface in the inbound direction, and make sure the IP you use in the ACL is the outside NAT of your sftp server.

Good luck!

Jon Marshall
Hall of Fame
Hall of Fame

Sam

Use the IP address rather than the host name and include the port number ie.

access-list outside-acl extended permit tcp any host x.x.x.x eq 22

Jon

Thanks Jon, Aha, the access-list must include eq 22. Folks from outside are not able to access the server. I will try it.

Jon,

The access list reads...Line 10...

access-list outside-acl line 11 extended permit tcp any host qq.ww.ee.rr

...line 16.

What is the procedure to insert the following on an ASA?

access-list outside-acl extended permit tcp any host qq.ww.ee.rr eq 22

Thanks.

Sam

It should still work with only tcp so it looks like you need to check your NAT setup. What is the IP address of the server and is this server being natted to a public IP. If it is natted then you need to use the public IP in your acl entry.

To answer your question

no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr

access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr eq ssh

Jon

The server is on dmz. the server has a private ip and is being natted to public ip address qq.ww.ee.rr .

So, I should remove old statement and insert new statement. Will changing above config effect production? Must it be done after hours?

Sam

If the old statement is not being used by anything else and it shouldn't be as it references only the sftp server then you can remove the old statement and put the new one in during production hours. I've done this many times.

But, if you are not that confident then i would always recommend doing it out of key production hours. Better to be safe than sorry :-)

Jon

Jon,

We have "access-list outside-acl line 16 extended permit tcp any host qq.ww.ee.rr eq https". Should we still insert "no access-list outside-acl line 11 permit tcp any host qq.ww.ee.rr ? What difference does it make if we had all three statements?

Sam

If you have all 3 statements then all tcp ports are allowed from the internet to your server. What you should do is

1) remove the line 11

2) add in the line for the specific port of 22

both of the above covered in the previous post

3) leave the line in that allows https

Jon

Jon,

The following changes in the ASA config still will not allow FTP client to ssh to the SFTP server. Do you have any suggestions? FYI, One client software reverts to port 990, another client software automaticaly reverts to port 21. Any advise would be appreciative. Would TCP port(s) 22 need to be explicitly opened on the perimeter router?

Thanks.

Said

Edit: Looks like this already been said. Please disregard.

-Mike

Sam,

While the access-list statement you posted would probably work (you could tighten it down even further by adding 'eq 22' to the end of the line), we would need to see more of your configuration before we can confirm with certainty. At a minimum, you also need to check:

-You have correctly configured NAT

-There are no conflicting statements in the "outside-acl" access list

-The "outside-acl" access list is applied to the outside interface in the inbound direction

Feel free to post a bit more of your sanitized config and we will be able to give you a more definitive answer.

Hope that helps.

-Mike

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: