I have an inside host configured with its own external IP (not the outside IP) that seems to be ignoring the ACL configured for the outside interface. All traffic is passing.
My config looks like this:
ip address 172.16.33.253 255.255.255.0
ip address XXX.XXX.XXX.1 255.255.255.248
object network host-dunstable-blackberry
 nat (inside,outside) static XXX.XXX.XXX.2
access-list acl-outside-in extended deny tcp any object host-dunstable-blackberry eq ssh
access-group acl-outside-in in interface outside
XXX.XXX.XXX.2 falls within XXX.XXX.XXX.1 255.255.255.248
Even so, I'm still able to SSH from an unrelated IP to XXX.XXX.XXX.2 and access my server.
Does anybody have any ideas? Is this by design? If so, how can I restrict access to this machine?
Any help would be greatly appreciated.
Can you provide us with the output of the following command? (Naturally, fill in the actual public IP.)
packet-tracer input outside tcp 188.8.131.52 12345 x.x.x.2 22
This should probably tell us what is allowing the traffic.
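As an added example (not code from either poster), a small Python helper that reads the output of the packet-tracer command suggested above and reports which phase decided the verdict and whether the outside ACL was evaluated at all. The sample trace is constructed and abbreviated; the NAT and ACL lines in it are the ones quoted in the question, and the parser assumes the standard "Phase: / Type: / Result: / Config:" layout of ASA packet-tracer output.

```python
import re
# Constructed, abbreviated packet-tracer output (not from the post); NAT/ACL lines as quoted above.
SAMPLE = """Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
object network host-dunstable-blackberry
 nat (inside,outside) static XXX.XXX.XXX.2

Phase: 2
Type: ACCESS-LIST
Result: DROP
Config:
access-group acl-outside-in in interface outside
access-list acl-outside-in extended deny tcp any object host-dunstable-blackberry eq ssh
Additional Information:

Result:
Action: drop
"""

def parse_phases(text):
    """Split the trace into phases: {'phase', 'type', 'result', 'config'}."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.startswith("Phase:"):
            continue  # the trailing "Result:" summary is not a phase
        head, _, rest = block.partition("Config:\n")
        fields = dict(line.partition(":")[::2] for line in head.splitlines())
        config = rest.partition("Additional Information:")[0]
        phases.append({"phase": int(fields["Phase"]), "type": fields["Type"].strip(),
                       "result": fields["Result"].strip(),
                       "config": [c.strip() for c in config.splitlines() if c.strip()]})
    return phases

def final_action(text):
    """'allow' or 'drop' from the summary at the end of the trace."""
    m = re.search(r"^Action:\s*(\w+)", text, re.M)
    return m.group(1) if m else None

def deciding_phase(text):
    """First phase whose Result is DROP, or None when every phase allowed the packet."""
    return next((p for p in parse_phases(text) if p["result"] == "DROP"), None)

def acl_phase(text, acl_name):
    """Phase in which the named access-list was actually evaluated, else None."""
    for p in parse_phases(text):
        if any(c.startswith(f"access-list {acl_name} ") for c in p["config"]):
            return p["phase"]
    return None
```

If the real trace ends in "Action: allow" and acl_phase returns None for acl-outside-in, the packet never reached that ACL, which narrows the search to the phases that did appear.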