Thanks for reading!
We have an outside user who's been impacted by an improper deploy of SFTP. The workaround allowing them to connect is this rule:
access-list outside_access_in_1 extended permit tcp any host <my server's outside ip> range 49000 65535
I entered an FTP rule opening ports 50000-50010 (according to documentation) but no success.
Is there a "dynamic ports" type of rule which would allow me to open fewer than the 16535 ports? The incoming FTP connection generates a dynamic port <50000.
I'd like to further close the hole by naming the protocol.
Thanks again for reading!
In the ACE you defined, the range is from 49000 - 65535, but later in your question you mention less than 50,000. I'm a little confused by what you are asking.
However, if you are hosting the server, then the client should be connecting to your server's IP on port 22, and sourced from some dynamic port. Therefore, the ACL should be something like:
access-list outside permit tcp any host <server ip> eq 22
But what your ACL says is that anyone can connect to your server on ports from 49000 to 65535, which doesn't make sense.
Now, if the client used source ports <50000, and your server was hosting SFTP on port 22, then you could write an ACL such as:
access-list outside permit tcp host <client ip> lt 50000 host <server ip> eq 22
Which would be about as locked down as you could get it.
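The point of the answer is easiest to see by evaluating a real SFTP connection against each of the three ACEs in the thread. The following is an added illustration, not code from the original thread or from Cisco: a small matcher for the subset of ASA extended-ACE syntax used above (permit tcp, `any`/`host`, and the `eq`/`lt`/`gt`/`range` port operators). The addresses are assumed placeholders for the server's outside IP and the outside user's IP, standing in for the `<...>` placeholders in the posts.

```python
"""Toy matcher for the ASA-style ACEs discussed in the thread (added example).

Only the syntax the thread uses is modelled: 'permit tcp', source and
destination given as 'any' or 'host A', and an optional port operator
(eq / lt / gt / range) after either address. The IPs below are assumed
placeholders, not real hosts.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SERVER = "203.0.113.10"   # assumed placeholder for "my server's outside ip"
CLIENT = "198.51.100.7"   # assumed placeholder for the outside user

PortRange = Optional[Tuple[int, int]]   # inclusive (low, high); None = any port


@dataclass
class Ace:
    src: str          # "any" or an IP
    src_ports: PortRange
    dst: str
    dst_ports: PortRange


def _ports(tokens: List[str]) -> PortRange:
    """Consume an optional port operator from the front of the token list."""
    if not tokens:
        return None
    op = tokens[0]
    if op == "eq":
        p = int(tokens[1]); del tokens[:2]; return (p, p)
    if op == "lt":
        p = int(tokens[1]); del tokens[:2]; return (0, p - 1)
    if op == "gt":
        p = int(tokens[1]); del tokens[:2]; return (p + 1, 65535)
    if op == "range":
        lo, hi = int(tokens[1]), int(tokens[2]); del tokens[:3]; return (lo, hi)
    return None   # no port operator present


def _addr(tokens: List[str]) -> str:
    tok = tokens.pop(0)
    if tok == "any":
        return "any"
    if tok == "host":
        return tokens.pop(0)
    raise ValueError(f"unsupported address form: {tok}")


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit tcp SRC [ports] DST [ports]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line")
    tokens = tokens[2:]                 # drop keyword and ACL name
    if tokens[0] == "extended":
        tokens.pop(0)
    if tokens[:2] != ["permit", "tcp"]:
        raise ValueError("only 'permit tcp' is modelled")
    tokens = tokens[2:]
    src = _addr(tokens)
    src_ports = _ports(tokens)
    dst = _addr(tokens)
    dst_ports = _ports(tokens)
    return Ace(src, src_ports, dst, dst_ports)


def _in(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def permits(ace: Ace, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    """True if the TCP 4-tuple matches this ACE (first-match semantics are
    not modelled; each ACE is evaluated on its own)."""
    return ((ace.src == "any" or ace.src == src_ip) and _in(ace.src_ports, src_port)
            and ace.dst == dst_ip and _in(ace.dst_ports, dst_port))


# The three ACEs from the thread, with the placeholders filled in.
RANGE_ACE = parse_ace(
    f"access-list outside_access_in_1 extended permit tcp any host {SERVER} range 49000 65535")
PORT22_ACE = parse_ace(f"access-list outside permit tcp any host {SERVER} eq 22")
TIGHT_ACE = parse_ace(
    f"access-list outside permit tcp host {CLIENT} lt 50000 host {SERVER} eq 22")


def sftp_verdicts(client_ip: str, src_port: int) -> Tuple[bool, bool, bool]:
    """Does an SFTP connection (to SERVER:22) pass each ACE? Returns
    (range_ace, port22_ace, tight_ace)."""
    return tuple(permits(a, client_ip, src_port, SERVER, 22)
                 for a in (RANGE_ACE, PORT22_ACE, TIGHT_ACE))


def probe_verdicts(src_ip: str, src_port: int, dst_port: int) -> Tuple[bool, bool, bool]:
    """Same, for an arbitrary connection to SERVER:dst_port (e.g. a scan)."""
    return tuple(permits(a, src_ip, src_port, SERVER, dst_port)
                 for a in (RANGE_ACE, PORT22_ACE, TIGHT_ACE))


if __name__ == "__main__":
    print("SFTP from client, src port 51234:", sftp_verdicts(CLIENT, 51234))
    print("SFTP from client, src port 40000:", sftp_verdicts(CLIENT, 40000))
    print("Scan of server port 50000 from a stranger:", probe_verdicts("192.0.2.5", 40000, 50000))
```

Running it shows why the answer calls the original ACE confusing: a genuine SFTP session (destination port 22, ephemeral source port) never matches the `range 49000 65535` rule at all, because that rule constrains the destination port on the server, not the client's source port; what it does match is any stranger probing the server on ports 49000-65535. The `eq 22` rule admits the SFTP session from anywhere, and the `host <client ip> lt 50000 ... eq 22` rule admits it only from that one client with a low source port.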