Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Allow scp but not ssh

With an ASA is there a way for it to allow scp(port 22) traffic from a host to another host but deny ssh(port 22)? Obviously this an encrypted protocol but I do not know if there is some difference between the two that can be matched.

Everyone's tags (1)

Hi,This is quite tricky but


This is quite tricky but SCP is a protocol which uses SSH for data transfers. As per my knowledge it cannot be seperated. Rather SSH can be limited on the end devices or you can make the different port number to use SCP transfers.


A Quick and Brief information on how SCP works:

Normally, a client initiates an SSH connection to the remote host, and requests an SCP process to be started on the remote server. The remote SCP process can operate in one of two modes: source mode, which reads files (usually from disk) and sends them back to the client, or sink mode, which accepts the files sent by the client and writes them (usually to disk) on the remote host. For most SCP clients, source mode is generally triggered with the -f flag (from), while sink mode is triggered with -t (to).[2] These flags are used internally and are not documented outside the SCP source code.


Hope this helps



VIP Green

I do not believe what you

I do not believe what you want to do is possible while keeping port 22 in use for both.  I suggest changing the port used for either SSH or SCP and then deny the port that the SSH protocol uses (22 unless that is the one you changed).


Please remember to select a correct answer and rate helpful posts


Please remember to rate and select a correct answer
CreatePlease to create content