
New Member

Block SSH and allow SFTP

Hello Guys,

Is there any way to block SSH and allow only SFTP?

Thanks in advance

6 REPLIES

Re: Block SSH and allow SFTP

No - SSH and SFTP use the same default TCP port of 22.

Now what you can do is change the server to use a different SFTP port instead of TCP/22 - to something else.

HTH

New Member

Re: Block SSH and allow SFTP

How do you block ssh version 1 and allow only ssh version 2 across the ASA?

Re: Block SSH and allow SFTP

AFAIK - the ASA will not inspect the version of SSH as it passes through it. If you only want to allow version 2 of SSH - then configure the server to only accept version 2.

Silver

Re: Block SSH and allow SFTP

That is NOT an acceptable solution. Let's say that your SSH server is located in the DMZ network and that you want to make it accessible to both Intranet and Internet users. With Intranet users, you want to give them the option to use either ssh version 1 or version 2; however, for Internet users, they are forced to use ssh version 2 for enhanced security. Most people want to do it on the firewall, which makes sense.

Re: Block SSH and allow SFTP

So how do you configure the firewall to filter on the version then, as the version is session based information?

Silver

Re: Block SSH and allow SFTP

I have not used ASA in a while so I could be wrong here, but it cannot be done on an ASA appliance.

With other vendors such as Juniper and Checkpoint, you can define a service "ssh" and "ssh_version_2". That way, the firewall can look at the initial handshake of the ssh connection and determine whether it is an ssh version 1 or ssh version 2 connection. If you specify ssh, it will assume both version 1 and version 2. If you specify ssh_version_2, it will only accept version 2 through the firewall.

For intranet users, you use ssh. For Internet users that require enhanced security, only ssh version 2 is allowed.
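As an added illustration (not from any post in this thread and not any vendor's firewall code), here is what the "look at the initial handshake" decision described above actually has to work from: the plaintext identification string that RFC 4253 requires both sides to send before anything is encrypted. It also shows why the first reply is right that SFTP cannot be separated from SSH here: SFTP is a subsystem requested inside the encrypted session, so nothing in this exchange reveals it. The function names and the sample banners are constructed for this example.

```python
import re

# RFC 4253 section 4.2: the identification string sent in the clear by client
# and server at the start of every SSH connection:
#   SSH-protoversion-softwareversion SP comments CR LF
# It is the only version information visible to a device in the path.
# softwareversion is matched leniently (\S+) because implementations vary.
_ID_RE = re.compile(rb"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)(?: (?P<comment>[^\r]*))?\r?$")


def parse_ssh_banner(data: bytes):
    """Return (protoversion, softwareversion) from the first identification
    line found in the data, or None if there is none.
    RFC 4253 lets a server send other text lines before its identification
    string, so each line is checked in turn."""
    for line in data.split(b"\n"):
        m = _ID_RE.match(line)
        if m:
            return m.group("proto").decode("ascii"), m.group("soft").decode("ascii")
    return None


def classify_ssh_version(protoversion: str) -> str:
    """Map the protoversion field to a policy class.
    '2.0'  -> 'v2-only'  : peer speaks only SSH-2
    '1.99' -> 'v1-or-v2' : SSH-2 with SSH-1 fallback (RFC 4253 compatibility mode)
    '1.x'  -> 'v1-only'  : peer speaks only SSH-1"""
    if protoversion == "2.0":
        return "v2-only"
    if protoversion == "1.99":
        return "v1-or-v2"
    if protoversion.startswith("1."):
        return "v1-only"
    return "unknown"


def allow_connection(client_banner: bytes, require_v2: bool) -> bool:
    """Policy decision in the spirit of the 'ssh_version_2' service mentioned
    above: with require_v2 set, only a peer announcing SSH-2.0 is allowed;
    without it, any SSH identification string is accepted. Whether the
    session will later carry SFTP or a shell is not knowable at this point."""
    parsed = parse_ssh_banner(client_banner)
    if parsed is None:
        return False  # not an SSH identification line at all
    cls = classify_ssh_version(parsed[0])
    if require_v2:
        return cls == "v2-only"
    return cls != "unknown"
```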
