I have an ASA 5510 and port 22 is open. I thought by default that it should be blocked but when I check to see if the port is open by a website (e.g.,
http://www.yougetsignal.com/tools/open-ports) it shows that it is open. I opened Ports 80, 443, and 25. I added an access list by CLI and ASDM but it still shows that port 22 is open. Here is the script #access-list 100 extended deny tcp any any eq 22 and I done the same using ASDM but substituted ssh for the port number. Does anyone know why this port is open? I saw some activity on my firewall that someone (with an IP address based in China) was trying to access my network via port 22. I think they were running a port scanner. But I have no need to have port 22 open.
The ACLs will generally just block traffic through the ASA, not to the ASA.
In the newer softwares you have the option to build an ACL to block traffic destined to an actual ASA interface IP address
access-group in interface control-plane
This ACL should naturally be something used only for this purpose and not use an existing ACL.
Though regarding your SSH problem you might have enabled SSH management from behind "outside" with "any" source address
ssh 0.0.0.0 0.0.0.0 outside
You can check this with the command
show run ssh
The earlier command I mentioned overrides even the ACL setting that is used to limit connectivity to the ASA itself. So you might want to check how you SSH management setting is configured. This might be causing the results you are seeing.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :