Cisco Support Community


Public servers, protocol and port restriction on outside interface

Hi folks,

While setting up access to some internal servers that should be accessible from the outside, I noticed that I wasn't able to connect via port-translated SSH unless I allowed TCP and UDP on the outside interface; see the rules below. The FakeSSH is SSH access, but with a custom port that translates to standard SSH for the real server. The UDP is untranslated, for a monitoring app.

I feel a bit queasy allowing ports that are not needed on the outside, though there are no corresponding NAT rules that can be used for attacks. How can I restrict ports and protocols to only the bare minimum?

Best regards,

Peter

object network Server_Mail
 host 192.168.0.212
object network Servicehelper
 host 192.168.0.213
object network FakeSSH
 host 192.168.0.213
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit object SMTP_Service any object Server_Mail
access-list outside_access_in extended permit object-group TCPUDP any object Servicehelper
!
object network Server_Mail
 nat (inside,outside) static interface service tcp smtp smtp
object network Servicehelper
 nat (inside,outside) static interface service udp 38885 38885
object network FakeSSH
 nat (inside,outside) static interface service tcp ssh 27210
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside

Accepted solution

Re: Public servers, protocol and port restriction on outside interface

Hi,

Did you first try allowing traffic to the port TCP/22?

Notice that the changes to NAT and ACL introduced in 8.3+ mean that you will be allowing traffic to the Real IP Address and Real Port.

This is because when the packet from the Internet arrives at the ASA "outside" interface, the ASA will first UN-NAT the destination IP address and its port. So after that is done the actual ACL check will be done. And that means the destination IP/port has changed to 192.168.0.213 TCP/22.

So your ACL for the SSH connection should be

access-list outside_access_in extended permit tcp any object FakeSSH eq 22

Let me know if that does it. Remove the TCP/UDP permitting rule before you try it out.

- Jouni

Re: Public servers, protocol and port restriction on outside interface

Thanks again Jouni! Worked perfectly!

I'm from the Linux world, used to iptables and that stuff, so the workings of the Cisco ASA appliances are a bit awkward to me.

Wish you a nice weekend :-)

Peter
