Security Basics mailing list archives

Re: access-list outside_access_in permitting ssh from specific hosts/ip's


From: ddidier () netsecureia com
Date: 13 May 2008 14:12:45 -0000

secrookie,
the ACLs that you posted will not permit ssh through your PIX, but rather to the outside interface only.  You need to 
specify the destination of the ssh traffic.  To do this, you'll probably need to have static nat statements mapping the 
internal IP to an external, publicly accessible IP.  If your previous ACL worked, then you most likely already have 
this in place.  

An example allowing SSH access to all hosts:
access-list outside_access_in line 12 permit tcp any host x.x.x.x eq ssh

You can see that I've replaced the 'interface outside' statement with 'host x.x.x.x' where x.x.x.x is the public IP of 
the system you would like to allow SSH to.  You could also specify 'any' and that would look as follows:

access-list outside_access_in line 12 permit tcp any any eq ssh

However, if possible, I also recommend that you limit the hosts that can connect to your systems via SSH.  With your 
current ACL you are allowing any host on the Internet to connect to your systems via SSH.  If you know the source 
networks or hosts, I highly recommend limiting access to only these sources!  

To do this, you would simply specify the source with the correct network or host.  That might look like this:

access-list outside_access_in line 12 permit tcp host 4.4.4.4 any eq ssh

or a network:

access-list outside_access_in line 12 permit tcp 4.4.0.0 255.255.0.0 any eq ssh

I used the 4.4.4.4 host and 4.4.0.0/16 network only as an example.  You would need to know the specifics for your 
environment.  I hope this helps, and don't forget to turn on logging!

Dan
www.netsecureia.com
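The source restriction Dan recommends, as an added example that is not part of the thread and not the poster's code: a small Python audit script that parses PIX-style access-list entries, flags permit rules that allow SSH from any source, and rewrites such a rule into one entry per allowed host or network in the same form as the lines in the post.  The function names (find_open_ssh, restrict_sources), the sample ACL text and the destination address 203.0.113.10 (standing in for the post's x.x.x.x) are all constructed for this example.

```python
"""Audit PIX access-list entries for SSH permitted from any source.

Constructed example: the ACL lines, function names and the documentation
address 203.0.113.10 are assumptions for this demo, not from the thread.
"""
import ipaddress
import re

# Constructed sample modelled on the forms shown in the post.
SAMPLE_ACL = """\
access-list outside_access_in line 10 permit tcp any interface outside eq ssh
access-list outside_access_in line 12 permit tcp any any eq ssh
access-list outside_access_in line 13 permit tcp host 4.4.4.4 host 203.0.113.10 eq ssh
access-list outside_access_in line 14 permit tcp 4.4.0.0 255.255.0.0 host 203.0.113.10 eq ssh
access-list outside_access_in line 15 permit tcp any host 203.0.113.10 eq www
"""

# access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT]
# SRC is 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; DST may also be 'interface NAME'.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+(?P<line>\d+)\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|interface\s+\S+|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl_line(line):
    """Return the named fields of one access-list entry, or None if it does not match."""
    m = ACL_RE.match(line.strip())
    return m.groupdict() if m else None


def source_to_network(src):
    """Translate a PIX source spec into an ip_network ('any' becomes 0.0.0.0/0)."""
    if src == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = src.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts  # dotted network and dotted mask, as PIX writes them
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def find_open_ssh(acl_text):
    """Return the 'line N' values of permit rules that allow TCP/ssh from the whole Internet."""
    findings = []
    for raw in acl_text.splitlines():
        rule = parse_acl_line(raw)
        if rule is None or rule["action"] != "permit":
            continue
        is_ssh = rule["proto"] == "tcp" and rule["port"] in ("ssh", "22")
        if is_ssh and source_to_network(rule["src"]).prefixlen == 0:
            findings.append(rule["line"])
    return findings


def restrict_sources(acl_line, allowed):
    """Rewrite a source-'any' rule into one entry per allowed host or network.

    'allowed' takes CIDR or bare-address strings; a /32 is emitted as 'host A.B.C.D'
    and anything wider as 'NETWORK MASK', matching the post's two forms.  The
    destination, port and 'line N' keyword of the original rule are preserved.
    """
    rule = parse_acl_line(acl_line)
    if rule is None or rule["action"] != "permit" or rule["src"] != "any":
        raise ValueError("expected a permit rule with source 'any'")
    line = f"line {rule['line']} " if rule["line"] else ""
    port = f" eq {rule['port']}" if rule["port"] else ""
    rewritten = []
    for spec in allowed:
        net = ipaddress.ip_network(spec, strict=False)
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.netmask}"
        rewritten.append(
            f"access-list {rule['name']} {line}{rule['action']} {rule['proto']} "
            f"{src} {rule['dst']}{port}"
        )
    return rewritten


if __name__ == "__main__":
    for n in find_open_ssh(SAMPLE_ACL):
        print(f"line {n}: SSH permitted from any source")
    wide_open = "access-list outside_access_in line 12 permit tcp any any eq ssh"
    for fixed in restrict_sources(wide_open, ["4.4.4.4", "4.4.0.0/16"]):
        print(fixed)
```

Run against the constructed sample, find_open_ssh reports lines 10 and 12 (both permit SSH from any source, one to the outside interface itself and one to any destination), while lines 13 and 14 pass because their sources are already a host and a /16.  Feeding the line-12 rule to restrict_sources with the post's example sources produces exactly the two restricted entries shown above.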

