Security Basics mailing list archives
Re: access-list outside_access_in permitting ssh from specific hosts/ip's
From: ddidier () netsecureia com
Date: 13 May 2008 14:12:45 -0000
secrookie, the ACLs that you posted will not permit ssh through your PIX, but rather to the outside interface only. You need to specify the destination of the ssh traffic. To do this, you'll probably need to have static nat statements mapping the internal IP to an external, publicly accessible IP. If your previous ACL worked, then you most likely already have this in place.

An example allowing SSH access to all hosts:

access-list outside_access_in line 12 permit tcp any host x.x.x.x eq ssh

You can see that I've replaced the 'interface outside' statement with 'host x.x.x.x' where x.x.x.x is the public IP of the system you would like to allow SSH to. You could also specify 'any' and that would look as follows:

access-list outside_access_in line 12 permit tcp any any eq ssh

However, if possible, I also recommend that you limit the hosts that can connect to your systems via SSH. With your current ACL you are allowing any host on the Internet to connect to your systems via SSH. If you know the source networks or hosts, I highly recommend limiting access to only these sources! To do this, you would simply specify the source with the correct network or host. That might look like this:

access-list outside_access_in line 12 permit tcp host 4.4.4.4 any eq ssh

or a network:

access-list outside_access_in line 12 permit tcp 4.4.0.0 255.255.0.0 any eq ssh

I used the 4.4.4.4 host and 4.4.0.0/16 network only as an example. You would need to know the specifics for your environment.

I hope this helps! And don't forget to turn on logging!

Dan
www.netsecureia.com
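The matching behaviour Dan describes, as an added example that is not part of the original post: a small Python evaluator for PIX-style ACEs (first match wins, implicit deny at the end) that shows why a destination of 'interface outside' only reaches the firewall itself, why 'any any eq ssh' admits every Internet source, and how a 'host' or network/mask source narrows it. The outside interface address 203.0.113.1, the published server 203.0.113.10 and the test sources are constructed documentation addresses, not values from the thread.

```python
import ipaddress

# Constructed: the PIX outside interface address, used to resolve 'interface outside'.
INTERFACES = {"outside": ipaddress.ip_address("203.0.113.1")}
# PIX accepts service names after 'eq'; only the ones needed here are mapped.
PORTS = {"ssh": 22, "www": 80, "https": 443}


def parse_endpoint(tokens):
    """Consume one source/destination spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "interface":          # matches the interface's own IP only
        return ipaddress.ip_network(str(INTERFACES[tokens[1]]) + "/32"), tokens[2:]
    # PIX writes a normal subnet mask, e.g. '4.4.0.0 255.255.0.0' (not a wildcard mask)
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME [line N] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()[2:]                  # drop 'access-list <name>'
    if t[0] == "line":
        t = t[2:]                         # drop optional 'line N'
    action, proto = t[0], t[1]
    src, t = parse_endpoint(t[2:])
    dst, t = parse_endpoint(t)
    port = None
    if t and t[0] == "eq":
        port = PORTS.get(t[1]) or int(t[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}


def evaluate(acl_lines, src_ip, dst_ip, dport, proto="tcp"):
    """Return True if the ACL permits the packet; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in (proto, "ip"):
            continue
        if s in ace["src"] and d in ace["dst"] and ace["port"] in (None, dport):
            return ace["action"] == "permit"
    return False


# Constructed sample ACLs mirroring the three shapes discussed in the post.
TO_INTERFACE = ["access-list outside_access_in line 12 permit tcp any interface outside eq ssh"]
WIDE_OPEN = ["access-list outside_access_in line 12 permit tcp any any eq ssh"]
RESTRICTED = [
    "access-list outside_access_in line 12 permit tcp host 4.4.4.4 host 203.0.113.10 eq ssh",
    "access-list outside_access_in line 13 permit tcp 4.4.0.0 255.255.0.0 host 203.0.113.10 eq ssh",
]
```

Running evaluate() over the three lists shows the interface-only ACE never reaching 203.0.113.10, the wide-open ACE admitting any source, and the restricted list permitting only 4.4.4.4 and 4.4.0.0/16 on port 22.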
Current thread:
- access-list outside_access_in permitting ssh from specific hosts/ip's secrookie () gmail com (May 12)
- Re: access-list outside_access_in permitting ssh from specific hosts/ip's ddidier (May 13)