
control plane ACL/limiting SSH access


  • control plane ACL/limiting SSH access

    I am looking for a way to allow SSH access from the outside to my ASA (running 8.21), but deny it from specific hosts (ones that I see attempting brute force attacks). I know you can only allow SSH from specified hosts, but I cannot figure out how to block traffic from specific hosts. I have tried using control-plane ACLs, but the way it handles processing, if I use the ssh outside, it ignores the control plane line, and if I remove that line, I see hits on the control plane ACL, but it will not let me in. Any ideas? I know you can do this on a router.

  • #2
    Re: control plane ACL/limiting SSH access

    Hi rpcblast,

    Do you have a specific network that you are trying to allow SSH access to your outside interface from? It seems like it is a lot of work to deny individual hosts SSH access if they are trying to perform an SSH brute force attack.

    Using the ssh command is going to override any ACL entry you place explicitly denying SSH. The reason for this is that once you allow a host/network access to an interface for management, it will implicitly deny all connections that are not specified, thus preventing you from having to explicitly deny hosts trying to SSH brute force. I was doing some basic tests on one of my lab ASAs and that is the only thing I can come up with.

    Maybe someone else on the list can shed some more light on this or has another perspective on the issue.

    Last edited by ryansmitty; 25th August 2009, 21:57.
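    As an added illustration of the point in the reply above (this is example configuration, not anything posted in the thread), the ASA's own ssh allow list is the control: the "weak" line that matches every source is what forces you to look for a deny mechanism, while a line listing only the management sources makes every other host an implicit deny without any control-plane ACL. The addresses below are documentation ranges chosen for the example; substitute your real management networks.

```cisco
! --- Weak: any source on the outside may reach the SSH daemon.
! --- Everything not in the ssh list is already dropped, so with 0.0.0.0/0
! --- there is nothing left for a control-plane ACL to deny.
ssh 0.0.0.0 0.0.0.0 outside

! --- Corrected: enumerate only the hosts/networks that should manage the box.
! --- 203.0.113.0/24 and 198.51.100.7 are placeholders for the real admin sources.
no ssh 0.0.0.0 0.0.0.0 outside
ssh 203.0.113.0 255.255.255.0 outside
ssh 198.51.100.7 255.255.255.255 outside

! --- Optional hardening that is independent of the allow list.
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
```

    After the change, a brute-force source that is not in the ssh list never reaches the authentication stage, so nothing has to be denied per host; the only maintenance is keeping the allow list current as admin sources change.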