This is a continuation of the question started at http:Q_23836442.html. As was rightly pointed out, the nature of the question has changed and so I am closing that one and starting this one.
I only want client B's server to be able to connect to an SFTP server on client A's server and receive the necessary replies. I don't want any of client B's other servers to connect to any other server behind client A's interface, nor any of client B's servers to any other service on client A's SFTP server. I don't want client A's server(s) to be able to connect to client B's server. I don't want client C to connect to (or be connected to from) client A or B.
I've managed to get it as far as allowing all traffic from client B's server to client A's SFTP server, but I can't yet limit it to TCP port 22 traffic only.
Given my ASA running config (abstract below), what should I apply to allow only client B to connect to client A and only for port 22 (SSH)?
ip address SITE_WAN_IP 255.255.255.248
ip address CLIENT_C_GATEWAY_LAN_IP 255.255.255.0
ip address CLIENT_A_GATEWAY_LAN_IP 255.255.255.0
ip address CLIENT_B_GATEWAY_LAN_IP 255.255.255.0
same-security-traffic permit inter-interface
access-list in1_nat0_outbound extended permit tcp host CLIENT_A_SERVER_LAN_IP eq ssh host CLIENT_B_SERVER_LAN_IP eq ssh
access-list in1_nat0_outbound remark ^^^ Workaround to allow Client B to upload to Client A SFTP
access-list in2_nat0_outbound extended permit tcp host CLIENT_B_SERVER_LAN_IP eq ssh host CLIENT_A_SFTP_SERVER_LAN_IP eq ssh
access-list in2_nat0_outbound remark ^^^ Workaround to allow Client B to upload to Client A SFTP
nat (in0) 0 access-list in0_nat0_outbound
nat (in0) 10 0.0.0.0 0.0.0.0
nat (in1) 0 access-list in1_nat0_outbound
nat (in1) 10 0.0.0.0 0.0.0.0
nat (in2) 0 access-list in2_nat0_outbound
nat (in2) 10 0.0.0.0 0.0.0.0
static (in2,out0) tcp CLIENT_A_WAN_IP www CLIENT_A_WEB_SERVER_LAN_IP www netmask 255.255.255.255
static (in2,out0) tcp CLIENT_A_WAN_IP https CLIENT_A_WEB_SERVER_LAN_IP https netmask 255.255.255.255
static (in2,out0) tcp CLIENT_A_WAN_IP ssh CLIENT_A_SFTP_SERVER_LAN_IP ssh netmask 255.255.255.255
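The NAT exemption lists above (nat 0 access-list) only decide which traffic bypasses translation; they do not filter anything, and with same-security-traffic permit inter-interface and no access-group on the inside interfaces the ASA passes all traffic between the client interfaces, which is why everything from client B currently reaches client A. Restricting the flow to TCP/22 is done with an inbound ACL on each client's interface. The fragment below is an added example, not part of the original post: it assumes interface names CLIENT_A_IFACE, CLIENT_B_IFACE and CLIENT_C_IFACE (the post's in0/in1/in2 do not say which client is where) and /24 network names CLIENT_A_LAN_NET, CLIENT_B_LAN_NET and CLIENT_C_LAN_NET matching the ip address lines; the host names are the ones used in the post.

```cisco
access-list CLIENT_B_IFACE_access_in remark Added example, assumed interface and network names
access-list CLIENT_B_IFACE_access_in remark Client B server to Client A SFTP server, destination port 22 only
access-list CLIENT_B_IFACE_access_in extended permit tcp host CLIENT_B_SERVER_LAN_IP host CLIENT_A_SFTP_SERVER_LAN_IP eq ssh
access-list CLIENT_B_IFACE_access_in remark Nothing else from Client B may reach Client A or Client C
access-list CLIENT_B_IFACE_access_in extended deny ip any CLIENT_A_LAN_NET 255.255.255.0
access-list CLIENT_B_IFACE_access_in extended deny ip any CLIENT_C_LAN_NET 255.255.255.0
access-list CLIENT_B_IFACE_access_in remark Client B keeps its Internet access via out0
access-list CLIENT_B_IFACE_access_in extended permit ip CLIENT_B_LAN_NET 255.255.255.0 any
access-group CLIENT_B_IFACE_access_in in interface CLIENT_B_IFACE

access-list CLIENT_A_IFACE_access_in remark Client A may not open connections to Client B or Client C
access-list CLIENT_A_IFACE_access_in extended deny ip any CLIENT_B_LAN_NET 255.255.255.0
access-list CLIENT_A_IFACE_access_in extended deny ip any CLIENT_C_LAN_NET 255.255.255.0
access-list CLIENT_A_IFACE_access_in extended permit ip CLIENT_A_LAN_NET 255.255.255.0 any
access-group CLIENT_A_IFACE_access_in in interface CLIENT_A_IFACE

access-list CLIENT_C_IFACE_access_in remark Client C is isolated from both other clients
access-list CLIENT_C_IFACE_access_in extended deny ip any CLIENT_A_LAN_NET 255.255.255.0
access-list CLIENT_C_IFACE_access_in extended deny ip any CLIENT_B_LAN_NET 255.255.255.0
access-list CLIENT_C_IFACE_access_in extended permit ip CLIENT_C_LAN_NET 255.255.255.0 any
access-group CLIENT_C_IFACE_access_in in interface CLIENT_C_IFACE
```

Two points worth checking against this. First, the filtering ACL matches only the destination port: the SFTP client on client B's server uses an ephemeral source port, so an entry written with eq ssh on the source host (as in the nat 0 lists above) would never match a real connection. Second, the replies from client A's SFTP server do not need a permit on CLIENT_A_IFACE; the ASA is stateful and passes the return half of an established connection, while client A's own outbound attempts toward client B are caught by the deny lines. Verify with show access-list CLIENT_B_IFACE_access_in, whose hit counts should rise on the permit line only for port 22 connections, and keep the existing nat 0 exemption entries so the B-to-A flow is not PATed on its way across.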