Cisco ASA - Enabling SSH from any outside source to specific internal IP.


I have been tasked with enabling SFTP from any outside source IP to a specific inside destination IP address.

I have entered the following static mapping and ACL, but it is still not working.  There is also a pre-existing object group defined with "port-object eq ssh" What am I missing here?

static (inside,outside) tcp ssh ssh netmask tcp 250 250

access-list inbound extended permit tcp host host eq ssh
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
The outside source address will never ever be "host". Replace that with the keyword "any".

Best regards

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
check if the ACL does not have an entry that blocks your traffic.
the first ACL hist matters.
static (inside,outside) outsideip insideip netmask
access-list inbound extended permit tcp any host outsideip eq ssh
access-group inbound in interface outside
Kaiden_PAuthor Commented:
I did exactly as instructed and replaced "host" with the keyword "any" and it is now working.  

Why did ASA accept command in the first place though?
Jimmy Larsson, CISSP, CEHNetwork and Security consultantCommented:
The ASA accepts the command since it is proper syntax. "host" means "exactly" and can be done for any ip address. If you wanna allow ip packets whose source ip address is "" you do "host" (and that kind of traffic actually exists, in theory. For example with dhcp requests).

But still "host" and "any" is not the same thing. Its not even close. ;)

Another way to say "any" in an access-list is to do something like "" where the second row of 0:s is an netmask stating "whatever". Maybe you confuse this with "host" but the latter is actually equevalent to "".

I am afraid I just confused you even more here. Sorry about that. :-)

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.