{"id":825,"date":"2022-02-01T09:40:33","date_gmt":"2022-02-01T08:40:33","guid":{"rendered":"https:\/\/www.labtinker.net\/?p=825"},"modified":"2022-02-01T09:40:33","modified_gmt":"2022-02-01T08:40:33","slug":"cisco-asa-and-non-std-ssh-v2","status":"publish","type":"post","link":"https:\/\/labtinker.net\/?p=825","title":{"rendered":"Cisco ASA and non-std SSH – the reprise"},"content":{"rendered":"\n

Any readers of this blog will possibly remember that I compared a few different vendors’ firewalls to see how easy it was to configure them to block ssh access when it was running on the non-standard port of tcp 80 which is typically used by http. (This is a little contrived because anyone trying to get out like this would probably use tcp 443 giving us the complication of encryption but it gives a feel for how easy it is to configure application inspection)<\/p>\n\n\n\n

During this process I had problems with the Cisco ASA and disqualified it from my trial. However, would you believe I have had countless emails asking me when I would give it a second chance? No, neither would I. Nonetheless I decided to revist the ASA.<\/p>\n\n\n\n

This is the topology:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The stages of the test will follow the trials conducted earlier. We will set up the firewall with a rule allowing port 80 or http traffic out from the DMZ and stand up a server running ssh on port 80 (ssh.labtinker.net). We will then see if we can ssh out through the firewall on port 80 from the linux server running on the DMZ.<\/p>\n\n\n\n

I can report that with a rule allowing http (amongst other things but not ssh!)…<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I was able to connect straight away to my ssh server.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I knew the ASA already did some from of application inspection out of the box using its default global service policy but checking this out I saw that it didn’t cover http<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I added ‘http’ to this policy <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I then tried my ssh connection out on port 80 and it was still allowed…. I won’t bother with the visual evidence this time but obvioulsy the default http application inspection didn’t stop ssh. <\/p>\n\n\n\n

I realised I was going to have to delve into modular policy framework which is what Cisco uses to do application inspection (amongst other things). I never found it hugely intuitive so I determined that I would satisfy myself that I could get it working before trying to use it to block ssh. I chose as a way of doing this allowing access to 18.135.13.153\/<\/em> but blocking access to www.labtinker.co.uk<\/em>; mainly because someone had already given an example of how to do something similar.<\/p>\n\n\n\n

\n
Cisco ASA MPF URL Filtering<\/a><\/blockquote>