https://community.cisco.com/t5/network-security/dynamic-access-list-on-asa/m-p/3216890#M1047244 <P>Hi Mikael</P> <P>&nbsp;</P> <P>Thanks for your reply.</P> <P>&nbsp;</P> <P>There is no dynamic access policy or filter configured on both firewalls unless there is a default one.</P> <P>&nbsp;</P> <P>Regarding SSH. I am trying to SSH to the remote firewall from the behind the headoffice firewall But I am bypassing the VPN tunnel for SSH connection. I can see the packets reaches at the remote firewall but return traffic is directed to the VPN tunnel which causes SSH connection failure.</P> <P>&nbsp;</P> <P>Let me know if you need more information regarding SSH.</P> <P>&nbsp;</P> <P>Thanks</P> <P>Ibrahim</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 15 Nov 2017 09:58:58 GMT mibrahim 2017-11-15T09:58:58Z https://community.cisco.com/t5/network-security/dynamic-access-list-on-asa/m-p/3216342#M1047214 <P>Hi All</P> <P>I have got an ASA on the main site connected to few ASAs on the remote site through VPN. On remote site ASAs there are dynamic ACLs created which cannot be seen in the configuration.</P> <P>&nbsp;</P> <P>But when I issue the command "show access-list" then they can be seen. Don't know why they have been created. It shows like as below:</P> <P>&nbsp;</P> <P><FONT color="#800000"><STRONG><EM>access-list AO_temp_vpn.hosted10; 1 elements; name hash: 0xa6a80175 (dynamic)</EM></STRONG></FONT></P> <P><FONT color="#800000"><STRONG><EM>access-list AO_temp_vpn.hosted10 line 1 extended permit ip host 10.222.1.9 host 172.16.1.217 (hitcnt=20183) 0x3ced7956 </EM></STRONG></FONT></P> <P>&nbsp;</P> <P>There is no ACL created with the name <EM><FONT color="#800000">AO_temp_vpn.hosted10</FONT></EM>. However the IP addresses shown in the ACL are the endpoints of the VPN. On one of the remote site ASA, I am trying to SSH the outside interface but I am unable to connect and everytime I try to connect I see the hitcount on the above ACL.</P> <P>&nbsp;</P> <P>Does anyone know why the ACL was automatically created? Secondly why SSH traffic is hitting the ACL when it is not matching the interested VPN traffic.</P> <P>&nbsp;</P> <P>The ASAs are running code&nbsp;8.6(1)12</P> <P>&nbsp;</P> <P>Thanks in Advance</P> <P>Ibrahim</P> Fri, 21 Feb 2020 14:45:02 GMT https://community.cisco.com/t5/network-security/dynamic-access-list-on-asa/m-p/3216342#M1047214 mibrahim 2020-02-21T14:45:02Z https://community.cisco.com/t5/network-security/dynamic-access-list-on-asa/m-p/3216528#M1047226 <P>Hi,<BR /><BR />Sounds like your are using DAP or Filter on the head-end device.<BR />So when the remote "client" connects to the vpn it will download a dynamic acl to the remove client.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6</A></P> <P><BR />For SSH question I have no idea, you need to give more information.<BR /><BR />br, Micke</P> Tue, 14 Nov 2017 19:40:51 GMT https://community.cisco.com/t5/network-security/dynamic-access-list-on-asa/m-p/3216528#M1047226 mikael.lahtela 2017-11-14T19:40:51Z https://community.cisco.com/t5/network-security/dynamic-access-list-on-asa/m-p/3216890#M1047244 <P>Hi Mikael</P> <P>&nbsp;</P> <P>Thanks for your reply.</P> <P>&nbsp;</P> <P>There is no dynamic access policy or filter configured on both firewalls unless there is a default one.</P> <P>&nbsp;</P> <P>Regarding SSH. I am trying to SSH to the remote firewall from the behind the headoffice firewall But I am bypassing the VPN tunnel for SSH connection. I can see the packets reaches at the remote firewall but return traffic is directed to the VPN tunnel which causes SSH connection failure.</P> <P>&nbsp;</P> <P>Let me know if you need more information regarding SSH.</P> <P>&nbsp;</P> <P>Thanks</P> <P>Ibrahim</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 15 Nov 2017 09:58:58 GMT https://community.cisco.com/t5/network-security/dynamic-access-list-on-asa/m-p/3216890#M1047244 mibrahim 2017-11-15T09:58:58Z https://community.cisco.com/t5/network-security/dynamic-access-list-on-asa/m-p/3306086#M1047271 <P>Hi</P> <P>&nbsp;</P> <P>The problem has been fixed.</P> <P>&nbsp;</P> <P>The VPN tunnels were configured using Answer-Only option in Crypto Map on the remote site firewalls.</P> <P>&nbsp;</P> <P>The dynamic ACL was also related to the Answer-Only option and for some reason the return traffic for SSH connection was hitting that ACL.</P> <P>&nbsp;</P> <P>The problem was resolved by removing and Answer-Only option and putting it back in the Crypto Map.</P> <P>&nbsp;</P> <P>The tunnel is now up with Answer-only option and I am also able to SSH to the outside interface.</P> <P>&nbsp;</P> <P>Regards</P> <P>Muhammad Ibrahim</P> <P>&nbsp;</P> Thu, 04 Jan 2018 14:54:59 GMT https://community.cisco.com/t5/network-security/dynamic-access-list-on-asa/m-p/3306086#M1047271 mibrahim 2018-01-04T14:54:59Z