cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4122
Views
0
Helpful
3
Replies

Dynamic Access list on ASA

mibrahim
Level 1
Level 1

Hi All

I have got an ASA on the main site connected to few ASAs on the remote site through VPN. On remote site ASAs there are dynamic ACLs created which cannot be seen in the configuration.

 

But when I issue the command "show access-list" then they can be seen. Don't know why they have been created. It shows like as below:

 

access-list AO_temp_vpn.hosted10; 1 elements; name hash: 0xa6a80175 (dynamic)

access-list AO_temp_vpn.hosted10 line 1 extended permit ip host 10.222.1.9 host 172.16.1.217 (hitcnt=20183) 0x3ced7956

 

There is no ACL created with the name AO_temp_vpn.hosted10. However the IP addresses shown in the ACL are the endpoints of the VPN. On one of the remote site ASA, I am trying to SSH the outside interface but I am unable to connect and everytime I try to connect I see the hitcount on the above ACL.

 

Does anyone know why the ACL was automatically created? Secondly why SSH traffic is hitting the ACL when it is not matching the interested VPN traffic.

 

The ASAs are running code 8.6(1)12

 

Thanks in Advance

Ibrahim

1 Accepted Solution

Accepted Solutions

Hi

 

The problem has been fixed.

 

The VPN tunnels were configured using Answer-Only option in Crypto Map on the remote site firewalls.

 

The dynamic ACL was also related to the Answer-Only option and for some reason the return traffic for SSH connection was hitting that ACL.

 

The problem was resolved by removing and Answer-Only option and putting it back in the Crypto Map.

 

The tunnel is now up with Answer-only option and I am also able to SSH to the outside interface.

 

Regards

Muhammad Ibrahim

 

View solution in original post

3 Replies 3

mikael.lahtela
Level 4
Level 4

Hi,

Sounds like your are using DAP or Filter on the head-end device.
So when the remote "client" connects to the vpn it will download a dynamic acl to the remove client.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6


For SSH question I have no idea, you need to give more information.

br, Micke

Hi Mikael

 

Thanks for your reply.

 

There is no dynamic access policy or filter configured on both firewalls unless there is a default one.

 

Regarding SSH. I am trying to SSH to the remote firewall from the behind the headoffice firewall But I am bypassing the VPN tunnel for SSH connection. I can see the packets reaches at the remote firewall but return traffic is directed to the VPN tunnel which causes SSH connection failure.

 

Let me know if you need more information regarding SSH.

 

Thanks

Ibrahim

 

 

 

Hi

 

The problem has been fixed.

 

The VPN tunnels were configured using Answer-Only option in Crypto Map on the remote site firewalls.

 

The dynamic ACL was also related to the Answer-Only option and for some reason the return traffic for SSH connection was hitting that ACL.

 

The problem was resolved by removing and Answer-Only option and putting it back in the Crypto Map.

 

The tunnel is now up with Answer-only option and I am also able to SSH to the outside interface.

 

Regards

Muhammad Ibrahim

 

Review Cisco Networking for a $25 gift card