Dynamic Access list on ASA

mibrahim
Level 1

Hi All

I have got an ASA on the main site connected to a few ASAs on the remote sites through VPN. On the remote site ASAs there are dynamic ACLs created which cannot be seen in the configuration.

But when I issue the command "show access-list" they can be seen. I don't know why they have been created. It shows as below:

access-list AO_temp_vpn.hosted10; 1 elements; name hash: 0xa6a80175 (dynamic)

access-list AO_temp_vpn.hosted10 line 1 extended permit ip host 10.222.1.9 host 172.16.1.217 (hitcnt=20183) 0x3ced7956

There is no ACL created with the name AO_temp_vpn.hosted10. However, the IP addresses shown in the ACL are the endpoints of the VPN. On one of the remote site ASAs, I am trying to SSH to the outside interface but I am unable to connect, and every time I try to connect I see the hit count on the above ACL increase.

Does anyone know why the ACL was automatically created? Secondly, why is SSH traffic hitting the ACL when it does not match the interesting VPN traffic?

The ASAs are running code 8.6(1)12.

Thanks in advance

Ibrahim
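To spot the situation described in the question (entries that appear in "show access-list" but not in the running configuration), here is an added Python helper that parses output in the format quoted above and lists the dynamic ACLs that have matched traffic. This is example code, not from the original post or from Cisco; the sample output beyond the two quoted lines is constructed, and the parser assumes the header/entry line layout shown in the question.

```python
import re

# Constructed sample of "show access-list" output. The first two lines are the
# ones quoted in the question; the OUTSIDE_IN lines are made up for contrast.
SAMPLE_OUTPUT = """\
access-list AO_temp_vpn.hosted10; 1 elements; name hash: 0xa6a80175 (dynamic)
access-list AO_temp_vpn.hosted10 line 1 extended permit ip host 10.222.1.9 host 172.16.1.217 (hitcnt=20183) 0x3ced7956
access-list OUTSIDE_IN; 2 elements; name hash: 0x12345678
access-list OUTSIDE_IN line 1 extended permit tcp any host 203.0.113.10 eq 443 (hitcnt=15) 0xaabbccdd
access-list OUTSIDE_IN line 2 extended deny ip any any (hitcnt=0) 0x11223344
"""

# ACL summary line: name, element count, hash, optional "(dynamic)" marker.
HEADER_RE = re.compile(
    r"^access-list (\S+); (\d+) elements; name hash: 0x[0-9a-f]+(?P<dyn> \(dynamic\))?$")
# ACE line: name, line number, the rule text, hit counter, optional per-ACE hash.
ENTRY_RE = re.compile(
    r"^access-list (\S+) line (\d+) (.+?) \(hitcnt=(\d+)\)( 0x[0-9a-f]+)?$")


def parse_access_lists(text):
    """Return {acl_name: {"dynamic": bool, "entries": [(line_no, rule, hitcnt), ...]}}."""
    acls = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            acl = acls.setdefault(m.group(1), {"dynamic": False, "entries": []})
            acl["dynamic"] = bool(m.group("dyn"))
            continue
        m = ENTRY_RE.match(line)
        if m:
            acl = acls.setdefault(m.group(1), {"dynamic": False, "entries": []})
            acl["entries"].append((int(m.group(2)), m.group(3), int(m.group(4))))
    return acls


def dynamic_acls_with_hits(acls):
    """Names of dynamic ACLs (absent from the running config) whose ACEs have matched traffic."""
    return sorted(name for name, acl in acls.items()
                  if acl["dynamic"] and any(hits > 0 for _, _, hits in acl["entries"]))


if __name__ == "__main__":
    parsed = parse_access_lists(SAMPLE_OUTPUT)
    for name in dynamic_acls_with_hits(parsed):
        for line_no, rule, hits in parsed[name]["entries"]:
            print(f"{name} line {line_no}: {rule} (hitcnt={hits})")
```

Feed it the captured output of "show access-list" from the remote ASA to get a list of dynamic ACLs worth comparing against "show running-config access-list".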

1 Accepted Solution

Hi

The problem has been fixed.

The VPN tunnels were configured using the Answer-Only option in the crypto map on the remote site firewalls.

The dynamic ACL was also related to the Answer-Only option, and for some reason the return traffic for the SSH connection was hitting that ACL.

The problem was resolved by removing the Answer-Only option and putting it back in the crypto map.

The tunnel is now up with the Answer-Only option and I am also able to SSH to the outside interface.

Regards

Muhammad Ibrahim
