11-14-2017 06:47 AM - edited 02-21-2020 06:45 AM
Hi All
I have got an ASA on the main site connected to a few ASAs on the remote sites through VPN. On the remote-site ASAs there are dynamic ACLs created which cannot be seen in the configuration.
But when I issue the command "show access-list" they can be seen. I don't know why they have been created. It shows as below:
access-list AO_temp_vpn.hosted10; 1 elements; name hash: 0xa6a80175 (dynamic)
access-list AO_temp_vpn.hosted10 line 1 extended permit ip host 10.222.1.9 host 172.16.1.217 (hitcnt=20183) 0x3ced7956
There is no ACL created with the name AO_temp_vpn.hosted10. However, the IP addresses shown in the ACL are the endpoints of the VPN. On one of the remote-site ASAs, I am trying to SSH to the outside interface but I am unable to connect, and every time I try to connect I see the hit count on the above ACL increase.
Does anyone know why the ACL was automatically created? Secondly, why is SSH traffic hitting the ACL when it does not match the interesting VPN traffic?
The ASAs are running code 8.6(1)12
Thanks in Advance
Ibrahim
01-04-2018 06:54 AM
Hi
The problem has been fixed.
The VPN tunnels were configured using the Answer-Only option in the Crypto Map on the remote-site firewalls.
The dynamic ACL was also related to the Answer-Only option, and for some reason the return traffic for the SSH connection was hitting that ACL.
The problem was resolved by removing the Answer-Only option and putting it back in the Crypto Map.
The tunnel is now up with Answer-only option and I am also able to SSH to the outside interface.
Regards
Muhammad Ibrahim
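As an added illustration (not configuration from the original thread), a constructed remote-site crypto map entry with the answer-only setting, the checks that reveal the dynamic ACL, and the remove/re-apply step Ibrahim describes. The map name, ACL name, transform-set name, peer address and sequence number are placeholders.

```cisco
! Constructed example; names and addresses are placeholders.
! Remote-site ASA: LAN-to-LAN crypto map entry that only answers, never initiates.
crypto map OUTSIDE_MAP 10 match address VPN_INTERESTING
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP interface outside
!
! Verification: the AO_temp_vpn.* ACL is not in the running config ...
show running-config access-list
! ... but is listed here, tagged (dynamic), with its hit counts.
show access-list | include dynamic
!
! Workaround applied in the thread: drop the setting (restores the default,
! bidirectional) and then re-apply answer-only on the same entry.
no crypto map OUTSIDE_MAP 10 set connection-type answer-only
crypto map OUTSIDE_MAP 10 set connection-type answer-only
```

Re-run "show access-list | include dynamic" afterwards to confirm the hit count on the dynamic entry no longer climbs when you open an SSH session to the outside interface.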
11-14-2017 11:36 AM - edited 11-14-2017 11:40 AM
Hi,
Sounds like you are using DAP or a filter on the head-end device.
So when the remote "client" connects to the VPN it will download a dynamic ACL to the remote client.
For the SSH question I have no idea, you need to give more information.
br, Micke
11-15-2017 01:58 AM
Hi Mikael
Thanks for your reply.
There is no dynamic access policy or filter configured on both firewalls unless there is a default one.
Regarding SSH: I am trying to SSH to the remote firewall from behind the head-office firewall, but I am bypassing the VPN tunnel for the SSH connection. I can see the packets reach the remote firewall, but the return traffic is directed into the VPN tunnel, which causes the SSH connection to fail.
Let me know if you need more information regarding SSH.
Thanks
Ibrahim