Can't ASDM/Piing/SSH my ASA from outside after Dynamic VPN applied

m.alkhateeb90
Level 1

Dears,

As the title implies, after applying a dynamic VPN on the outside interface of my firewall I can't seem to access it from outside. I need this to continue configuring my ASA; after migration I'll close the access.

Attached my configuration.

9 Replies

Rahul Govindan
VIP Alumni

Your dynamic map has an ACL that basically matches any IP traffic.

access-list Outside_cryptomap_65535.1 extended permit object-group DM_INLINE_PROTOCOL_1 any4 any4 

Remove the following statement from your dynamic map as you really don't need an ACL for a dynamic map

crypto dynamic-map Outside_dyn_map 1 match address Outside_cryptomap_65535.1

Thanks for your reply, Rahul.

Removed the access list but still couldn't reach it.

If there are any tunnels still up, they might have that ACL being used. Just to be clear, if you remove the dynamic crypto map, everything works? And when you put it back it starts failing?

I did clear my tunnels after issuing the command. 

And yes, once I remove the dynamic crypto map it starts working immediately.

What I did yesterday is that I applied a different crypto map to the outside interface by mistake, so I logged back in using the public IP and could retrieve the configuration. Once that happened I was sure it's the crypto map that is causing the issue.

Can you get the output of 'show run crypto dynamic map', 'show run crypto map' and 'show crypto ipsec sa' with all sensitive info removed?

Rahul,

Attached as per your request.

Dear Rahul,

The issue has been resolved after upgrading my ASA to version 9.6.2; I'm able to log in using ASDM now.

Thanks for your time and effort.

Thanks for reverting back. The only other thing I could think of is the bug in ASDM where the dynamic map automatically adds an any-any crypto ACL, which kills traffic to the outside.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCuy41365
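As an added example (not code from the thread, from Cisco, or from the bug report linked above), here is a small Python audit of an ASA running-config that flags the pattern Rahul points to in his first reply and in the CSCuy41365 note: a dynamic crypto map whose "match address" ACL permits any-to-any, which turns management traffic to the outside IP into "interesting" IPsec traffic. The config excerpt embedded in it is constructed for the example (the thread's attachment is not on the page); the ACE grammar it parses is a subset (assumption), and the remediation mirrors the suggested fix, removing the "match address" line from the dynamic map.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of an ASA running-config excerpt. It is NOT the attachment
# from the thread; it reproduces the shape discussed there: a dynamic map whose
# "match address" ACL permits any4 -> any4, next to a static crypto map entry
# with a properly scoped crypto ACL.
SAMPLE_CONFIG = """\
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
access-list Outside_cryptomap_65535.1 extended permit object-group DM_INLINE_PROTOCOL_1 any4 any4
access-list Outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto dynamic-map Outside_dyn_map 1 match address Outside_cryptomap_65535.1
crypto dynamic-map Outside_dyn_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer 203.0.113.10
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
"""

ANY_TOKENS = {"any", "any4", "any6"}

ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (.+)")
DYN_MATCH_RE = re.compile(r"crypto dynamic-map (\S+) (\d+) match address (\S+)")


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Map ACL name -> list of ACEs such as "permit ip any4 any4"."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
    return acls


def ace_src_dst(ace: str) -> Optional[Tuple[str, str]]:
    """Return (source, destination) address specs of a permit ACE, or None for deny.

    Handles only the subset of the extended-ACE grammar needed here (assumption):
    protocol as a keyword or "object-group NAME", and each address as
    any/any4/any6, "host A", "object NAME", "object-group NAME" or "NET MASK".
    """
    tokens = ace.split()
    if tokens[0] != "permit":
        return None
    i = 3 if tokens[1] == "object-group" else 2  # skip the protocol spec

    def take(pos: int) -> Tuple[str, int]:
        t = tokens[pos]
        if t in ANY_TOKENS:
            return t, pos + 1
        return f"{t} {tokens[pos + 1]}", pos + 2  # host/object/object-group/NET MASK

    src, i = take(i)
    dst, _ = take(i)
    return src, dst


def dynamic_map_match_acls(config: str) -> Dict[Tuple[str, int], str]:
    """Map (dynamic-map name, seq) -> ACL name for every 'match address' on a dynamic map."""
    out: Dict[Tuple[str, int], str] = {}
    for line in config.splitlines():
        m = DYN_MATCH_RE.match(line.strip())
        if m:
            out[(m.group(1), int(m.group(2)))] = m.group(3)
    return out


def find_catch_all_dynamic_maps(config: str) -> List[Tuple[str, int, str, str]]:
    """Flag dynamic-map 'match address' ACLs that contain an any -> any permit ACE.

    Such an ACE makes every packet through the interface "interesting" for
    IPsec, including ASDM/SSH/ICMP to the outside IP itself, which is the
    symptom described in the thread.
    """
    acls = parse_acls(config)
    findings = []
    for (name, seq), acl in dynamic_map_match_acls(config).items():
        for ace in acls.get(acl, []):
            sd = ace_src_dst(ace)
            if sd and sd[0] in ANY_TOKENS and sd[1] in ANY_TOKENS:
                findings.append((name, seq, acl, ace))
    return findings


def remediated_config(config: str, findings) -> str:
    """Drop the offending 'match address' lines, the fix suggested in the reply."""
    drop = {f"crypto dynamic-map {n} {s} match address {a}" for n, s, a, _ in findings}
    kept = [line for line in config.splitlines() if line.strip() not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    hits = find_catch_all_dynamic_maps(SAMPLE_CONFIG)
    for name, seq, acl, ace in hits:
        print(f"dynamic-map {name} seq {seq}: ACL {acl} has catch-all ACE '{ace}'")
    print("--- remediated ---")
    print(remediated_config(SAMPLE_CONFIG, hits), end="")
```

Feed it the output of `show run` (with the ACL and crypto sections intact) and it reports which dynamic-map sequence carries the catch-all ACL; the static map's scoped ACL is left alone. Whether a given ASDM release re-adds the ACL on the next save is something to re-check after applying the fix.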

m.alkhateeb90
Level 1

Anyone?
