Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1963
Views
0
Helpful
5
Replies

Filtering traffic inside GRE tunnel

Gerald Vogt
Level 3
Level 3

‎02-21-2009 04:38 AM - edited ‎03-04-2019 03:40 AM

On a IOS 1812 router I have a GRE tunnel (over IPSec) set up and it is working. The router connects to the internet through a PPPoE connection using Dialer0. The configuration of the tunnel is as follows:

interface Tunnel1

ip address 10.10.10.1 255.255.255.252

no ip route-cache cef

no ip route-cache

ip tcp adjust-mss 1420

no ip mroute-cache

keepalive 10 3

tunnel source Dialer0

tunnel destination 1.2.3.4

end

Now I want to set up a firewall to only accept incoming SMTP traffic and otherwise use the CBAC firewall to inspect all outgoing traffic.

So basically I add these two lines to the tunnel interface: (10.1.0.2 is the LAN IP address of the local SMTP server)

access-list 101 permit tcp any host 10.1.0.2 eq smtp log

access-list 101 deny ip any any log

ip inspect name tunnelfw tcp

ip inspect name tunnelfw udp

ip inspect name tunnelfw icmp

internet Tunnel 1

ip access-group 101 in

ip inspect tunnelfw out

end

This, however, does nothing at all. All traffic passes in both directions without problem through the tunnel. It is possible to connect from the remote side to any port on any IP address on the local LAN.

There is nothing logged, either, although the access-list has log statements.

If I add another access list for testing purposes to the out direction, I get all outgoing traffic properly logged:

access-list 102 permit ip any any log

interface Tunnel1

ip access-group 102 out

end

So it seems as if the GRE tunnel interface only allows outbound filtering but not inbound filtering. Is that true?

Even if I try this filtering:

access-list 101 deny ip any any log

internet Tunnel 1

ip access-group 101 in

end

All traffic passes in although the access list should filter all.

So how do I filter the traffic which is arriving from the remote side through my GRE tunnel?

Labels:
0 Helpful
5 Replies 5

paolo bevilacqua
Hall of Fame
Hall of Fame

‎02-21-2009 09:55 AM

Hi, you can filter outbound on your LAN interface.

Unrelated, recommend you re-enableIP CEF, remove ip tcp mss-adjust from tunnel, put on LAN if instead.

You can also enable encryption for gre with "tunnel protect" instead of separated ipsec config.

0 Helpful

Gerald Vogt
Level 3
Level 3
In response to paolo bevilacqua

‎02-22-2009 03:40 AM

Of course I could filter on the LAN interfaces. But I don't want to add filters on each of my VLANs to filter traffic which is arriving through a single tunnel interface. There must be a way how to set this up or a specific reason why it does not work...

Similar for "ip tcp mss-adjust": why would I put it on LAN interfaces instead on the interface which has the link which requires the setting? Moreover, other links have other mss-adjust settings. I cannot set multiple mss-adjust values on a single LAN interface unless I choose the lowest of all. But then I would use smaller values than necessary MSS values on some paths.

I think it is not possible to use "tunnel protection" with an ipsec profile. If I set this, it does no change anything and there won't be an IPSec SA. All Cisco examples I have found use it in conjunction with "tunnel mode ipsec" which creates a plain IPSec tunnel and not a GRE tunnel.

0 Helpful

paolo bevilacqua
Hall of Fame
Hall of Fame
In response to Gerald Vogt

‎02-22-2009 03:58 AM

Sometime, things in IOS do not work as supposed. You can fight for having TAC acknowledge that inbound ACL must work on the IOS you're using, or you can try a different IOS, or use a workaround. My suggestion was for the latter, for the sake of practicality.

With regard to mss-adjust, consider that to be effective, if must be on the interface that is input to the 'client', typically the LAN interface. If you have it on tunnel side toward 'client', you might not need it at all, test.

Wrt to the different ways of doing gre over ipsec, there are many options, I was referring to 'tunnel protection' feature.See:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE_IPSec.html

0 Helpful

Gerald Vogt
Level 3
Level 3
In response to paolo bevilacqua

‎02-22-2009 05:28 AM

I would only submit a TAC if I knew it was a bug. I thought there would be a few people here who filter the traffic which passes through a GRE tunnel and could tell if it should work or not.

Cisco documentation suggests "ip tcp mss-adjust" affects inbound and outbound traffic.

The link you have posted only once really mentions "tunnel protection" but never uses it in any of the examples.

0 Helpful

paolo bevilacqua
Hall of Fame
Hall of Fame
In response to Gerald Vogt

‎02-22-2009 06:52 AM

Hi, yes inbout ACL should work.

I think I had tested that advertised TCP MSS is adjusted only for incoming packets on the interface where it's applied. You can verify by your own if you want. Note that on networks where mtu path discovery works, the command is not needed at all.

Here the reference for tunnel protection:

http://cisco.com/en/US/docs/ios/security/command/reference/sec_t2.html#wp1029882

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card