Access List needed only to allow Site-to-Site tunnel

May 14th, 2009

Hi guys,

I need to lock down the outside interface on an 871 router which currently has a L2L tunnel with a remote router. I need to apply an ACL to the outside interface of this 871 and to allow ONLY the remote router to communicate with my 871 for the purpose of the tunnel. Everything else will be blocked.

Can you tell me what are the exact protocols and port numbers that I need to allow?

It is an IPsec tunnel embedded on a GRE tunnel. The IP address of the remote router is

Collin Clark Fri, 05/15/2009 - 07:00

GRE packets are encapsulated within IP and use IP protocol type 47.

access-list 187 permit gre host host (871 public IP)

Hope that helps.

insccisco Mon, 05/18/2009 - 05:40

Will this be the only thing I'd need? I have a customer that has the following access-lists applied to the outside interface:

access-list 120 permit gre host host

access-list 120 permit udp host host eq isakmp

access-list 120 permit esp host host

access-list 120 permit udp host host eq non500-isakmp

I always see hits on the access lists "eq isakmp" and "eq non500-isakmp"...

So wouldn't this mean that I will need these access lists as well?

Collin Clark Tue, 05/19/2009 - 05:18

If you had a GRE tunnel and were encrypting the packets inside of it, no. Sounds like you're not doing that though, and you will need isakmp and esp opened up.

insccisco Thu, 05/21/2009 - 08:38

I see. Then why is it that I see a lot of hits on the other access lists?

That was also my understanding: that on a GRE tunnel, the GRE thing happens first and all traffic is encrypted, thus no need to allow/open anything else except the GRE stuff on the outside access list.

Collin Clark Thu, 05/21/2009 - 10:28

You are correct, that's why I'm thinking that maybe the GRE is running inside an IPSec tunnel. Can you post a config?

srue Thu, 05/21/2009 - 10:37

Are you asking for the crypto ACL or the interface ACL?

insccisco Thu, 05/21/2009 - 13:19

Here's the config. How do you tell which one is happening first?

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 DZY`gTaKIA^EKE[PYKghPS^QaOaDRHWO_AAB address no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 20 ipsec-isakmp
 set peer
 set transform-set myset
 match address gre_tunnel
interface Tunnel1
 ip address
 ip mtu 1400
 tunnel source
 tunnel destination
 tunnel mode ipip
interface FastEthernet4
 ip address
 ip access-group 120 in
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
interface Vlan2
 ip address
router eigrp 1
 passive-interface Vlan2
 no auto-summary
ip access-list extended gre_tunnel
 permit ip host host

Collin Clark Thu, 05/21/2009 - 13:41

Where is your GRE ACL?

It should look something like this:

access-list 120 permit gre host host

Also, the tunnel source is a private IP and the tunnel destination is a public IP. Shouldn't it be public-to-public? Does a show interface Tunnel1 show traffic passing? I assume that a show crypto isa sa shows a connection?

insccisco Thu, 05/21/2009 - 13:47

The tunnel source being a private IP is no problem. Actually, that was done by Cisco TAC; I guess the public one was not working...

Well, based on the config I sent, what is happening first? Is GRE inside IPsec or vice versa?

insccisco Fri, 05/22/2009 - 06:00

Hey, once again, based on the config I sent, is GRE running inside an IPSec tunnel or is IPSec running inside GRE?
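Added example (not from the thread or any poster): a Python sketch of the check the question above is really asking for. It reads the interface stanzas of an IOS config and infers the nesting from where the crypto map sits: on the physical interface the tunnel packets are encrypted after encapsulation, so the wire carries IKE/ESP and the outside ACL needs isakmp, esp and non500-isakmp; on the Tunnel interface the tunnel header is outermost and only the tunnel protocol needs permitting. It goes beyond the thread by also reading `tunnel mode` (IOS default is GRE; `ipip` is IP-in-IP, protocol 4, keyword `ipinip`); the config fragment and all addresses are constructed placeholders.

```python
# Constructed IOS fragment modelled on the config posted in this thread; addresses are RFC 5737 placeholders.
SAMPLE_CONFIG = """\
interface Tunnel1
 tunnel source 192.168.1.1
 tunnel destination 203.0.113.2
 tunnel mode ipip
interface FastEthernet4
 ip address 198.51.100.1 255.255.255.0
 ip access-group 120 in
 crypto map mymap
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands (each already split into words)."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.split())
        elif raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ifaces[current] = []
        else:
            current = None
    return ifaces

def analyse_tunnel(config):
    """Crypto map on the physical interface: tunnel inside IPsec. On the Tunnel interface: IPsec inside tunnel."""
    info = {"tunnel_mode": "gre", "peer": None, "local": None, "nesting": "no IPsec"}
    for name, body in parse_interfaces(config).items():
        is_tunnel = name.startswith("Tunnel")
        has_crypto = any(w[:2] == ["crypto", "map"] for w in body)
        for w in body:
            if w[:2] == ["tunnel", "mode"]:
                info["tunnel_mode"] = w[2]       # IOS default is gre; ipip is IP-in-IP (protocol 4)
            elif w[:2] == ["tunnel", "destination"]:
                info["peer"] = w[2]
            elif has_crypto and w[:2] == (["tunnel", "source"] if is_tunnel else ["ip", "address"]):
                info["local"] = w[2]             # outer source address as it appears on the wire
        if has_crypto:
            info["nesting"] = "IPsec inside tunnel" if is_tunnel else "tunnel inside IPsec"
    return info

def outside_acl(info, acl_no=120):
    if info["nesting"] == "tunnel inside IPsec":
        # Only IKE (UDP/500), ESP (IP protocol 50) and NAT-T (UDP/4500) reach the outside interface
        rules = ["udp {} eq isakmp", "esp {}", "udp {} eq non500-isakmp"]
    else:
        # The tunnel header is outermost: GRE is protocol 47, IP-in-IP ('ipinip') is protocol 4
        rules = [("gre" if info["tunnel_mode"] == "gre" else "ipinip") + " {}"]
    pair = f"host {info['peer']} host {info['local']}"
    return [f"access-list {acl_no} permit " + r.format(pair) for r in rules]
```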
