
tunnel snmp traffic

cscyangyu
Level 1

I have a router R0. R0's f0/0 connects to a server 10.1.1.2, and R0 also uses f0/0 as a GRE tunnel's source interface. This tunnel's destination is R3's f0/0, and 1 SMTP server 192.168.1.3 connects to router R3. The server 10.1.1.2 needs to connect to the server 192.168.1.3's TCP port 25, and I put an ACL on R0's f0/0:

int f0/0

ip access-group snmp in

ip access-list extended snmp

permit tcp host 10.1.1.2 host 192.168.1.3 eq 25

There is no other ACL between these 2 servers.

But the server 10.1.1.2 still cannot access server 192.168.1.3 using TCP port 25.

Since tunnel 0 also uses f0/0 as its source interface, I guess maybe I need to add one more line to ACL snmp:

permit tcp host 192.168.1.3 eq 25 host 10.1.1.2

Please help me with this issue. If my guess is wrong, what is the right solution?

2 Replies

Giuseppe Larosa
Hall of Fame

Hello Yang,

You are right.

The ACL should be written as:

permit tcp host 192.168.1.3 eq 25 host 10.1.1.2

I would test this with the following:

Just remove the ACL you have applied on the tunnel interface.

Test it without any ACL.

In these conditions can server 10.1.1.2 connect to 192.168.1.3?

Try with the modified ACL and see the behaviour.

Your original ACL should match traffic sent out the tunnel if R0 sees tunnel0 as the outgoing interface to reach 192.168.1.3.

Hope to help

Giuseppe

I cannot test it since I need to submit a change request before I change the ACL.
