GRE/IPSEC VPN: Inbound ACL on Tunnel interface

Feb 8th, 2006
I use GRE-in-IPSec VPNs to connect office LANs to our headquarters. Now I need to restrict the traffic from one of the offices, and I have to do the restriction on the headquarters router.

I thought the easiest way to do this is to create an ACL and put it on the Tunnel interface (ip access-group xxx in).

I tried that, but the ACL didn't block anything, even when it was a "deny ip any any" ACL.

What's my mistake?

spremkumar Thu, 02/09/2006 - 02:39

I feel it would help if you could elaborate the kind of topology you have in place out there, with a small schematic diagram, as well as what exactly you want to do with the setup.

If you want your remote locations to talk only to the central location, then you can have a static route for the central location's network pointing via the GRE tunnel.


attrgautam Thu, 02/09/2006 - 07:33

The access-list did not help, you say. Just to clarify, are you doing GRE over IPSec or IPSec over GRE? What is the crypto ACL?

MicronasSS Fri, 02/10/2006 - 00:32

Correct, the ACLs do not work, even when I did this:

    access-list 125 deny ip any any
    !
    interface Tunnel 1
     ip access-group 125 in

I secure my GRE Tunnel using IPSec (GRE over IPSec).

My Crypto ACL is:

access-list 131 permit gre host host

attrgautam Fri, 02/10/2006 - 02:48

1) Can you enable logging on the ACL and see if the traffic is actually hitting the ACL and, if so, what traffic it is (use logging with permit ip any any)?

2) If it doesn't work, you can apply the ACL on the LAN-facing interface to block.

If you can show the sample config, it may be helpful.

MicronasSS Mon, 02/13/2006 - 07:23

Since the ACL on the tunnel interface doesn't seem to catch packets, I now use an ACL on the internal interface.

Now everything works.

Thank you all for the help.

kndrkim01 Fri, 07/15/2016 - 11:57

Studying CCNA Security, going through IPSec tutorials now. Yes, I know the original post is old, but someone may find this in a search like I did.

The outbound crypto ACL designates "interesting traffic", i.e. what will be encrypted. Non-designated / denied traffic DOES NOT get blocked; the crypto ACL simply says what to send out non-encrypted.

A normal outbound ACL is what you will want to use to actually block ("deny ip any any").
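To put the two kinds of ACL side by side, here is an added headquarters-router configuration that is not from the original thread: the crypto ACL only selects which GRE packets get encrypted, while the filter that actually restricts the office sits on the LAN-facing interface, as MicronasSS ended up doing. All addresses (192.0.2.x tunnel endpoints, 10.1.0.0/24 headquarters LAN, 10.2.0.0/24 remote office), interface names, the pre-shared key and the outbound direction of the filter are assumptions.

```cisco
! Headquarters router (placeholder addresses, interface names and key)
!
! Crypto ACL: selects the GRE packets between the two tunnel endpoints
! for encryption. Traffic it does not match is NOT dropped; it is just
! sent unencrypted, so this ACL cannot be used as a filter.
access-list 131 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address 131
!
interface GigabitEthernet0/0
 description WAN side, tunnel source and IPsec peer address
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN
!
interface Tunnel1
 description GRE to the remote office, carried inside IPsec
 ip address 172.16.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
!
! Filtering ACL: this is the one that actually blocks. Applied outbound
! on the LAN-facing interface, it lets the remote office reach only one
! server on the headquarters LAN and logs anything else it drops.
ip access-list extended OFFICE-RESTRICT
 permit ip 10.2.0.0 0.0.0.255 host 10.1.0.10
 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255 log
 permit ip any any
!
interface GigabitEthernet0/1
 description headquarters LAN
 ip address 10.1.0.1 255.255.255.0
 ip access-group OFFICE-RESTRICT out
!
! Remote office LAN is reached through the GRE tunnel
ip route 10.2.0.0 255.255.255.0 Tunnel1
```

The trailing `permit ip any any` keeps the other offices' traffic flowing; the `log` keyword on the deny line gives the hit counts attrgautam suggested checking.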
