Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5643
Views
0
Helpful
7
Replies

GRE/IPSEC VPN: Inbound ACL on Tunnel interface

MicronasSS
Level 1
Level 1

‎02-08-2006 10:53 AM - edited ‎02-21-2020 02:14 PM

Hi,

I use GREinIPSec VPNs to connect office LANs to our headquater. Now I need to restrict the traffic from one of the offices and I have to do the restriction on the headquater router.

I thought the easiest way to do this is to create an ACL and put it on the Tunnel interface (ip access-group xxx in).

I tried that but the ACL didn't block anything, even it was an "deny ip any any" ACL.

What's my mistake?

Labels:
0 Helpful
7 Replies 7

spremkumar
Level 9
Level 9

‎02-09-2006 02:39 AM

hi

I fell if you can elaborate the kinda topology you have in place out there with a small schematic diagram as well as what you exactly want to do with the setup.

if you want your remote locations to talk only to the central location then you can have a static route for the central locations network pointing via the gre tunnel.

regds

0 Helpful

MicronasSS
Level 1
Level 1

‎02-09-2006 07:06 AM

Here is a little picture about what I want to do.

Preview file
17 KB
0 Helpful

attrgautam
Level 5
Level 5
In response to MicronasSS

‎02-09-2006 07:33 AM

Access-list did not help you say. Just to Clarify, Are you doing GRE over IPSec or IPSec over GRE ? What is the Crypto ACL ?

0 Helpful

MicronasSS
Level 1
Level 1
In response to attrgautam

‎02-10-2006 12:32 AM

Correct, the ACLs do not work, even I did this:

access-list 125 deny ip any any

interface Tunnel 1

ip access-group 125 in

I secure my GRE Tunnel using IPSec (GRE over IPSec).

My Crypto ACL is:

access-list 131 permit gre host host

0 Helpful

attrgautam
Level 5
Level 5
In response to MicronasSS

‎02-10-2006 02:48 AM

1) Can you enable logging on the ACL and see if the traffic is actually hitting the ACL and if so what traffic is ( use logging with permit ip any any)

2) If it doesnt work u can apply the ACL on the LAN facing interface to block.

If you can show the sample config, it may be helpful

0 Helpful

MicronasSS
Level 1
Level 1
In response to attrgautam

‎02-13-2006 07:23 AM

Since the ACL on the tunnel interface doesn't seems to catch packets I use now an ACL on the internal interface.

Now everything works.

Thank you all for the help.

0 Helpful

kndrkim01
Level 1
Level 1

‎07-15-2016 11:57 AM

Studying CCNA Security, going through IPSec tutorials now.  Yes, I know the original post is old, but someone may find this in a search like I did.

Crypto ACL outbound designates "interesting traffic" or what will be encrypted.  Non designated / denied traffic DOES NOT BLOCK traffic, it simply says what to send out non-encrypted.

Normal outbound ACL is what you will want to use to actually block "deny ip any any"

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents