Cisco Support Community
Community Member

GRE/IPSEC VPN: Inbound ACL on Tunnel interface

Hi,

I use GRE in IPSec VPNs to connect office LANs to our headquarters. Now I need to restrict the traffic from one of the offices, and I have to do the restriction on the headquarters router.

I thought the easiest way to do this is to create an ACL and put it on the Tunnel interface (ip access-group xxx in).

I tried that, but the ACL didn't block anything, even when it was a "deny ip any any" ACL.

What's my mistake?

7 REPLIES

Re: GRE/IPSEC VPN: Inbound ACL on Tunnel interface

hi

I feel it would help if you could elaborate on the kind of topology you have in place out there, with a small schematic diagram, as well as what exactly you want to do with the setup.

If you want your remote locations to talk only to the central location, then you can have a static route for the central location's network pointing via the GRE tunnel.

Regards

Community Member

Re: GRE/IPSEC VPN: Inbound ACL on Tunnel interface

Here is a little picture about what I want to do.

Silver

Re: GRE/IPSEC VPN: Inbound ACL on Tunnel interface

You say the access-list did not help. Just to clarify, are you doing GRE over IPSec or IPSec over GRE? What is the crypto ACL?

Community Member

Re: GRE/IPSEC VPN: Inbound ACL on Tunnel interface

Correct, the ACLs do not work, even when I did this:

access-list 125 deny ip any any
!
interface Tunnel 1
 ip access-group 125 in

I secure my GRE Tunnel using IPSec (GRE over IPSec).

My Crypto ACL is:

access-list 131 permit gre host host

Silver

Re: GRE/IPSEC VPN: Inbound ACL on Tunnel interface

1) Can you enable logging on the ACL and see if the traffic is actually hitting the ACL and, if so, what traffic it is? (Use logging with permit ip any any.)

2) If it doesn't work, you can apply the ACL on the LAN-facing interface to block.

If you can show the sample config, it may be helpful.

Community Member

Re: GRE/IPSEC VPN: Inbound ACL on Tunnel interface

Since the ACL on the tunnel interface doesn't seem to catch packets, I now use an ACL on the internal interface.

Now everything works.

Thank you all for the help.

Community Member

Studying CCNA Security, going

Studying CCNA Security, going through IPSec tutorials now. Yes, I know the original post is old, but someone may find this in a search like I did.

The outbound crypto ACL designates "interesting traffic", i.e. what will be encrypted. Non-designated / denied traffic DOES NOT BLOCK traffic; it simply says what to send out non-encrypted.

A normal outbound ACL is what you will want to use to actually block ("deny ip any any").
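The working layout this thread ends up with, as an added configuration example that is not from any poster: the crypto ACL (131, as in the original post) only selects GRE between the two tunnel endpoints for encryption, while the filtering ACL is applied on the headquarters LAN-facing interface, outbound toward the LAN, to restrict what the office can reach. All addresses, subnets, interface names and the key are constructed placeholders.

```cisco
! --- Constructed example; addresses, interface names and the key are placeholders ---
! Crypto ACL: selects GRE between the two tunnel endpoints for IPsec.
! It only decides what gets encrypted; a deny here sends traffic in the clear, it does not drop it.
access-list 131 permit gre host 198.51.100.1 host 203.0.113.1
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 131
!
! Filtering ACL: office 10.20.0.0/24 may reach only the HQ server 10.10.0.10.
! "log" on the deny shows what is being dropped (show logging), as suggested above.
ip access-list extended OFFICE-TO-HQ
 permit ip 10.20.0.0 0.0.0.255 host 10.10.0.10
 deny   ip 10.20.0.0 0.0.0.255 any log
 permit ip any any
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.1
!
interface GigabitEthernet0/0
 description Internet (tunnel source, crypto map applied here)
 ip address 198.51.100.1 255.255.255.0
 crypto map CM
!
interface GigabitEthernet0/1
 description HQ LAN (filtering ACL applied here instead of on Tunnel1)
 ip address 10.10.0.1 255.255.255.0
 ip access-group OFFICE-TO-HQ out
!
ip route 10.20.0.0 255.255.255.0 Tunnel1
```

Applied on the LAN interface, the filter only covers what the office sends toward the HQ LAN; office-to-office traffic that transits the headquarters router leaves by another interface and is not checked by this ACL.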
