Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
256
Views
0
Helpful
1
Replies

Access-list in tunnel is not functional

nhaits
Level 1
Level 1

‎03-18-2006 05:25 PM

Hi,

I have a VPN between sites, using IPSec on a GRE tunnel. On the 'secure side' of the tunnel I have an access list applied to the tunnel interface, however the access-list won't block traffic.

It's a very basic setup:

description Tunnel to xxx$FW_OUTSIDE$

ip address 10.172.32.18 255.255.255.252

ip access-group 125 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1420

ip inspect DEFAULT100 out

ip route-cache flow

tunnel source FastEthernet0/1

tunnel destination x.x.x.x

tunnel path-mtu-discovery

crypto map SDM_CMAP_1

Access-list 125 deny ip any any

Really, no traffic should be able to flow from the other side of this tunnel but this isn't the case - it allows anything and everything.

I have tried multiple IOS's with no avail. This is an 1841.

Any ideas?

thanks.

Labels:
0 Helpful
1 Reply 1

tluidens
Level 1
Level 1

‎04-18-2006 06:35 AM

Funny, just noticed this am that I have comparable situation i.e. VPN between sites w/ IPSec on Gre tunnel with secure router configured to only allow selected traffic in via access-list in. When I display counters, the addresses/acl I would expect to see increment never do. I do not use CBAC/firewall - but do use QoS

I would like some ideas also. This is on a 2801/2821.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents