Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Access-list in tunnel is not functional

Hi,

I have a VPN between sites, using IPSec on a GRE tunnel. On the 'secure side' of the tunnel I have an access list applied to the tunnel interface, however the access-list won't block traffic.

It's a very basic setup:

description Tunnel to xxx$FW_OUTSIDE$

ip address 10.172.32.18 255.255.255.252

ip access-group 125 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1420

ip inspect DEFAULT100 out

ip route-cache flow

tunnel source FastEthernet0/1

tunnel destination x.x.x.x

tunnel path-mtu-discovery

crypto map SDM_CMAP_1

Access-list 125 deny ip any any

Really, no traffic should be able to flow from the other side of this tunnel but this isn't the case - it allows anything and everything.

I have tried multiple IOS's with no avail. This is an 1841.

Any ideas?

thanks.

1 REPLY
New Member

Re: Access-list in tunnel is not functional

Funny, just noticed this am that I have comparable situation i.e. VPN between sites w/ IPSec on Gre tunnel with secure router configured to only allow selected traffic in via access-list in. When I display counters, the addresses/acl I would expect to see increment never do. I do not use CBAC/firewall - but do use QoS

I would like some ideas also. This is on a 2801/2821.

138
Views
0
Helpful
1
Replies
CreatePlease to create content