Cisco Support Community
New Member

Access-list in tunnel is not functional


I have a VPN between sites, using IPSec on a GRE tunnel. On the 'secure side' of the tunnel I have an access list applied to the tunnel interface, however the access-list won't block traffic.

It's a very basic setup:

 description Tunnel to xxx$FW_OUTSIDE$
 ip address
 ip access-group 125 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1420
 ip inspect DEFAULT100 out
 ip route-cache flow
 tunnel source FastEthernet0/1
 tunnel destination x.x.x.x
 tunnel path-mtu-discovery
 crypto map SDM_CMAP_1

access-list 125 deny ip any any

Really, no traffic should be able to flow from the other side of this tunnel, but this isn't the case - it allows anything and everything.

I have tried multiple IOS versions, to no avail. This is an 1841.

Any ideas?


New Member

Re: Access-list in tunnel is not functional

Funny, I just noticed this AM that I have a comparable situation, i.e. a VPN between sites with IPSec on a GRE tunnel, with the secure router configured to only allow selected traffic in via an inbound access-list. When I display counters, the addresses/ACL entries I would expect to see increment never do. I do not use CBAC/firewall, but I do use QoS.

I would like some ideas also. This is on a 2801/2821.
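Both posts describe the same symptom: an inbound ACL applied to the tunnel interface whose entries never accumulate matches. Neither post states the cause, and the thread has no resolution. The following is an added example, not code from the thread, from Cisco, or from either poster: a small Python checker that parses `show ip access-lists` output and an interface stanza, reports an inbound ACL whose every entry shows zero matches (meaning the ACL is not evaluating the traffic the interface receives), and notes the documented CBAC interaction when `ip inspect ... out` sits on the same interface (CBAC inserts temporary dynamic entries ahead of the static inbound ACL for the return traffic of outbound-initiated sessions, so that traffic never hits the static entries). The `show ip access-lists` text, the interface name `Tunnel0`, and the counter values are constructed; the stanza lines are taken from the first post with its placeholders kept.

```python
import re

# Constructed sample of "show ip access-lists" output (not from the thread).
# IOS prints no "(N matches)" suffix on an entry that has never matched.
SAMPLE_SHOW_ACL = """\
Extended IP access list 125
    10 deny ip any any
Extended IP access list 130
    10 permit tcp any any eq 22 (42 matches)
    20 deny ip any any (7 matches)
"""

# Interface stanza from the first post; "interface Tunnel0" is an assumed name,
# the elided address and peer are kept as the poster's placeholders.
SAMPLE_TUNNEL_CONFIG = """\
interface Tunnel0
 description Tunnel to xxx$FW_OUTSIDE$
 ip access-group 125 in
 ip inspect DEFAULT100 out
 tunnel source FastEthernet0/1
 tunnel destination x.x.x.x
 crypto map SDM_CMAP_1
"""

ACL_HEADER = re.compile(r'^(?:Standard|Extended) IP access list (\S+)\s*$')
ACL_ENTRY = re.compile(
    r'^\s+(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$')


def parse_show_ip_access_lists(text):
    """Return {acl_name: [(seq, action, rule, matches), ...]} from show output."""
    acls = {}
    current = None
    for line in text.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        m = ACL_ENTRY.match(line)
        if m and current is not None:
            seq, action, rule, matches = m.groups()
            acls[current].append((int(seq), action, rule, int(matches or 0)))
    return acls


def parse_interface_stanza(text):
    """Pull the access-group and inspect rules (per direction) out of one interface block."""
    info = {'name': None, 'acl_in': None, 'acl_out': None,
            'inspect_in': None, 'inspect_out': None}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith('interface '):
            info['name'] = s.split(None, 1)[1]
        m = re.match(r'ip access-group (\S+) (in|out)$', s)
        if m:
            info['acl_' + m.group(2)] = m.group(1)
        m = re.match(r'ip inspect (\S+) (in|out)$', s)
        if m:
            info['inspect_' + m.group(2)] = m.group(1)
    return info


def audit_inbound_acl(iface, acls):
    """Return findings about the inbound ACL on this interface (empty list = nothing to report)."""
    findings = []
    acl = iface['acl_in']
    if acl is None:
        findings.append(f"{iface['name']}: no inbound access-group configured")
        return findings
    entries = acls.get(acl)
    if not entries:
        findings.append(f"{iface['name']}: inbound ACL {acl} is applied but has no entries "
                        "(implicit deny only)")
        return findings
    if sum(e[3] for e in entries) == 0:
        findings.append(f"{iface['name']}: inbound ACL {acl} shows 0 matches on every entry; "
                        "traffic arriving on this interface is not being evaluated by it")
    if iface['inspect_out']:
        findings.append(f"{iface['name']}: 'ip inspect {iface['inspect_out']} out' is on the same "
                        f"interface; CBAC inserts dynamic entries ahead of ACL {acl} for return "
                        "traffic of outbound-initiated sessions, so that traffic never hits the "
                        "static entries")
    return findings


if __name__ == '__main__':
    acls = parse_show_ip_access_lists(SAMPLE_SHOW_ACL)
    iface = parse_interface_stanza(SAMPLE_TUNNEL_CONFIG)
    for finding in audit_inbound_acl(iface, acls):
        print(finding)
```

Run it against real `show ip access-lists` and `show running-config interface Tunnel0` output to confirm whether the inbound ACL is actually seeing the decrypted traffic; a deny entry that never increments while the interface's input counters rise is the first thing to establish before changing the configuration.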
