Cisco Support Community


Cannot apply access-list to IPsec tunnel

I need to apply a filter to deny ftp and http over the IPsec tunnel.

Can you show me the correct configuration, because my config doesn't work.


access-list acl_out permit icmp any any
access-list 100 permit ip
access-list 110 deny tcp eq ftp-data
access-list 110 deny tcp eq ftp
access-list 110 deny tcp eq www
access-list 110 permit ip
ip address inside
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map toCastel 10 ipsec-isakmp
crypto map toCastel 10 match address 110
crypto map toCastel 10 set peer x.x.x.202
crypto map toCastel 10 set transform-set myset
crypto map toCastel interface outside
isakmp enable outside
isakmp key npsgeo address x.x.x.202 netmask
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000


Re: Cannot apply access-list to IPsec tunnel


The way I have set this up in the past, and the way I have had the most success, is this: I set my nonat and my match address to the same access-list (access-list 100). I would then apply the 110 access list to the inside interface.

It makes things much simpler to allow full IP over the tunnel, but only allow certain ports (ftp, www, etc.) to even get to the tunnel from the inside interface.

Hope that helps.
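An added illustration of the approach described in the reply above, written for this page in PIX 6.x syntax; it is not the poster's or the replier's own configuration. The subnets 192.168.1.0/24 (inside) and 192.168.2.0/24 (remote) are constructed placeholders, and the peer address, transform set and ISAKMP policy from the original post are assumed to stay as they are. Two points it relies on: a deny line in the crypto map match address ACL only excludes that traffic from encryption (it is sent unprotected, not dropped), which is why the filtering belongs on the inside interface instead; and once an access-group is applied inbound on inside, the ACL's implicit deny replaces the default outbound permit, so a final permit ip any any is needed to keep other traffic flowing.

```cisco
! Constructed placeholders: inside LAN 192.168.1.0/24, remote LAN 192.168.2.0/24
! (the "!" lines are comments for the reader, not PIX commands)

! One ACL defines the interesting traffic and is used both for NAT exemption
! and as the crypto map match address, so all IP between the LANs is tunnelled.
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! Filtering happens before encryption, on the inside interface. The denies are
! scoped to the remote LAN so ftp/http to any other destination is unaffected.
access-list 110 deny tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq ftp-data
access-list 110 deny tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq ftp
access-list 110 deny tcp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 eq www
! The access-group ends in an implicit deny, so everything else must be permitted explicitly.
access-list 110 permit ip any any

nat (inside) 0 access-list 100
access-group 110 in interface inside

crypto map toCastel 10 ipsec-isakmp
crypto map toCastel 10 match address 100
crypto map toCastel 10 set peer x.x.x.202
crypto map toCastel 10 set transform-set myset
crypto map toCastel interface outside
```

To confirm the behaviour, show access-list 110 displays hit counts on the deny lines as blocked ftp/http attempts arrive from inside, and show crypto ipsec sa shows that only traffic matching access-list 100 is being encrypted for the peer.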