https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3296797#M1010348 MArc, you can use the ACL manager to add rules to the Accees list once it is applied to the interface. rather than use the CLI Fri, 15 Dec 2017 12:01:03 GMT Aaron Street 2017-12-15T12:01:03Z https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3230746#M1010341 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>Can you add Access Rules to A VTI interface in ASA 9.8?&nbsp;</P> <P>&nbsp;</P> <P>I see the tunnel interface showing as up in the ASDM, and I can ping the end points from the CLI, but when I chose "Add access rule" in the ASDM&nbsp; the list of interfaces does not include my tunnel?&nbsp;</P> <P>&nbsp;</P> <P>Aaron&nbsp;</P> Fri, 21 Feb 2020 14:56:34 GMT https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3230746#M1010341 Aaron Street 2020-02-21T14:56:34Z https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3230887#M1010344 <P>You should be able to add an ACL to the VTI interface.</P> <P>You could try applying the&nbsp;ACL via CLI:</P> <P>access-group ACL-VTI-IN in interface VTI</P> <P>&nbsp;</P> <P>"• Access list can be applied on a VTI interface to control traffic through VTI."<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf</A></P> Tue, 12 Dec 2017 15:14:49 GMT https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3230887#M1010344 Bogdan Nita 2017-12-12T15:14:49Z https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3296726#M1010346 <P>Great hint, much appreciated! This works for me. After aplying&nbsp;access-group to&nbsp;VTI Interface&nbsp;via CLI and refreshing the ASDM the access-list is also displayed in the GUI and can be modified as usual. But the Interface is still not available if you want to add an new entry - you still need the CLI.</P> <P>&nbsp;</P> <P>Cheers</P> <P>Katrin</P> Fri, 15 Dec 2017 10:21:16 GMT https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3296726#M1010346 MarcBrechbuehl 2017-12-15T10:21:16Z https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3296795#M1010347 <P>Hi,&nbsp;</P> <P>&nbsp;</P> <P>I did add an ACL to the interface via the CLI, but I still can't add rules to the ACL via the access rule GUI interface? I assume this is a limitation of VTI interfaces.&nbsp;</P> <P>&nbsp;</P> <P>Seems the ASDM does not recognize VTI interfaces in this way</P> <P>&nbsp;</P> Fri, 15 Dec 2017 11:59:44 GMT https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3296795#M1010347 Aaron Street 2017-12-15T11:59:44Z https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3296797#M1010348 MArc, you can use the ACL manager to add rules to the Accees list once it is applied to the interface. rather than use the CLI Fri, 15 Dec 2017 12:01:03 GMT https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3296797#M1010348 Aaron Street 2017-12-15T12:01:03Z https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3999045#M1010349 <P>did you create your access-group?</P><P>first you want to make sure to create your ACL first, then create the access-group</P><P>creating access-group before the ACL will not work. it is part of the cisco mechanics.</P><P>there is no limitations for the VTI in terms of ACL,</P><P>&nbsp;</P><P>try this: &nbsp;</P><P>access-list <STRONG>nameif-VTI_in</STRONG> deny ip any any</P><P>access-group <STRONG>nameif-VTI_in</STRONG> in interface <STRONG>VTI-Interface</STRONG></P> Sun, 15 Dec 2019 08:57:50 GMT https://community.cisco.com/t5/network-security/asa-vti-interfaces-and-access-rules/m-p/3999045#M1010349 john.colet@intact.net 2019-12-15T08:57:50Z