Can you add Access Rules to a VTI interface in ASA 9.8?
I see the tunnel interface showing as up in the ASDM, and I can ping the end points from the CLI, but when I choose "Add access rule" in the ASDM the list of interfaces does not include my tunnel?
You should be able to add an ACL to the VTI interface.
You could try applying the ACL via CLI:
access-group ACL-VTI-IN in interface VTI
"• Access list can be applied on a VTI interface to control traffic through VTI."
Great hint, much appreciated! This works for me. After applying access-group to the VTI interface via CLI and refreshing the ASDM, the access-list is also displayed in the GUI and can be modified as usual. But the interface is still not available if you want to add a new entry - you still need the CLI.
I did add an ACL to the interface via the CLI, but I still can't add rules to the ACL via the access rule GUI interface? I assume this is a limitation of VTI interfaces.
Seems the ASDM does not recognize VTI interfaces in this way.
Did you create your access-group?
First you want to make sure to create your ACL, then create the access-group.
Creating the access-group before the ACL will not work; it is part of the Cisco mechanics.
There are no limitations for the VTI in terms of ACL:
access-list nameif-VTI_in deny ip any any
access-group nameif-VTI_in in interface VTI-Interface
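The order the last reply describes (ACL first, then access-group bound to the VTI nameif, then verification), as an added example that is not taken from the thread. The nameif `VTI`, the ACL name `VTI-IN` and the addresses are assumed values.

```cisco
! Assumed: the tunnel interface already exists and carries the nameif VTI
interface Tunnel1
 nameif VTI
!
! 1. Create the ACL first; the access-group must reference an existing ACL
access-list VTI-IN extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
access-list VTI-IN extended deny ip any any log
!
! 2. Bind it inbound using the nameif (VTI), not the physical name Tunnel1
access-group VTI-IN in interface VTI
!
! 3. Verify: per-ACE hit counts and the binding in the running config
show access-list VTI-IN
show running-config access-group
```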