cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

4347
Views
5
Helpful
5
Replies
Aaron Street
Beginner

ASA VTI interfaces and access rules

Hi, 

 

Can you add Access Rules to A VTI interface in ASA 9.8? 

 

I see the tunnel interface showing as up in the ASDM, and I can ping the end points from the CLI, but when I chose "Add access rule" in the ASDM  the list of interfaces does not include my tunnel? 

 

Aaron 

5 REPLIES 5
Bogdan Nita
Rising star

You should be able to add an ACL to the VTI interface.

You could try applying the ACL via CLI:

access-group ACL-VTI-IN in interface VTI

 

"• Access list can be applied on a VTI interface to control traffic through VTI."
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf

Great hint, much appreciated! This works for me. After aplying access-group to VTI Interface via CLI and refreshing the ASDM the access-list is also displayed in the GUI and can be modified as usual. But the Interface is still not available if you want to add an new entry - you still need the CLI.

 

Cheers

Katrin

MArc, you can use the ACL manager to add rules to the Accees list once it is applied to the interface. rather than use the CLI

Hi, 

 

I did add an ACL to the interface via the CLI, but I still can't add rules to the ACL via the access rule GUI interface? I assume this is a limitation of VTI interfaces. 

 

Seems the ASDM does not recognize VTI interfaces in this way

 

did you create your access-group?

first you want to make sure to create your ACL first, then create the access-group

creating access-group before the ACL will not work. it is part of the cisco mechanics.

there is no limitations for the VTI in terms of ACL,

 

try this:  

access-list nameif-VTI_in deny ip any any

access-group nameif-VTI_in in interface VTI-Interface