12-12-2017 04:16 AM - edited 02-21-2020 06:56 AM
Hi,
Can you add Access Rules to A VTI interface in ASA 9.8?
I see the tunnel interface showing as up in the ASDM, and I can ping the end points from the CLI, but when I chose "Add access rule" in the ASDM the list of interfaces does not include my tunnel?
Aaron
12-12-2017 07:14 AM
You should be able to add an ACL to the VTI interface.
You could try applying the ACL via CLI:
access-group ACL-VTI-IN in interface VTI
"• Access list can be applied on a VTI interface to control traffic through VTI."
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.pdf
12-15-2017 02:21 AM
Great hint, much appreciated! This works for me. After applying access-group to the VTI interface via CLI and refreshing the ASDM, the access-list is also displayed in the GUI and can be modified as usual. But the interface is still not available if you want to add a new entry - you still need the CLI.
Cheers
Katrin
12-15-2017 03:59 AM - edited 12-15-2017 04:01 AM
Hi,
I did add an ACL to the interface via the CLI, but I still can't add rules to the ACL via the access rule GUI interface? I assume this is a limitation of VTI interfaces.
Seems the ASDM does not recognize VTI interfaces in this way
12-15-2019 12:57 AM
did you create your access-group?
first you want to make sure to create your ACL first, then create the access-group
creating access-group before the ACL will not work. it is part of the cisco mechanics.
there is no limitations for the VTI in terms of ACL,
try this:
access-list nameif-VTI_in deny ip any any
access-group nameif-VTI_in in interface VTI-Interface
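The ordering described in this thread (nameif on the tunnel, ACL first, then access-group, then verify from the CLI since ASDM will not offer the VTI when adding rules), written out as one complete ASA configuration. This is an added example and is not from any poster in the thread or from the Cisco document linked above; the tunnel number, nameif, ACL name, subnets, peer address and the IPsec profile name VTI-PROFILE are constructed placeholders and the profile is assumed to already exist.

```text
! Added example, not from the thread. All names, addresses and the
! tunnel number are constructed placeholders; replace with your own.
!
! 1. The VTI must carry a nameif before an access-group can reference it.
interface Tunnel10
 nameif VTI-Interface
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! 2. Create the ACL first. Permit only what the tunnel is expected to carry;
!    the final explicit deny mirrors the implicit deny but adds logging so
!    unexpected traffic arriving through the VTI shows up in syslog.
access-list VTI-Interface_in extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
access-list VTI-Interface_in extended permit icmp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 echo
access-list VTI-Interface_in extended deny ip any any log
!
! 3. Only now bind the ACL to the VTI. Doing this before the ACL exists is
!    the failure the poster above describes.
access-group VTI-Interface_in in interface VTI-Interface
!
! 4. Verify from the CLI: per-ACE hit counts, and the binding itself.
show access-list VTI-Interface_in
show running-config access-group
```

The `show access-list` hit counts are the quickest way to confirm the ACL is actually evaluated on the VTI, since ASDM will display the list but, as noted in this thread, will not let you add rules for the tunnel interface from the GUI.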