890 Views, 0 Helpful, 1 Reply

DMVPN and inbound access-list

I was testing a DMVPN scenario with CBAC and an inbound access-list. The inbound access-list is applied on the outside physical interface. I found that I had to allow GRE traffic in the outside access-list for the DMVPN to work properly.

I am aware that routers check the input access-list twice: once before decryption and once after decryption.

But in DMVPN, Tunnel 0 terminates the IPsec connection, not the outside interface. There is no reason I should have to allow GRE on the outside interface, yet I had to. Has anyone else run into the same issue?

On the PIX you have sysopt connection permit-ipsec to suppress this behaviour (access-list checked twice) for VPN traffic. Do we have something equivalent in IOS?

1 Reply

ehirsel
Level 6

Please post the relevant parts of your config here.

Usually Tunnel 0 terminates the GRE, but not IPsec. Is the crypto map applied to Tunnel 0?

I believe that, as far as IOS is concerned, "inbound" means not only inbound on the line (traffic on the physical interface) but also inbound to the queue from any source, even a logical interface or a tunnel within the router itself.

I'll review the config and let you know what I find.
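For readers who want to see the scenario the original post describes laid out as configuration, the following is an added example written for this thread, not the poster's own config (which was never posted) and not an official Cisco reference. It shows a DMVPN hub with IPsec terminated on the tunnel via tunnel protection, CBAC inspection on the outside interface, and an inbound access-list on that interface. Everything in it is assumed for illustration: the hub address 203.0.113.1 (documentation range), the interface names, the NHRP network-id, the tunnel key, the pre-shared key placeholder and the ACL, inspect and profile names. The `permit gre` line is the entry the poster reports having to add; the example neither confirms nor explains why IOS requires it, it only shows where it sits relative to the ISAKMP, NAT-T and ESP permits that any IPsec peer needs in order to build the tunnel in the first place.

```cisco
! Added example: DMVPN hub with tunnel protection, CBAC and an inbound outside ACL.
! All names and addresses below are illustrative assumptions.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Placeholder key; DMVPN commonly uses a wildcard peer address for dynamic spokes.
crypto isakmp key REPLACE-ME address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! IPsec is attached to the tunnel, not to the physical interface (no crypto map).
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication dmvpn1
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! CBAC: inspect outbound sessions so return traffic is opened dynamically.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
!
! Inbound ACL on the outside interface.
ip access-list extended OUTSIDE-IN
 remark IKE (UDP/500) and NAT-T (UDP/4500) from spokes
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 remark Encrypted DMVPN traffic
 permit esp any host 203.0.113.1
 remark The entry the original poster found they had to add for DMVPN to come up
 permit gre any host 203.0.113.1
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT out
```

A quick way to confirm which entry is actually being matched is to watch the ACL counters (`show ip access-lists OUTSIDE-IN`) while a spoke registers: if the `permit gre` counter increments even though the tunnel is protected by IPsec, the decrypted GRE packet is being evaluated against the physical interface's inbound ACL, which is the behaviour the thread is discussing. Restricting the `any` sources to known spoke addresses, where the spokes have static public IPs, tightens the example considerably.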