cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6003
Views
0
Helpful
7
Replies

GRE/IPSEC VPN: Inbound ACL on Tunnel interface

MicronasSS
Level 1
Level 1

Hi,

I use GREinIPSec VPNs to connect office LANs to our headquater. Now I need to restrict the traffic from one of the offices and I have to do the restriction on the headquater router.

I thought the easiest way to do this is to create an ACL and put it on the Tunnel interface (ip access-group xxx in).

I tried that but the ACL didn't block anything, even it was an "deny ip any any" ACL.

What's my mistake?

7 Replies 7

spremkumar
Level 9
Level 9

hi

I fell if you can elaborate the kinda topology you have in place out there with a small schematic diagram as well as what you exactly want to do with the setup.

if you want your remote locations to talk only to the central location then you can have a static route for the central locations network pointing via the gre tunnel.

regds

MicronasSS
Level 1
Level 1

Here is a little picture about what I want to do.

Access-list did not help you say. Just to Clarify, Are you doing GRE over IPSec or IPSec over GRE ? What is the Crypto ACL ?

Correct, the ACLs do not work, even I did this:

access-list 125 deny ip any any

interface Tunnel 1

ip access-group 125 in

I secure my GRE Tunnel using IPSec (GRE over IPSec).

My Crypto ACL is:

access-list 131 permit gre host host

1) Can you enable logging on the ACL and see if the traffic is actually hitting the ACL and if so what traffic is ( use logging with permit ip any any)

2) If it doesnt work u can apply the ACL on the LAN facing interface to block.

If you can show the sample config, it may be helpful

Since the ACL on the tunnel interface doesn't seems to catch packets I use now an ACL on the internal interface.

Now everything works.

Thank you all for the help.

kndrkim01
Level 1
Level 1

Studying CCNA Security, going through IPSec tutorials now.  Yes, I know the original post is old, but someone may find this in a search like I did.

Crypto ACL outbound designates "interesting traffic" or what will be encrypted.  Non designated / denied traffic DOES NOT BLOCK traffic, it simply says what to send out non-encrypted.

Normal outbound ACL is what you will want to use to actually block "deny ip any any"