Tunnel interface ignoring inbound access-list

johan.westberg
Community Member

Hi,

I have a 7301 with IOS 12.4 with multiple IPSec/GRE tunnels. My problem is that the inbound access-list (TUNNEL) on the tunnel interface is ignored completely. Bug?

Config:

interface Tunnel0
 description IPSEC tunnel to MCTZH
 ip address 192.168.223.1 255.255.255.252
 ip access-group TUNNEL in
 ip tcp adjust-mss 1400
 tunnel source GigabitEthernet0/1
 tunnel destination 212.72.7.6
 crypto map proposal4

Brgds Johan

6 Replies

pengfang
Level 4

I guess this case is supposed to be GRE over IPSec, not IPsec over GRE. So the interesting traffic should be defined like this:

access-list 101 permit gre host x.x.x.x host y.y.y.y

and the crypto map applied to the physical interface.

Hi,

The GRE/IPSec traffic is flowing just fine, that's not the problem. My issue is that I need to control the traffic inside the tunnel. For instance, I would like to allow only smtp and www to come through.

This works fine on other IOS versions on other routers, but not on this brand new 7301. An earlier case (CSCeb47225) showing the same symptoms has been known in previous releases.

Brgds Johan Westberg

Speaking from experience with the PIX firewall, I know that if the following command:

sysopt connection permit-ipsec

is enabled on a PIX, then it will ignore the inbound access list if the data is coming through the tunnel. I don't know if routers have this command.


hramdien
Community Member

I got the same problems on 2811 and 1712 routers.

A workaround is to put a service-policy input on the tunnel.

It's a bit of a hassle, but it works fine.

I don't know if cisco wants to solve this issue.

The config would be :

access-list 100 permit tcp any any eq smtp
!
class-map match-any xyz
 match access-group 100
!
policy-map Tunnel1_Policy
 class xyz
 ! assumed completion: the post leaves out the action for everything else;
 ! without a drop here, non-matching traffic passes through class-default
 class class-default
  drop
!
interface Tunnel1
 service-policy input Tunnel1_Policy

In IOS 12.4 Cisco changed the way IPSec tunnels work.

Before, you had to put the access list on the interface to restrict what packets came through.

Now you add an access list directly to the crypto map policy.

crypto map mymap 1 ipsec-isakmp
 set peer x.x.x.x
 ! set ip access-group requires a direction keyword (in | out)
 set ip access-group 100 in
 ! <-- Crypto security ACL
 set transform-set ESP-AES-SHA
 match address 100
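As an added example (not code from this thread or from Cisco), the audit below parses a constructed IOS-style config and flags tunnel interfaces that depend only on an inbound interface ACL, which is the symptom reported above, while recognising the two alternatives the thread describes: hramdien's `service-policy input` workaround and the `set ip access-group ... in` crypto-map method from the last reply. The config text, peer addresses, interface names and the `audit`/`TunnelFinding` names are assumptions for illustration. The check reads only references, so it tells you where an inbound ACL could be silently bypassed on an affected image, not whether your image actually is affected.

```python
"""Audit an IOS-style config for tunnel interfaces whose inbound filtering
relies only on `ip access-group <acl> in` (the situation reported above) and
report whether either alternative from the thread is present instead: an MQC
`service-policy input` on the tunnel, or `set ip access-group <acl> in` in the
crypto map the tunnel uses."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample config, not taken from the thread. Tunnel0 mirrors the
# original poster's interface; Tunnel1 carries both alternatives. ACL and
# policy-map definitions are omitted because this audit only reads references.
SAMPLE_CONFIG = """\
crypto map proposal4 1 ipsec-isakmp
 set peer 212.72.7.6
 set transform-set ESP-AES-SHA
 match address 101
!
crypto map proposal5 1 ipsec-isakmp
 set peer 198.51.100.9
 set ip access-group TUNNEL in
 set transform-set ESP-AES-SHA
 match address 102
!
interface Tunnel0
 ip address 192.168.223.1 255.255.255.252
 ip access-group TUNNEL in
 tunnel source GigabitEthernet0/1
 tunnel destination 212.72.7.6
 crypto map proposal4
!
interface Tunnel1
 ip address 192.168.223.5 255.255.255.252
 ip access-group TUNNEL in
 service-policy input Tunnel1_Policy
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.9
 crypto map proposal5
"""


def parse_blocks(config: str) -> list[tuple[str, list[str]]]:
    """Group the config into (header, [indented child lines]) pairs;
    blank lines and '!' comment lines are skipped."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def crypto_map_cleartext_acls(blocks: list[tuple[str, list[str]]]) -> dict[str, set[str]]:
    """crypto-map name -> ACLs applied with `set ip access-group <acl> in`,
    collected across every sequence-number entry of that map."""
    acls: dict[str, set[str]] = {}
    for header, body in blocks:
        m = re.match(r"crypto map (\S+) \d+ ", header)
        if not m:
            continue
        for line in body:
            s = re.match(r"set ip access-group (\S+) in$", line)
            if s:
                acls.setdefault(m.group(1), set()).add(s.group(1))
    return acls


@dataclass
class TunnelFinding:
    name: str
    inbound_acl: str | None = None      # ip access-group <acl> in
    service_policy: str | None = None   # service-policy input <policy>
    crypto_map: str | None = None       # crypto map <name> on the tunnel
    crypto_map_acl: str | None = None   # set ip access-group <acl> in, via the map

    def status(self) -> str:
        if self.service_policy or self.crypto_map_acl:
            return "filtered"
        if self.inbound_acl:
            return "acl-only"   # exactly the configuration reported in the thread
        return "unfiltered"


def audit(config: str) -> dict[str, TunnelFinding]:
    """Return one finding per Tunnel interface, keyed by interface name."""
    blocks = parse_blocks(config)
    map_acls = crypto_map_cleartext_acls(blocks)
    findings: dict[str, TunnelFinding] = {}
    for header, body in blocks:
        m = re.match(r"interface (Tunnel\d+)$", header)
        if not m:
            continue
        f = TunnelFinding(name=m.group(1))
        for line in body:
            if x := re.match(r"ip access-group (\S+) in$", line):
                f.inbound_acl = x.group(1)
            elif x := re.match(r"service-policy input (\S+)$", line):
                f.service_policy = x.group(1)
            elif x := re.match(r"crypto map (\S+)$", line):
                f.crypto_map = x.group(1)
        if f.crypto_map in map_acls:
            f.crypto_map_acl = ",".join(sorted(map_acls[f.crypto_map]))
        findings[f.name] = f
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG).values():
        print(f"{f.name}: {f.status()} (acl={f.inbound_acl}, "
              f"policy={f.service_policy}, map={f.crypto_map}, map_acl={f.crypto_map_acl})")
```

Run it against `show running-config` output saved to a file; Tunnel0 comes back as `acl-only` and Tunnel1 as `filtered`. The parser keys only on the references an interface and its crypto map make, so a renamed or missing ACL or policy-map is not detected here.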