Question : Access Lists on IPSEC VTIs (Cisco IOS)


I have converted some Crypto maps on Cisco IOS to use Tunnel interfaces. Unfortunately, I have found that traffic is not obeying the "ip access-group xxx in" command on the tunnel interface. Everything just bypasses the list. With crypto maps, I'd add this using "set ip access-group xxx in" on the map entry.

Is there somewhere else I ought to be putting the access list?

This is IOS 12.4
Code Snippet:
interface Tunnel2
 ip unnumbered Vlan1
 ip access-group 135 in
 tunnel source x.x.x.x
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUNNEL_PROFILE
 
Extended IP access list 135
    10 permit tcp any any established
    20 permit icmp any any echo-reply
    30 deny ip any any log

Answer : Access Lists on IPSEC VTIs (Cisco IOS)

Aha, found it. I hope this helps someone else:

It looks like it affects all Cisco IOS Devices running 12.4 up until the very latest releases. It seems that when I first noticed this issue, there was not yet a fix out.
CSCsx45923 Bug Details
 
VTI ACL on tunnel interface is bypassed
Symptoms: On a router that has a Virtual Tunnel Interface (VTI) IPSEC
configuration, an access control list (ACL) may be bypassed when there is an
ACL on the tunnel interface. This happens only in the case where the physical
interface (facing the IPSec peer) also has an ACL.
 
Conditions: This symptom is observed when there is an ACL configured on the
physical interface (facing the IPSec peer).
 
Workaround: Apply the ACL on the protected LAN interface in the outbound
direction instead of on the tunnel interface.
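As an added example (not part of the original post or of Cisco's bug report), the following Python script audits a saved IOS configuration for the two conditions CSCsx45923 names: an IPsec VTI with an inbound ACL whose tunnel source interface also carries an ACL. The sample configuration is constructed, with documentation-range addresses standing in for the x.x.x.x / y.y.y.y in the question.

```python
import re

# Constructed sample IOS config (not from the original post): the VTI carries an
# inbound ACL and its tunnel source interface also carries an inbound ACL.
SAMPLE_CONFIG = """
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip access-group 100 in
!
interface Tunnel2
 ip unnumbered Vlan1
 ip access-group 135 in
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUNNEL_PROFILE
"""

def parse_interfaces(config):
    """Group the indented lines of each 'interface X' block under its name."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or any unindented line ends the block
    return interfaces

def find_bypassed_vti_acls(config):
    """Return IPsec VTIs matching the CSCsx45923 conditions: an inbound ACL on
    the tunnel plus an ACL on the physical interface that is the tunnel source."""
    interfaces = parse_interfaces(config)
    # Map configured IP address -> interface, to resolve a tunnel source address.
    addr_to_if = {l.split()[2]: name for name, lines in interfaces.items()
                  for l in lines if l.startswith("ip address ")}
    hits = []
    for name, lines in interfaces.items():
        if not (any(l.startswith("tunnel protection ipsec") for l in lines)
                and any(re.match(r"ip access-group \S+ in", l) for l in lines)):
            continue
        src = next((l.split()[2] for l in lines if l.startswith("tunnel source ")), None)
        phys = addr_to_if.get(src, src)  # source may already be an interface name
        if phys in interfaces and any(l.startswith("ip access-group") for l in interfaces[phys]):
            hits.append(name)
    return hits
```

Any tunnel the script reports is one whose inbound ACL cannot be relied on until the IOS fix is installed or the ACL is moved to the protected LAN interface outbound, as the workaround describes.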