- GRE traffic over PIX IPSEC VPN
- Dimitri Petrovich
June 7, 2005, 12:55 am
I am testing an IPSEC VPN site to site on PIX 515 6.3(4).
Behind each PIX, I've got a router having all the routes to the inside
I need to have GRE traffic to get into the VPN. So, to achieve it, I've got
the networks where the GRE traffic to come from in my no-nat access-list and
for the ACL for VPN, I've got something like "access-list 4VPN permit ip any
It looks like the GRE traffic does not get through.
1. GRE traffic, it has an IP header? Is this a tcp data flow? Or what?
2. Can PIX manage to VPN GRE TRAFFIC or do I need to specify permit gre any any
in my ACL? Is GRE part of the generic "IP" statement in a PIX ACL for VPN?
Thank you very much,
Re: GRE traffic over PIX IPSEC VPN
:1. GRE traffic, it has an IP header?
Yes. And your PIX 515 running 6.3(4) is only able to handle IP traffic.
[You could update to PIX 7.0 if you needed to handle non-IP traffic.]
:is this a tcp data flow? or what?
It is not a tcp data flow, nor a udp data flow, nor icmp -- it is
its own protocol at the same level as tcp and udp.
:2. Can PIX manage to VPN GRE TRAFFIC
Yes, that should be possible.
:or I need to specify permit gre any any
:in my ACL? Is GRE part of the generic "IP" statement in a PIX ACL for VPN?
GRE is part of IP and would be included if you had permit ip
Note: GRE has no "port" and therefore cannot be used with Port Address
"No one has the right to destroy another person's belief by
demanding empirical evidence." -- Ann Landers
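
The points made in the reply above, as an added example that is not part of the original posts: GRE is identified by the protocol byte of the IPv4 header (IANA number 47), a `permit ip` entry matches it while `permit tcp` does not, and it carries no port fields for port-based translation to rewrite. The packets are constructed samples, the function names are hypothetical, and the ACL check is a simplified model, not PIX behaviour.

```python
import struct

# IANA-assigned IP protocol numbers (the value in the IPv4 header's protocol byte)
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}

def build_ipv4(proto, payload, src="10.1.1.1", dst="10.2.2.2"):
    """Build a minimal IPv4 packet (checksum left at 0; constructed sample data)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, addr(src), addr(dst))
    return header + payload

def parse(packet):
    """Return (protocol number, (sport, dport) or None) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # protocol byte: what follows the IP header
    ports = None
    if proto in (PROTO["tcp"], PROTO["udp"]):
        ports = struct.unpack("!HH", packet[ihl:ihl + 4])
    return proto, ports

def acl_permits(keyword, packet):
    """Simplified model of an ACL protocol keyword with 'any any' addresses."""
    proto, _ = parse(packet)
    return keyword == "ip" or PROTO[keyword] == proto

def pat_capable(packet):
    """Port-based translation needs a port field to rewrite."""
    return parse(packet)[1] is not None

# Constructed samples: a GRE header (flags/version 0, protocol type 0x0800 = IPv4)
# and the start of a TCP header (source port 1025, destination port 80).
GRE_PKT = build_ipv4(PROTO["gre"], struct.pack("!HH", 0, 0x0800) + b"inner")
TCP_PKT = build_ipv4(PROTO["tcp"], struct.pack("!HH", 1025, 80) + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in (("GRE", GRE_PKT), ("TCP", TCP_PKT)):
        print(name, parse(pkt), "permit ip:", acl_permits("ip", pkt),
              "permit tcp:", acl_permits("tcp", pkt), "PAT:", pat_capable(pkt))
```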