GRE traffic over PIX IPSEC VPN




Hello,

I am testing an IPSEC VPN site to site on PIX 515 6.3(4)

Behind each PIX, I've got a router having all the routes to the inside
networks.

I need the GRE traffic to get into the VPN. So, to achieve it, I've got
the networks where the GRE traffic comes from in my no-nat access-list, and
for the VPN ACL I've got something like "access-list 4VPN permit ip any
any".

It looks like the GRE traffic does not get through.

Questions,

1. GRE traffic, it has an IP header? is this a tcp data flow? or what?
2. Can the PIX manage to VPN GRE traffic, or do I need to specify "permit gre any any"
in my ACL? Is GRE part of the generic "IP" statement in a PIX ACL for VPN?

Thank you very much,

Dima





Re: GRE traffic over PIX IPSEC VPN


:1. GRE traffic, it has an IP header?

Yes. And your PIX 515 running 6.3(4) is only able to handle IP traffic.
[You could update to PIX 7.0 if you needed to handle non-IP traffic.]

:is this a tcp data flow? or what?

It is not a tcp data flow, nor a udp data flow, nor icmp -- it is
its own protocol at the same level as tcp and udp.

:2. Can PIX manage to VPN GRE TRAFFIC

Yes, that should be possible.

:or I need to specify permit gre any any
:in my ACL? Is GRE part of the generic "IP" statement in a PIX ACL for VPN?

GRE is part of IP and would be included if you had "permit ip".

Note: GRE has no "port" and therefore cannot be used with Port Address
Translation (PAT).

--
   "No one has the right to destroy another person's belief by
   demanding empirical evidence."            -- Ann Landers
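The three points in the reply above (GRE sits directly on IP as protocol 47 with its own outer IP header, a "permit ip" entry therefore covers it, and it carries no port so PAT has nothing to rewrite) can be seen on the wire. The following is an added illustration, not code from the thread or from Cisco: it builds an IPv4/GRE/IPv4 packet, runs it through a toy first-match, implicit-deny ACL matcher in the style of a PIX access-list, and attempts a PAT rewrite on it. The addresses are RFC 5737 documentation ranges and the packets are constructed inline; the ACL tuple format and function names are this example's own.

```python
import struct
import ipaddress

# IANA IP protocol numbers. GRE (47) is a peer of TCP/UDP/ICMP, not a port on top of them.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47
PROTO_NAMES = {"icmp": PROTO_ICMP, "tcp": PROTO_TCP, "udp": PROTO_UDP, "gre": PROTO_GRE}


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (checksum left 0; a real stack fills it in)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )


def gre_header(proto_type=0x0800):
    """RFC 2784 GRE header: flags/version 0, inner protocol type IPv4 (0x0800).
    There is no port field anywhere in it."""
    return struct.pack("!HH", 0, proto_type)


def build_gre_packet(outer_src, outer_dst, inner_src, inner_dst, inner_payload=b""):
    """IPv4(proto 47) / GRE / IPv4 / payload, as a GRE tunnel router emits it."""
    inner = ipv4_header(inner_src, inner_dst, PROTO_ICMP, len(inner_payload)) + inner_payload
    gre = gre_header() + inner
    return ipv4_header(outer_src, outer_dst, PROTO_GRE, len(gre)) + gre


def build_udp_packet(src, dst, sport, dport, payload=b""):
    """IPv4(proto 17) / UDP / payload, for comparison: UDP has ports, GRE does not."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def parse_ipv4(pkt):
    """Outer IP header fields. A GRE packet has one, like any other IP packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "proto": proto,
        "payload": pkt[ihl:total_len],
    }


def gre_inner_ipv4(pkt):
    """Parse the IPv4 packet carried inside a basic (flags 0) GRE packet."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != PROTO_GRE:
        return None
    flags, proto_type = struct.unpack("!HH", hdr["payload"][:4])
    if flags != 0 or proto_type != 0x0800:
        return None                      # keys/checksums/sequence numbers not handled here
    return parse_ipv4(hdr["payload"][4:])


def l4_ports(pkt):
    """(src_port, dst_port) for TCP/UDP; None for port-less protocols such as GRE or ICMP."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] not in (PROTO_TCP, PROTO_UDP):
        return None
    return struct.unpack("!HH", hdr["payload"][:4])


def acl_permits(acl, pkt):
    """Toy PIX-style ACL: entries are (action, proto, src_net, dst_net), first match
    wins, implicit deny at the end. 'ip' matches every IP protocol number, so it
    covers GRE. Matching is done on the OUTER header, i.e. the tunnel endpoints."""
    hdr = parse_ipv4(pkt)
    src, dst = ipaddress.IPv4Address(hdr["src"]), ipaddress.IPv4Address(hdr["dst"])
    for action, proto, src_net, dst_net in acl:
        proto_ok = proto == "ip" or PROTO_NAMES[proto] == hdr["proto"]
        src_ok = src_net == "any" or src in ipaddress.IPv4Network(src_net)
        dst_ok = dst_net == "any" or dst in ipaddress.IPv4Network(dst_net)
        if proto_ok and src_ok and dst_ok:
            return action == "permit"
    return False


def pat_translate(pkt, global_ip, new_port):
    """PAT rewrites the source IP *and* the source port so many inside hosts can
    share one global address. GRE has no port to rewrite, so None is returned."""
    hdr = parse_ipv4(pkt)
    if l4_ports(pkt) is None:
        return None
    l4 = bytearray(hdr["payload"])
    struct.pack_into("!H", l4, 0, new_port)   # source port is the first 16 bits of TCP and UDP
    return ipv4_header(global_ip, hdr["dst"], hdr["proto"], len(l4)) + bytes(l4)


if __name__ == "__main__":
    # Constructed sample: tunnel endpoints 192.0.2.1 -> 198.51.100.1 carrying 10.1.1.5 -> 10.2.2.7
    gre = build_gre_packet("192.0.2.1", "198.51.100.1", "10.1.1.5", "10.2.2.7", b"ping")
    vpn_acl = [("permit", "ip", "any", "any")]          # like "access-list 4VPN permit ip any any"
    print("outer proto:", parse_ipv4(gre)["proto"], "permitted:", acl_permits(vpn_acl, gre))
    print("PAT result for GRE:", pat_translate(gre, "203.0.113.1", 1024))
```

Two practical consequences follow from the matcher: an entry written for the inside networks (the inner 10.x addresses) never matches the GRE packet, because the PIX evaluates the outer header carrying the router tunnel endpoints; and because `l4_ports` returns None for protocol 47, the only translation that can carry GRE is a one-to-one (static or no-nat) mapping, never a port-based one.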

