GRE traffic over PIX IPSEC VPN

Hello,

I am testing an IPSEC VPN site to site on PIX 515 6.3(4)

Behind each PIX, I've got a router having all the routes to the inside networks.

I need to have GRE traffic to get into the VPN. So, to achieve it, I've got the networks where the GRE traffic is to come from in my no-nat access-list, and for the ACL for VPN I've got something like "access-list 4VPN permit ip any any".

It looks the GRE traffic does not get through.

Questions,

  1. GRE traffic: does it have an IP header? Is this a TCP data flow, or what?
  2. Can the PIX VPN GRE traffic, or do I need to specify "permit gre any any" in my ACL? Is GRE part of the generic "IP" statement in a PIX ACL for VPN?

Thank you very much,

Dima

Dimitri Petrovich

In article , Dimitri Petrovich wrote:
:1. GRE traffic, it has an IP header?

Yes. And your PIX 515 running 6.3(4) is only able to handle IP traffic. [You could update to PIX 7.0 if you needed to handle non-IP traffic.]

:is this a tcp data flow? or what?

It is not a tcp data flow, nor a udp data flow, nor icmp -- it is its own protocol at the same level as tcp and udp.

:2. Can PIX manage to VPN GRE TRAFFIC

Yes, that should be possible.

:or I need to specify permit gre any any
:in my ACL? Is GRE part of the generic "IP" statement in a PIX ACL for VPN?

GRE is part of IP and would be included if you had permit ip.

Note: GRE has no "port" and therefore cannot be used with Port Address Translation (PAT).

Walter Roberson
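To put the two answers above into concrete PIX 6.3 syntax, here is an added example configuration for one side of the tunnel. It is not the poster's configuration or anything from the thread: the networks (10.1.1.0/24 local, 10.2.2.0/24 remote), the router tunnel endpoints (10.1.1.1 and 10.2.2.1), the peer address 203.0.113.2, and the names NONAT, VPNMAP and ESP-AES-SHA are all hypothetical; only the ACL name 4VPN comes from the original post.

```text
! Added example, not the poster's config. All addresses are hypothetical
! (RFC 5737 / RFC 1918 ranges). PIX 6.3 syntax, one side of the tunnel.
!
! 1. Crypto ACL. "permit ip" already matches GRE (IP protocol 47), so a
!    single line selects both the GRE packets and everything else between
!    the two networks. It is narrowed to the two sites instead of any/any.
access-list 4VPN permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! 2. NAT exemption for the same networks. GRE carries no port numbers, so
!    it cannot be PAT'd; the GRE endpoints must be exempted from NAT.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 3. Only if the crypto ACL were written protocol by protocol (tcp, udp,
!    icmp lines) rather than "permit ip" would GRE need its own line,
!    e.g. for the two router tunnel endpoints:
! access-list 4VPN permit gre host 10.1.1.1 host 10.2.2.1
!
! 4. Let decrypted traffic bypass the outside interface ACL and bind the
!    crypto ACL to the crypto map.
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address 4VPN
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set ESP-AES-SHA
crypto map VPNMAP interface outside
!
! 5. IKE phase 1 (pre-shared key shown as a placeholder).
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 203.0.113.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!
! Checks: "show access-list 4VPN" should show hitcnt climbing while GRE
! flows, and "show crypto ipsec sa" should show #pkts encaps/decaps
! incrementing for the 10.1.1.0/24 <-> 10.2.2.0/24 proxy identities. A
! climbing hitcnt with zero encaps points at NAT (the PAT problem in the
! note above); zero hitcnt points at routing or the ACL itself.
```

The other PIX mirrors this with the source and destination networks swapped and the peer address of this side. The two "show" commands are the quickest way to tell whether GRE is being dropped before the tunnel (no ACL hits), translated away by PAT (hits but no encaps), or encrypted as intended.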
