In article , Dimitri Petrovich wrote:
:1. GRE traffic, it has an IP header?
Yes. And your PIX 515 running 6.3(4) is only able to handle IP traffic. [You could update to PIX 7.0 if you needed to handle non-IP traffic.]
:is this a tcp data flow? or what?
It is not a tcp data flow, nor a udp data flow, nor icmp -- it is its own protocol at the same level as tcp and udp.
:2. Can PIX manage to VPN GRE TRAFFIC
Yes, that should be possible.
:or I need to specify permit gre any any
:in my ACL? Is GRE part of the generic "IP" statement in a PIX ACL for VPN?
GRE is part of IP and would be included if you had permit ip
Note: GRE has no "port" and therefore cannot be used with Port Address Translation (PAT).
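
The points in the reply above (GRE is its own IP protocol, a generic "ip" rule covers it, and it has no ports for PAT to rewrite), as an added Python example that is not part of the original post. The addresses, packets and function names are constructed for illustration, and acl_matches is a simplified model of protocol matching, not PIX code.

```python
import struct

# IANA protocol numbers carried in the IPv4 header's Protocol field.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47}
NAMES = {num: name for name, num in PROTO.items()}

def build_ipv4(proto, payload, src=b"\xc0\x00\x02\x01", dst=b"\xc6\x33\x64\x02"):
    """Constructed IPv4 packet (documentation addresses, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, src, dst)
    return hdr + payload

def ip_protocol(packet):
    """Validate the IPv4 header; return (protocol number, header length)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    return packet[9], ihl

def acl_matches(rule_proto, packet):
    """Simplified model: 'ip' matches every IP protocol, anything else one."""
    proto, _ = ip_protocol(packet)
    return rule_proto == "ip" or PROTO[rule_proto] == proto

def pat_key(packet):
    """Return (name, sport, dport); ports are None when the protocol has
    no port fields, so a port translator has nothing to rewrite."""
    proto, ihl = ip_protocol(packet)
    name = NAMES.get(proto, str(proto))
    l4 = packet[ihl:]
    if proto in (PROTO["tcp"], PROTO["udp"]) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return name, sport, dport
    return name, None, None

# Constructed samples. The GRE header begins with flags/version and the
# encapsulated protocol type (0x0800 = IPv4); those bytes are not ports.
GRE_PKT = build_ipv4(PROTO["gre"], struct.pack("!HH", 0x0000, 0x0800) + b"inner")
TCP_PKT = build_ipv4(PROTO["tcp"], struct.pack("!HH", 40000, 443) + bytes(16))

if __name__ == "__main__":
    for pkt in (GRE_PKT, TCP_PKT):
        print(pat_key(pkt), "permit ip:", acl_matches("ip", pkt),
              "permit tcp:", acl_matches("tcp", pkt))
```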