GRE traffic over PIX IPSEC VPN

Discussion in 'Cisco' started by Dimitri Petrovich, Jun 6, 2005.

  1. Hello,

    I am testing a site-to-site IPSEC VPN on PIX 515 6.3(4).

    Behind each PIX, I've got a router having all the routes to the inside
    networks.

    I need to get GRE traffic into the VPN. To achieve this, I've put the
    networks the GRE traffic comes from in my no-nat access-list, and for the
    VPN ACL I've got something like "access-list 4VPN permit ip any any".

    It looks like the GRE traffic does not get through.

    Questions,

    1. GRE traffic, does it have an IP header? Is this a tcp data flow? Or what?
    2. Can PIX manage to VPN GRE traffic, or do I need to specify permit gre any any
    in my ACL? Is GRE part of the generic "IP" statement in a PIX ACL for VPN?

    Thank you very much,

    Dima
    Dimitri Petrovich, Jun 6, 2005
    #1

  2. In article <>,
    Dimitri Petrovich <> wrote:
    :1. GRE traffic, it has an IP header?

    Yes. And your PIX 515 running 6.3(4) is only able to handle IP traffic.
    [You could update to PIX 7.0 if you needed to handle non-IP traffic.]

    :is this a tcp data flow? or what?

    It is not a tcp data flow, nor a udp data flow, nor icmp -- it is
    its own protocol at the same level as tcp and udp.

    :2. Can PIX manage to VPN GRE TRAFFIC

    Yes, that should be possible.

    :or I need to specify permit gre any any
    :in my ACL? Is GRE part of the generic "IP" statement in a PIX ACL for VPN?

    GRE is part of IP and would be included if you had permit ip

    Note: GRE has no "port" and therefore cannot be used with Port Address
    Translation (PAT).

    --
    "No one has the right to destroy another person's belief by
    demanding empirical evidence." -- Ann Landers
    Walter Roberson, Jun 6, 2005
    #2
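
Added example, not part of either post: a small Python model of the points in the reply above. GRE is carried directly in IP as protocol number 47, so a `permit ip` ACL entry covers it while a `permit tcp` entry does not, and a GRE packet has no port fields for PAT to rewrite. The packets are constructed samples, and `acl_matches` is a simplified, hypothetical stand-in for the protocol keyword of an ACL entry, not PIX code.

```python
import socket
import struct

# IANA IP protocol numbers, i.e. the value of the IPv4 header's Protocol field
PROTO = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre"}
HAS_PORTS = {"tcp", "udp"}  # only these carry source/destination ports


def build_ipv4(proto, payload, src="10.1.1.1", dst="10.2.2.2"):
    """Constructed sample: minimal 20-byte IPv4 header (checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def classify(packet):
    """Return (protocol name, (sport, dport) or None) for a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4                # header length in bytes
    name = PROTO.get(packet[9], str(packet[9]))  # byte 9 = Protocol field
    ports = struct.unpack("!HH", packet[ihl:ihl + 4]) if name in HAS_PORTS else None
    return name, ports


def acl_matches(acl_proto, packet):
    """Simplified model of 'permit <proto> any any': 'ip' matches every IP protocol."""
    return acl_proto == "ip" or acl_proto == classify(packet)[0]


def has_ports(packet):
    """PAT multiplexes hosts by rewriting a port, so it needs a protocol that has one."""
    return classify(packet)[1] is not None


# Constructed samples: a GRE header (no flags, inner protocol IPv4) and a TCP SYN
GRE_PKT = build_ipv4(47, struct.pack("!HH", 0x0000, 0x0800) + b"inner-packet")
TCP_PKT = build_ipv4(6, struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 0x50, 0x02, 8192, 0, 0))

if __name__ == "__main__":
    for label, pkt in (("GRE", GRE_PKT), ("TCP", TCP_PKT)):
        print(label, classify(pkt),
              {kw: acl_matches(kw, pkt) for kw in ("ip", "tcp", "gre")},
              "ports for PAT:", has_ports(pkt))
```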