GRE over VPN thru pix

Unanswered Question
Jul 8th, 2007

Hi all,

I am trying to make a GRE tunnel thru an existing VPN tunnel, but the endpoint has an (old) PIX as perimeter device, so that can't be the GRE termination point (OS upgrade not possible). The VPN does terminate at the PIX, but now I want the two 2600 routers to make the GRE tunnel thru the VPN, since both 2600s support GRE. I am a bit confused about the configuration with this setup; maybe you guys have an idea...?

Thanks in advance.

P.S. Check the attachment for the topology.

Jon Marshall Mon, 07/09/2007 - 01:41


This shouldn't be a problem. You will need to ensure that the tunnel source and tunnel destination IPs are included in the crypto map access-lists on both ends of the VPN and that you allow GRE (port 47) through your PIX to get to the 2600 router.

Is there anything in particular that is confusing ?

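Added example (not from the thread, the attachment, or Cisco documentation) of the setup the question describes, with the PIX still terminating IPsec and the 2600 behind it terminating only GRE. Every address, name and key is an assumed value: Router A is the remote 2600 at 192.0.2.1 with LAN 10.10.0.0/24 and ISP next hop 192.0.2.254; the PIX has outside 198.51.100.1 and inside 10.1.1.1; Router B is the inside 2600 at 10.1.1.2 with LAN 10.20.0.0/24; the tunnel uses 172.16.0.0/30. Because Router A's tunnel destination is Router B's private address, that /32 appears in the crypto ACLs on both sides and is exempted from NAT on the PIX. GRE is IP protocol 47, not a TCP/UDP port, so the PIX entries use the protocol keyword `gre` (or `47`). PIX commands are in 6.x syntax.

```cisco
! ---------- Router A: remote 2600, terminates IPsec (peer = PIX) and GRE ----------
! (addresses and the pre-shared key are assumed values for this example)
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLEKEY address 198.51.100.1
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Crypto ACL: only GRE between the two tunnel endpoints.
! The destination is Router B's PRIVATE address behind the PIX.
access-list 110 permit gre host 192.0.2.1 host 10.1.1.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 110
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN
!
interface Tunnel2
 ip address 172.16.0.1 255.255.255.252
! leave room for the GRE (24 B) and ESP overhead
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 10.1.1.2
!
! The GRE packet must leave via FastEthernet0/0 to hit the crypto map,
! so route the private endpoint /32 toward the ISP next hop.
ip route 10.1.1.2 255.255.255.255 192.0.2.254
! The remote LAN is reached through the tunnel, not through the crypto ACL.
ip route 10.20.0.0 255.255.255.0 Tunnel2

: ---------- PIX (6.x syntax): terminates IPsec, passes decrypted GRE to Router B ----------
: Mirror of Router A's crypto ACL.
access-list VPN_ACL permit gre host 10.1.1.2 host 192.0.2.1
: Exempt the tunnel traffic from PAT, or its source would become the PIX outside address.
access-list NONAT permit gre host 10.1.1.2 host 192.0.2.1
nat (inside) 0 access-list NONAT
: Let decrypted IPsec traffic bypass the outside access-list. Without this line you need
: "access-list outside_in permit gre host 192.0.2.1 host 10.1.1.2" plus its access-group.
sysopt connection permit-ipsec
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address VPN_ACL
crypto map VPN 10 set peer 192.0.2.1
crypto map VPN 10 set transform-set TS
crypto map VPN interface outside
isakmp enable outside
isakmp key EXAMPLEKEY address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! ---------- Router B: 2600 on the PIX inside subnet, terminates GRE only ----------
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
!
interface FastEthernet0/1
 description LAN behind Router B
 ip address 10.20.0.1 255.255.255.0
!
interface Tunnel2
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
!
! Router A's public address is reached through the PIX inside interface.
ip route 192.0.2.1 255.255.255.255 10.1.1.1
ip route 10.10.0.0 255.255.255.0 Tunnel2
```

To check it: on Router A, `ping 172.16.0.2 source 172.16.0.1` should bring the SA up and `show crypto ipsec sa` should show the encaps/decaps counters rising; on the PIX, `show crypto ipsec sa` should show the same SA and `show xlate` should list no translation for 10.1.1.2. Matching only `gre` between the two endpoints, rather than `ip`, keeps the crypto ACL to the one flow that belongs in it.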

Super-Node-G Mon, 07/09/2007 - 09:29

well, the thing that confuses me is this:

When configuring GRE over VPN the normal way, with two 2600 perimeter routers as the GRE and VPN termination points, the config would look like this:

interface Tunnel1
 ip address
 tunnel source FastEthernet0/0
 tunnel destination "public ip address"
 crypto map VPN

The other side will be a mirror of this config.

But in this case the other side is behind a PIX, so do I just need to configure a simple tunnel like below, where instead of the public IP of the PIX I put the private IP address of the 2600 behind the PIX as tunnel destination, and put the and in the crypto map access-list already created for the already made VPN tunnel...?

interface Tunnel2
 ip address
 tunnel source FastEthernet0/0
 tunnel destination "private ip address of 2600"

I am a bit confused about what the config looks like on both sides, since the 2600 behind the PIX doesn't handle the VPN but it does handle the GRE tunnel.

P.S. I never worked with GRE before, so please excuse me if my questions seem stupid.

jpaulhamus Mon, 07/09/2007 - 16:05

Creating a static to the 2600 (outside interface) from the PIX is what you will need to do. As the inside of the 2600 would be on the same network as the inside of the PIX, and the PIX only has 2 interfaces, trunk the PIX to a switch and use subinterfaces for the inside.1 and inside.2 addresses, creating a "tunnel-DMZ". Create the static from the PIX to the outside interface on the router, thus giving you a publicly accessible address to create the tunnel to. Have a look at the attachment; this would be the router behind the PIX. The far side is a bit different, as you have NAT on that router; you'll need a route-map in your NAT statement.

jpaulhamus Mon, 07/09/2007 - 16:15

I should have mentioned first, instead of having the PIX terminate the VPN, let the 2600 router behind it terminate the VPN.
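
Added example (not the attachment from the reply above, which is not reproduced on this page, and not Cisco documentation) of the alternative the two replies describe: the PIX gets a new "tunnel DMZ" VLAN and a 1:1 static to the 2600's outside interface, and the 2600 behind the PIX terminates both IPsec and GRE. Assumed values: PIX 6.3 logical-VLAN syntax on ethernet1, mapped public address 198.51.100.5 from the PIX outside block, tunnel DMZ 10.2.2.0/24 with the router at 10.2.2.2 and the PIX at 10.2.2.1, the PIX inside LAN 10.1.1.0/24 shared with the router's inside interface 10.1.1.2, Router A unchanged at 192.0.2.1 with a PAT'd LAN 10.10.0.0/24, tunnel 172.16.0.0/30, and remote LAN 10.20.0.0/24.

```cisco
: ---------- PIX (6.3 logical-interface syntax assumed) ----------
: ethernet1 becomes an 802.1q trunk: VLAN 1 stays "inside", VLAN 10 is the tunnel DMZ.
interface ethernet1 100full
interface ethernet1 vlan1 physical
interface ethernet1 vlan10 logical
nameif vlan10 tunneldmz security50
ip address tunneldmz 10.2.2.1 255.255.255.0
: A 1:1 static, not PAT: ESP has no ports, so the router needs a public address of its own.
static (tunneldmz,outside) 198.51.100.5 10.2.2.2 netmask 255.255.255.255
: Only IKE and ESP from the remote router may reach the mapped address.
: UDP/4500 matters only if both routers support NAT-T and switch to it after detecting the static NAT.
access-list outside_in permit udp host 192.0.2.1 host 198.51.100.5 eq isakmp
access-list outside_in permit udp host 192.0.2.1 host 198.51.100.5 eq 4500
access-list outside_in permit esp host 192.0.2.1 host 198.51.100.5
access-group outside_in in interface outside
: The PIX no longer terminates this VPN, so its crypto map and isakmp entries for this peer go away.

! ---------- Router B: 2600 behind the PIX, now terminates IPsec AND GRE ----------
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLEKEY address 192.0.2.1
crypto ipsec transform-set TS esp-3des esp-sha-hmac
! The crypto ACL uses the router's real (pre-NAT) address; Router A's mirror uses 198.51.100.5.
access-list 110 permit gre host 10.2.2.2 host 192.0.2.1
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address 110
!
interface FastEthernet0/0
 description outside, in the PIX tunneldmz VLAN
 ip address 10.2.2.2 255.255.255.0
 crypto map VPN
!
interface FastEthernet0/1
 description inside LAN, shared with the PIX inside interface
 ip address 10.1.1.2 255.255.255.0
!
interface Tunnel2
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
! IOS releases before 12.2(13)T also need "crypto map VPN" on the tunnel interface;
! later releases encrypt the GRE packets with the map on FastEthernet0/0 alone.
!
ip route 0.0.0.0 0.0.0.0 10.2.2.1
ip route 10.10.0.0 255.255.255.0 Tunnel2

! ---------- Router A: only the lines that change ----------
crypto isakmp key EXAMPLEKEY address 198.51.100.5
no access-list 110
access-list 110 permit gre host 192.0.2.1 host 198.51.100.5
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.5
interface Tunnel2
 tunnel destination 198.51.100.5
!
! NAT through a route-map, as the reply suggests: the deny entry keeps traffic
! for the remote LAN out of the overload translation.
access-list 120 deny   ip 10.10.0.0 0.0.0.255 10.20.0.0 0.0.0.255
access-list 120 permit ip 10.10.0.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 120
interface FastEthernet0/1
 ip nat inside
interface FastEthernet0/0
 ip nat outside
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
```

Two things to check after pasting this: `show crypto isakmp sa` on Router B should show the peer 192.0.2.1 in QM_IDLE, and hosts on 10.1.1.0/24 whose default gateway is the PIX need a route for 10.10.0.0/24 pointing at 10.1.1.2, because a PIX 6.x will not send traffic back out the interface it arrived on.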

Super-Node-G Mon, 07/09/2007 - 18:51

Thanks for the config, jpaulhamus. Only, will this still be possible if the PIX remains the VPN termination point..? That's the part that confuses me =P

Thanks in advance.

