GRE tunnel over IPSEC

Unanswered Question
Jul 11th, 2007

Hi all,

The scenario is:

I am trying to establish a connection to the remote network by terminating a GRE tunnel on my internal router, a Cisco 6000, and terminating IPSec on my PIX firewall (Fig. 2). How can I direct my workstations to go through the GRE tunnel and redirect the traffic to my PIX to enclose the GRE traffic in an IPSec tunnel? I also want to keep the way they connect to the Internet as normal. The requirement is that I should do NAT on my Cisco 6006 before I redirect the traffic to the PIX firewall. In my normal scenario all data traffic is sent to the PIX firewall, then the PIX does NAT before sending the traffic to the Internet (Fig. 1), but in this case I have to do NAT on my Cisco 6000 before sending it through the GRE tunnel and then to my PIX firewall. Please refer to the attached file for the network diagram. I apologize for my poor English and I appreciate any help.


Ahmede Thu, 07/12/2007 - 05:32

For the traffic to be sent via the GRE, use a static route on the 6006 and the next hop is the GRE remote IP address. Same on the internal router.

For the IPSec, use the domain to be the GRE source and destination address.


Edison Ortiz Thu, 07/12/2007 - 06:22

The configuration at the 6006 device will remain the same as far as routing. The PIX remains the default route.

At the PIX, you need to add a route for the remote network with next hop being the remote link of the GRE. You need to do the same at the other end. Your 'route inside' at the PIX will point to the NAT address in the 6006 device and you will have two 'route outside'. One 'route outside' will be for the remote network and the second one will be the default route (route outside x.x.x.x).
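
A configuration sketch of the approach suggested in the replies above, added here as an example and not posted by any participant in the thread: a static route sends remote-LAN traffic into the GRE tunnel on the 6006 after NAT, and the PIX encrypts only GRE between the two tunnel endpoints. All addresses, interface and ACL names and the key placeholder are constructed, and PIX 6.3-style syntax is assumed.

```cisco
! ---- Cisco 6006 (IOS); all addresses are constructed ----
interface Vlan10
 description workstation LAN
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
!
interface Tunnel0
 description GRE to remote router
 ip address 172.16.0.1 255.255.255.252
 ip nat outside
 ! 10.1.1.2 is assumed to be the 6006 interface facing the PIX inside
 tunnel source 10.1.1.2
 tunnel destination 10.2.2.2
!
! NAT workstation traffic only when it leaves through the tunnel
access-list 10 permit 10.1.10.0 0.0.0.255
ip nat inside source list 10 interface Tunnel0 overload
!
! Remote LAN goes via the far end of the tunnel; Internet traffic
! keeps following the default route to the PIX and is NATed there
ip route 10.20.0.0 255.255.0.0 172.16.0.2
ip route 0.0.0.0 0.0.0.0 10.1.1.1

: ---- PIX (6.3-style syntax assumed); all addresses are constructed ----
: Crypto domain: GRE between the two tunnel endpoints, nothing else
access-list GRE-VPN permit gre host 10.1.1.2 host 10.2.2.2
: Exempt the tunnel endpoints from translation on the PIX
access-list NONAT permit ip host 10.1.1.2 host 10.2.2.2
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1
crypto ipsec transform-set GRE-TS esp-aes-256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address GRE-VPN
crypto map VPN 10 set peer 203.0.113.1
crypto map VPN 10 set transform-set GRE-TS
crypto map VPN interface outside
isakmp enable outside
isakmp key <PRESHARED-KEY> address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
sysopt connection permit-ipsec
```

Because the crypto ACL matches only protocol GRE between the two hosts, ordinary Internet traffic from the workstations never enters the IPSec tunnel; the remote end needs the mirror-image ACL and routes.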


