ASA SW ver 8.0 doesn't allow creating a GRE NONAT access list

Sep 20th, 2007

I've upgraded to ASA 8.0 SW and now can't create a GRE tunnel from the inside VPN Rtr to the other branch's inside Rtr.

Scheme: RTR===ASA80-----{Internet}-----ASA80===RTR

Writing NONAT and CRYPTO access-lists with GRE conditions is possible: that's OK!

But applying the cmd:

#nat (inside) 0 access-list NONAT

results in the "ERROR: access-list has protocol or port" msg.

I attempted to downgrade to 7.x SW, but the ERROR msg is repeated.

How can I create a GRE-IPSEC tunnel between two branch routers over an ASA-to-ASA crypto tunnel?


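The error text in the question points at the ACL contents: the list bound with `nat (inside) 0 access-list` for NAT exemption is matched on addresses only, so an ACE that names a protocol such as `gre`, or a port, is refused. The following is an added example, not configuration from the thread; the addresses and the `OUTSIDE_MAP` crypto map name and sequence number are assumptions constructed for illustration.

```cisco
! Constructed addressing (assumption): 10.1.1.0/24 is behind the local ASA,
! 10.2.2.0/24 is behind the remote ASA; the branch routers that terminate
! GRE are 10.1.1.1 and 10.2.2.1.

! Refused: the ACL used for NAT exemption contains a protocol-specific ACE.
access-list NONAT extended permit gre host 10.1.1.1 host 10.2.2.1
nat (inside) 0 access-list NONAT
! ERROR: access-list has protocol or port

! Accepted: the NAT exemption ACL matches on ip only (no protocol, no ports).
no access-list NONAT extended permit gre host 10.1.1.1 host 10.2.2.1
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! The crypto ACL is a separate list and can stay GRE-specific, so only the
! router-to-router GRE traffic is selected for the ASA-to-ASA tunnel.
! OUTSIDE_MAP and sequence 10 are hypothetical names for this example.
access-list CRYPTO extended permit gre host 10.1.1.1 host 10.2.2.1
crypto map OUTSIDE_MAP 10 match address CRYPTO

! The remote ASA needs the mirror image of both ACLs (source and
! destination swapped).
```

Keeping the NAT exemption ACL as narrow as the address plan allows limits how much inside traffic leaves the firewall untranslated.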
umedryk Wed, 09/26/2007 - 13:43

Generic routing encapsulation (GRE) tunneling is a more appropriate choice. In this example, the Cisco 2621 and 3660 routers are the IPsec tunnel endpoints that join two private networks, with conduits or access control lists (ACLs) on the PIX in between in order to allow the IPsec traffic. For configuration refer to

korolenko Wed, 09/26/2007 - 22:42

I use GRE-NHRP-IPSEC tunnels between routers in some branches and the Head office by the scheme of DMVPN (dynamic point-to-multipoint VPN across IPSec crypto).

But I need to empower security across the Internet with an ASA5510 for the center and 5505 for the branches.

The connection scheme of the ASA devices is point-to-multipoint too.

And I upgraded the ASA SW image to Ver 8.0.2 for EIGRP support etc.

But unfortunately this SW ver is faulty and doesn't allow the use of point-to-multipoint Site-to-Site connections.

Now I DOWNgraded the ASA images from Ver 8.0.2 to Ver 7.2.2 (default) and ALL IS WORKING FINE!!!!

