GRE on ASA 5510

Dec 25th, 2007

Hi to all,

I am trying to create GRE tunnels over IPSec using an ASA 5510. Before our company purchased the appliance, we were told that the 5510 does support GRE and that it can be configured to create the tunnel. I have been searching around the net for information on how to create the tunnels, but so far not much information has been gathered. Does anyone know whether the 5510 does indeed support GRE/IPSEC tunnels, and whether any resources are available on how to configure them?

Thanks a lot in advance and Happy Holidays!!


JORGE RODRIGUEZ Tue, 12/25/2007 - 09:28

Tan, PIX/ASA does support GRE, but as a pass-through; as of today I am not aware that you can terminate a GRE tunnel on PIX/ASA. The solution would probably be to terminate the tunnel on a Cisco device other than the ASA but let GRE pass through. You could also consider an L2L VPN.



tanziweigca Thu, 12/27/2007 - 04:55

Hello Jorge,

Thanks for the information.

So I presumed that ASA 5510 cannot support GRE exactly as a termination endpoint. Rather, it can only allow pass through, NOT creating/generating tunnels from the device directly?



JORGE RODRIGUEZ Thu, 12/27/2007 - 05:32

Tan, that is correct: you cannot terminate a GRE tunnel on either PIX or ASA.



fropert Tue, 01/01/2008 - 04:43


Jorge is right. The ASA can't terminate a GRE tunnel.

Here's an example configuration to make your ASA pass a GRE tunnel through, in the case where you have an ISR router (or other...) which sits behind an ASA:

access-list outside_access_in line 13 extended permit gre

Replace with something more specific to your network if you are concerned with this issue.

Happy new year
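
The advice above to narrow the GRE permit to your own network can be checked mechanically. The following Python script is an added example, not part of any post in this thread: it scans ASA `access-list ... extended` lines and flags GRE, ESP or `ip` permits that are not limited to specific peers. The sample rules, the 198.51.100.x / 203.0.113.x addresses and the function names are constructed for illustration.

```python
import re

# Protocols that can carry the tunnel through the firewall: GRE (IP protocol 47),
# ESP (50) when GRE is wrapped in IPsec, and "ip", which matches every protocol.
TUNNEL_PROTOS = {"gre", "47", "esp", "50", "ip"}
WILDCARDS = {"any", "any4", "any6", "0.0.0.0 0.0.0.0"}

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s*(?P<rest>.*)$")

def take_address(tokens):
    """Consume one address spec; return (spec or None, remaining tokens)."""
    if tokens and tokens[0] in WILDCARDS:
        return tokens[0], tokens[1:]
    if len(tokens) < 2:
        return None, []
    # "host A", "object-group NAME" or "ADDRESS MASK": two tokens each
    return " ".join(tokens[:2]), tokens[2:]

def audit(config_text):
    """Return (line number, ACL name, reason) for each risky tunnel permit."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = ACL_RE.match(raw.strip())
        if not m or m["action"] != "permit":
            continue
        if m["proto"].lower() not in TUNNEL_PROTOS:
            continue
        src, rest = take_address(m["rest"].split())
        dst, _ = take_address(rest)
        if src is None or dst is None:
            findings.append((lineno, m["name"], "no source/destination given"))
        elif src in WILDCARDS or dst in WILDCARDS:
            findings.append((lineno, m["name"],
                             f"{m['proto']} {src} -> {dst} is not peer-specific"))
    return findings

# Constructed sample rules; addresses come from the RFC 5737 documentation ranges.
SAMPLE = """\
access-list outside_access_in line 13 extended permit gre
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre host 198.51.100.10 host 203.0.113.20
access-list outside_access_in extended permit esp 0.0.0.0 0.0.0.0 host 203.0.113.20
access-list outside_access_in extended permit tcp any host 203.0.113.30 eq 443
access-list outside_access_in extended deny gre any any
"""

if __name__ == "__main__":
    for lineno, name, reason in audit(SAMPLE):
        print(f"line {lineno} [{name}]: {reason}")
```

When GRE is carried inside IPsec, the ASA in the path sees only the IPsec traffic, so the ESP rules are the ones that matter for that design.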

tanziweigca Tue, 01/01/2008 - 18:08

Hello Fropert,

Thanks for the reply. I am still not sure how to configure it, and perhaps you can provide some insight into it.

3800 Router <---> ASA 5510 <---> DMZ server

The setup of the infrastructure is as above, and an IPSEC/GRE tunnel needs to be established in order for the DMZ server to communicate with other machines on the Internet. I do not know how to configure the tunnel at all, and I had all along presumed that the ASA would be the termination point for the tunnel. Can you provide some insight on how to get the tunnel up and running with such a design?

Many thanks for your help and Happy New Year to you.


tanziweigca Thu, 01/03/2008 - 04:08


Thanks for all the replies so far. So far, trying to use the ASA to initiate the tunnel DOES NOT work at all. Therefore, I think I will have to change the setup. I have currently changed it to the following.

ISP <--> Cisco 3800 router <--> ASA 5510 <--> Switch <--> Server

I think the portion with the switch and server should not be an issue at all. However, if I initiate the GRE tunnel from the 3800 router, will it flow through the ASA 5510 to the server itself? I am still very unclear on this and some other areas, and any help on the matter is greatly appreciated.



Rick Morris Fri, 01/04/2008 - 08:24

You might want to look into L2TP.

This might do what you need. It can be built outside of the PIX and ASA. It can be a little tricky to understand, but once you get it you will like it. We use it for high availability in our email. We have 2 front-end servers, one in our corporate office and one in our data center; no matter which server is being used, we always have connectivity, and it is done through the pseudowire in the L2TP config setup. It is a little more complex than generic routing encapsulation (GRE), but still might provide what you are looking for.

