GRE on ASA 5510

tanziweigca
Level 1

Hi to all,

I am trying to create GRE tunnels over IPsec using an ASA 5510. Before our company purchased the appliance, we were told that the 5510 does support GRE and that it can be configured to create the tunnel. I have been searching around the net for information on how to create the tunnels, but so far not much information has been gathered. Does anyone know whether the 5510 does indeed support GRE/IPsec tunnels, and whether any resources are available on how to configure them?

Thanks a lot in advance and Happy Holidays!!

Tan

8 Replies

JORGE RODRIGUEZ
Level 10

Tan, PIX/ASA does support GRE, but only as pass-through; today I am not aware that you can terminate a GRE tunnel on PIX/ASA. The solution would probably be to terminate the tunnel on another Cisco device other than the ASA but let GRE pass through; you could also consider an L2L VPN.

Rgds

Jorge

Jorge Rodriguez

Hello Jorge,

Thanks for the information.

So I presume that the ASA 5510 cannot support GRE as a termination endpoint. Rather, it can only allow pass-through, NOT creating/generating tunnels from the device directly?

Thanks,

Tan

Tan, that is correct: you cannot terminate a GRE tunnel on either PIX or ASA.

Rgds

Jorge

Jorge Rodriguez

Hello,

Jorge is right. The ASA can't terminate a GRE tunnel.

Here's an example configuration to make your ASA pass GRE through, in the case where you have an ISR router (or other...) which sits behind the ASA:

access-list outside_access_in line 13 extended permit gre 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Replace 0.0.0.0 with something more specific to your network if you are concerned about this.

Happy new year
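As an added example (not from the original reply and not a Cisco-published configuration), here is the same pass-through rule narrowed to one remote tunnel peer and one router behind the ASA, in the pre-8.3 ASA syntax of the reply above. The addresses (198.51.100.5 as the remote peer, 203.0.113.10 as the public address mapped to the router, 10.1.1.10 as the router's inside address), the interface names and the ACL name are constructed placeholders. Because the thread is about GRE over IPsec, the GRE packets normally arrive inside ESP, so the ESP and IKE entries are what actually carry the tunnel; the GRE entry only matters if the router also sends GRE unencrypted.

```cisco
access-list outside_access_in remark Constructed example: GRE/IPsec pass-through to a router behind the ASA
access-list outside_access_in remark Replace 198.51.100.5 / 203.0.113.10 / 10.1.1.10 with your own addresses

: Static one-to-one NAT so the remote peer can reach the inside router (pre-8.3 syntax)
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255

: IKE (UDP 500) and NAT-T (UDP 4500), which IKE switches to because the router is behind NAT
access-list outside_access_in extended permit udp host 198.51.100.5 host 203.0.113.10 eq isakmp
access-list outside_access_in extended permit udp host 198.51.100.5 host 203.0.113.10 eq 4500

: ESP (IP protocol 50) carrying the encrypted GRE tunnel
access-list outside_access_in extended permit esp host 198.51.100.5 host 203.0.113.10

: Plain GRE (IP protocol 47), only needed if GRE is sent outside IPsec
access-list outside_access_in extended permit gre host 198.51.100.5 host 203.0.113.10

access-group outside_access_in in interface outside
```

Compared with the any/any `permit gre` line in the reply, this limits the open protocols to one known peer and one destination, which is what "replace 0.0.0.0 with something more specific" means in practice. Lines beginning with ":" are comment lines as the ASA writes them in its saved configuration; `show access-list outside_access_in` on the ASA will show hit counts per entry, which is the quickest way to confirm which of the four protocols the tunnel is really using.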

Hello Fropert,

Thanks for the reply. I am still not sure on how to configure it and perhaps you can provide some insight to it.

3800 Router <---> ASA 5510 <---> DMZ server

The setup of the infrastructure is as above, and an IPsec/GRE tunnel needs to be established in order for the DMZ server to communicate with other machines on the Internet. I do not know how to configure the tunnel at all, and I had all along presumed that the ASA would be the termination point for the tunnel. Can you provide some insight on how to get the tunnel up and running with such a design?

Many thanks for your help and Happy New Year to you.

Tan

You can configure a site-to-site IPsec VPN between the security devices and ensure that the server traffic is part of the interesting traffic that initiates the tunnel.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

HTH

Narayan

Hi,

Thanks for all the replies so far. So far, trying to use the ASA to initiate the tunnel DOES NOT work at all. Therefore, I think I will have to change the setup. I have currently changed it to the following.

ISP <--> Cisco 3800 router <--> ASA 5510 <--> Switch <--> Server

I think the portion on the switch and server should not be an issue at all. However, if I initiate the GRE tunnel from the 3800 router, will it flow through the ASA 5510 to the server itself? I am still very unclear on this and some other areas, and any help on the matter is greatly appreciated.

Thanks,

Tan

You might want to look into L2TP.

This might do what you need. It can be built outside of the PIX and ASA. It can be a little tricky to understand, but once you get it you will like it. We use it for high availability in our email. We have two front-end servers, one in our corporate office and one in our data center; no matter which server is being used, we always have connectivity, and it is done through the pseudowire in the L2TP config set-up. It is a little more complex than generic routing (GRE), but it still might provide what you are looking for.
