GRE Tunnel configuration

Lavanholy · ‎01-07-2008

Hi,

I have to configure the GRE tunnel between Site A and Site B.

1. Site A route is connected to a Cisco PIX525 and the PIX 525 inturn connected to Internet.

2. This router serial interface is connected to Site B router through a 512 KB leased line.

3.Site B router also connected to Cisco PIX 525 firewall and the firewall is connected to Internet.

4. Both sites users are accessing internet through router and through PIX 525.

5. Both side networks are accessible through the routers using a static route.

My requirement is if the leased line between the sites are down,then the traffic between the sites has to be directed through PIX525 through internet as a redundant.

My assumption is as follows:

1. I will configure IPsec site to site between Cisco PIX 525 firewall.

2. I will configure another static route with the higher metric than the previous route that is between the serial interfaces of the routers.

3. My firewall is PIX 525 with 6.13 ios version.

4. My router is Cisco 1750

5. Help to configure the GRE tunnel and IP route .

Thanks and Regards,

royalblues · ‎01-07-2008

You cannot configure a GRE tunnel on a PIX or ASA.

Configure a site-site ipsec tunnel between the pix and allow the subnets in the crypto access-list for communication

Have a look at this link

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

HTH

Narayan

williamsdo · ‎01-07-2008

Hi, you will have to configure a VPN tunnel if you require ipsec. GRE tunnel are useful if you require routing through your tunnel because they will transmit multicast packets use to maintain routing tables. Have a look at the document below it contain a configuration for VPN tunnel on pix firewall. HTH

http://www.cisco.com/warp/public/110/38.html

Collin Clark · ‎01-07-2008

As others said, the *best* way of doing this is to use VPN between your PIX firewalls. You'll also want to upgrade your firewall OS and upgrade to the 3DES license (free). Also using two static routes will not work. A static route will never disappear from the routing table so the other route will never "take over". You will need to run a routing protocol internally then set your static route for the VPN a little higher than the IGP AD.

HTH

Lavanholy · ‎01-11-2008

Hi Mr.Ceclark,

Thanks for the guidance.

I will have IP sec VPN tunnel between two sites firewall.

My LAN router is connected to other site router by means of a leased line.It has static IP route with lower metric.

Now I will have another static route inthe same router with higher metric.

Will it work?

Please guide me.

Thanks and Regards,

S.Venkataraman.

Collin Clark · ‎01-14-2008

It will NOT work. Remember that static routes are always in the routing table. The lower metric route will never disappear and the other route will never be used!

Danilo Dy · ‎01-11-2008

Hi,

Site-A

Router-A>FW-A>Internet

Site-B

Router-B>FW-B>Internet

Between Site-A and Site-B

Router-A|LeasedLine|Router-B

Is the internet facing subnet of firewall is bigger? I'm thinking of triangular connection between router, firewall, and provider router. This way, you can run IP GRE over IPSec VPN in the router.

Regards,

Dandy