GRE inspection

Answered Question
Apr 3rd, 2010

How is packet inspection affected (if at all) on an ASA, when the packet is encapsulated with GRE?

Thank you

Jennifer Halim Sat, 04/03/2010 - 17:12

There is no inspection for GRE on ASA. The GRE packet will just be passed through the ASA.

Hope that helps.

Kureli Sankar Sat, 04/03/2010 - 20:20

Are you talking about pptp inspection?

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721656

When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic.

If you are talking about just GRE, it is IP protocol 47 and will be allowed if permitted via ACL just like any other traffic. There is no inspection specifically for it.

-KS
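To make the point above concrete, here is an added example (not from this thread, and not Cisco code) written in plain Python with only the standard library. It constructs a sample packet in which an IPv4 header carrying IP protocol 47 (GRE) wraps an inner IPv4/UDP TFTP read request to port 69, then applies a small rule list modelled on the thread ("permit GRE, deny TFTP") in two ways: first on the outer header only, which is all a 5-tuple ACL ever looks at, and then on the inner packet after stripping the GRE header, which is what a GRE-aware inspector would have to do. All addresses, ports and the rule list are constructed for the example.

```python
import struct
import ipaddress

IPPROTO_UDP = 17
IPPROTO_GRE = 47          # GRE is IP protocol 47, as noted in the thread
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, zero checksum; fine for a demo)."""
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len,
                       0x1234, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tftp_rrq(filename):
    """TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + b"octet\x00"


def build_gre_tftp(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: outer IPv4 -> GRE (no options) -> inner IPv4/UDP TFTP."""
    inner_payload = udp_datagram(40000, 69, tftp_rrq("config.txt"))
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(inner_payload)) + inner_payload
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # flags/version = 0, protocol type = IPv4
    outer_payload = gre + inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(outer_payload)) + outer_payload


def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:total]}


def flow_tuple(pkt):
    """What a stateless ACL sees: the outer IP header and, for UDP, its ports."""
    ip = parse_ipv4(pkt)
    sport = dport = None
    if ip["proto"] == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
    return (ip["proto"], ip["src"], ip["dst"], sport, dport)


# Constructed rule list mirroring the thread: deny TFTP, permit GRE, implicit deny.
ACL = [
    ("deny", IPPROTO_UDP, 69),
    ("permit", IPPROTO_GRE, None),
    ("deny", None, None),
]


def acl_decision(tup):
    proto, _, _, _, dport = tup
    for action, rproto, rport in ACL:
        if (rproto is None or rproto == proto) and (rport is None or rport == dport):
            return action
    return "deny"


def decapsulate_gre(pkt):
    """What a GRE-aware inspector would need: strip the GRE header (RFC 2784/2890
    layout: optional checksum, key and sequence fields) and return the inner IPv4
    packet, or None if this is not GRE-over-IPv4."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != IPPROTO_GRE:
        return None
    gre = ip["payload"]
    flags, ptype = struct.unpack("!HH", gre[:4])
    hdr_len = 4
    if flags & 0x8000:   # C bit: checksum + reserved1
        hdr_len += 4
    if flags & 0x2000:   # K bit: key
        hdr_len += 4
    if flags & 0x1000:   # S bit: sequence number
        hdr_len += 4
    if ptype != ETHERTYPE_IPV4:
        return None
    return gre[hdr_len:]


def compare_decisions():
    """Returns (outer-only decision, inner decision after decapsulation)."""
    pkt = build_gre_tftp("203.0.113.10", "198.51.100.20", "10.0.0.5", "10.0.1.9")
    outer = acl_decision(flow_tuple(pkt))            # sees only protocol 47
    inner = decapsulate_gre(pkt)
    inner_decision = acl_decision(flow_tuple(inner))  # sees UDP/69 inside
    return outer, inner_decision


if __name__ == "__main__":
    print(compare_decisions())   # ('permit', 'deny')
```

The outer-only path is the behaviour the thread describes: the tunnel is permitted as protocol 47 and the TFTP request inside rides through untouched. The decapsulation step is what any control would have to perform to make the TFTP rule apply to tunnelled traffic, which is the reason the answers recommend not permitting GRE through the firewall unless the tunnel endpoints themselves are trusted.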

drehobljs Sun, 04/04/2010 - 09:44

I am talking about just GRE.  For example... If I tell the ASA that I don't want specified PTP protocols passing through, but there is ptp tunneled through http, the firewall will see that (hence application layer inspection), and will drop the packet.

So.. if I permit GRE, but block, say TFTP, will the firewall drop a packet that has a GRE encapsulated TFTP request?

Correct Answer
Jon Marshall Sun, 04/04/2010 - 14:48

Jeff

No it won't because the firewall has no idea of what is encapsulated with the GRE tunnel. This is one of the main reasons it is recommended not to allow GRE tunnels through your firewall.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

drehobljs Sun, 04/04/2010 - 22:54

Thanks for the response.  Any chance this will change in the future?  Seems pretty weak to me.

Jennifer Halim Sun, 04/04/2010 - 22:57

Don't think it will change in the near future. You might want to contact your Cisco account manager for the feature request.

Kureli Sankar Sun, 04/04/2010 - 16:01

Firewall will not block TFTP if you deny TFTP when it is encapsulated within the GRE packet.  Anything within the GRE packet, the firewall will not know.

Jon has already confirmed that for you.

-KS
