04-03-2010 04:26 PM - edited 03-11-2019 10:28 AM
How is packet inspection affected (if at all) on an ASA, when the packet is encapsulated with GRE?
Thank you
04-03-2010 05:12 PM
There is no inspection for GRE on ASA. The GRE packet will just be passed through the ASA.
Hope that helps.
04-03-2010 08:20 PM
Are you talking about pptp inspection?
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721656
When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic.
If you are talking about just GRE, it is IP protocol 47 and will be allowed if permitted via ACL just like any other traffic. There is no inspection specifically for it.
-KS
04-04-2010 09:44 AM
I am talking about just GRE. For example, if I tell the ASA that I don't want specified PTP protocols passing through, but there is ptp tunneled through http, the firewall will see that (hence application layer inspection) and will drop the packet.
So, if I permit GRE but block, say, TFTP, will the firewall drop a packet that has a GRE-encapsulated TFTP request?
04-04-2010 02:48 PM
Jeff
No, it won't, because the firewall has no idea of what is encapsulated within the GRE tunnel. This is one of the main reasons it is recommended not to allow GRE tunnels through your firewall.
Jon
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
04-04-2010 10:54 PM
Thanks for the response. Any chance this will change in the future? Seems pretty weak to me.
04-04-2010 10:57 PM
Don't think it will change in the near future. You might want to contact your Cisco account manager for the feature request.
04-04-2010 04:01 PM
The firewall will not block TFTP if you deny TFTP when it is encapsulated within the GRE packet. Anything within the GRE packet, the firewall will not know.
Jon has already confirmed that for you.
-KS
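The point made in the two answers above (an ACL matches GRE as IP protocol 47 on the outer header and never sees the TFTP inside it) can be shown concretely. The following is an added example, not code from this thread or from Cisco: it builds a GRE-encapsulated TFTP read request from constructed bytes and runs it through a hypothetical toy ACL evaluator twice, once against the outer header only (how pass-through GRE is treated) and once after decapsulating the GRE payload. The ACL model (`acl_verdict`, rule tuples, implicit deny) and all addresses are assumptions for illustration, not ASA behaviour or syntax.

```python
"""
Constructed GRE-over-IPv4 packet carrying a TFTP RRQ, checked two ways:
  1. outer header only  -> what a stateless ACL sees for pass-through GRE
  2. after GRE decapsulation -> what it would take to enforce "deny TFTP"
All bytes below are built here (nothing captured from a network); the ACL
model is a hypothetical simplification, not ASA syntax.
"""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
TFTP_PORT = 69


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (fine for offline parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def gre_header(proto_type=ETHERTYPE_IPV4):
    # RFC 2784 base header: 16 bits of flags/version (all zero) + protocol type
    return struct.pack("!HH", 0, proto_type)


def tftp_rrq(filename, mode="octet"):
    # TFTP opcode 1 = read request: "filename\0mode\0"
    return struct.pack("!H", 1) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def build_gre_tftp_packet(outer_src, outer_dst, inner_src, inner_dst, filename):
    """outer IPv4(proto 47) | GRE | inner IPv4(proto 17) | UDP/69 | TFTP RRQ"""
    tftp = tftp_rrq(filename)
    udp = udp_header(40000, TFTP_PORT, len(tftp)) + tftp
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(udp)) + udp
    gre = gre_header() + inner
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre)) + gre


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])),
            pkt[9], pkt[ihl:])


def parse_gre(payload):
    """Return (protocol type, inner packet), skipping optional GRE fields if flagged."""
    flags, proto_type = struct.unpack("!HH", payload[:4])
    offset = 4
    if flags & 0x8000:  # C bit: checksum + reserved1
        offset += 4
    if flags & 0x2000:  # K bit: key (RFC 2890)
        offset += 4
    if flags & 0x1000:  # S bit: sequence number (RFC 2890)
        offset += 4
    return proto_type, payload[offset:]


# Hypothetical ACL: (action, ip protocol, destination port or None), first match wins,
# implicit deny at the end. Intent: "permit GRE, block TFTP".
ACL = [
    ("deny", IPPROTO_UDP, TFTP_PORT),
    ("permit", IPPROTO_GRE, None),
    ("permit", IPPROTO_UDP, None),
]


def acl_verdict(proto, l4, acl=ACL):
    dport = None
    if proto in (IPPROTO_UDP, 6) and len(l4) >= 4:   # UDP or TCP: dport at bytes 2..3
        dport = struct.unpack("!H", l4[2:4])[0]
    for action, rule_proto, rule_dport in acl:
        if rule_proto != proto:
            continue
        if rule_dport is not None and rule_dport != dport:
            continue
        return action
    return "deny"


def verdict_without_decapsulation(pkt, acl=ACL):
    """Outer header only: GRE is just IP protocol 47 to this check."""
    _, _, proto, payload = parse_ipv4(pkt)
    return acl_verdict(proto, payload, acl)


def verdict_with_decapsulation(pkt, acl=ACL):
    """Strip GRE first, then apply the same ACL to the inner packet."""
    _, _, proto, payload = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        return acl_verdict(proto, payload, acl)
    proto_type, inner = parse_gre(payload)
    if proto_type != ETHERTYPE_IPV4:
        return "deny"          # unknown inner protocol: fail closed (assumed policy)
    _, _, iproto, ipayload = parse_ipv4(inner)
    return acl_verdict(iproto, ipayload, acl)


if __name__ == "__main__":
    pkt = build_gre_tftp_packet("192.0.2.1", "198.51.100.1", "10.1.1.10", "10.2.2.20", "boot.cfg")
    print("outer header only :", verdict_without_decapsulation(pkt))  # permit
    print("after decapsulation:", verdict_with_decapsulation(pkt))    # deny
```

The first verdict is the thread's answer: with GRE permitted, the encapsulated TFTP request is forwarded because the only thing the ACL matches is protocol 47. The second verdict is what a device would have to do to honour the "deny TFTP" rule inside the tunnel, which is why the replies above recommend terminating GRE on the firewall's far side or not permitting it through at all.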