GRE inspection

drehobljs
Level 1

How is packet inspection affected (if at all) on an ASA, when the packet is encapsulated with GRE?

Thank you


7 Replies

Jennifer Halim
Cisco Employee

There is no inspection for GRE on ASA. The GRE packet will just be passed through the ASA.

Hope that helps.

Are you talking about pptp inspection?

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721656

When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic.

If you are talking about just GRE, it is IP protocol 47 and will be allowed if permitted via ACL just like any other traffic. There is no inspection specifically for it.

-KS

I am talking about just GRE. For example... If I tell the ASA that I don't want specified PTP protocols passing through, but there is PTP tunneled through HTTP, the firewall will see that (hence application layer inspection), and will drop the packet.

So.. if I permit GRE, but block, say TFTP, will the firewall drop a packet that has a GRE encapsulated TFTP request?

Jeff

No it won't because the firewall has no idea of what is encapsulated with the GRE tunnel. This is one of the main reasons it is recommended not to allow GRE tunnels through your firewall.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Thanks for the response. Any chance this will change in the future? Seems pretty weak to me.

Don't think it will change in the near future. You might want to contact your Cisco account manager for the feature request.

Firewall will not block TFTP if you deny TFTP when it is encapsulated within the GRE packet. Anything within the GRE packet, the firewall will not know.

Jon has already confirmed that for you.

-KS
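The point made throughout the thread (an L3/L4 ACL that permits IP protocol 47 sees only the outer GRE header, so a denied inner service such as TFTP still passes) can be shown with a few bytes of constructed packet data. The following is an added example, not code from the thread or from Cisco: it builds an IP/GRE/IP/UDP packet carrying a TFTP read request, then classifies it once the way an outer-header ACL does and once after peeling the GRE header (RFC 2784, with the optional checksum/key/sequence fields of RFC 2890 skipped). The addresses, the `acl_decision` helper and the "udp/69" service label are constructed for the demonstration.

```python
"""
Constructed example: why a firewall that matches on the outer IPv4 header sees
"protocol 47" and nothing else, and what a decapsulating inspector would see.
All packet bytes are built inline; nothing touches the network.
"""
import struct

IPPROTO_GRE = 47
IPPROTO_UDP = 17
TFTP_PORT = 69
ETHERTYPE_IPV4 = 0x0800


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left at 0 (never sent on a wire)."""
    total_len = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, total_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def udp_header(sport, dport, payload_len):
    """UDP header with zero checksum (valid for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def gre_header():
    """RFC 2784 GRE header: no C/K/S flags, protocol type IPv4."""
    return struct.pack("!HH", 0, ETHERTYPE_IPV4)


def build_tftp(src, dst, filename=b"boot.cfg"):
    """Plain IPv4/UDP packet carrying a TFTP read request (opcode 1)."""
    tftp = struct.pack("!H", 1) + filename + b"\x00" + b"octet" + b"\x00"
    return (ipv4_header(src, dst, IPPROTO_UDP, 8 + len(tftp))
            + udp_header(40000, TFTP_PORT, len(tftp)) + tftp)


def build_tftp_in_gre(tunnel_src, tunnel_dst, inner_src, inner_dst):
    """The same TFTP packet wrapped in GRE between two tunnel endpoints."""
    gre = gre_header() + build_tftp(inner_src, inner_dst)
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre)) + gre


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return proto, src, dst, pkt[ihl:]


def classify_outer(pkt):
    """What an L3/L4 ACL sees: the outer header (and L4 ports) only."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_UDP:
        _sport, dport = struct.unpack("!HH", payload[:4])
        return "udp/%d" % dport
    if proto == IPPROTO_GRE:
        return "gre"
    return "ip-proto-%d" % proto


def classify_decapsulated(pkt):
    """Peel one GRE layer (IPv4 payload) and classify the inner packet."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        return classify_outer(pkt)
    flags, ptype = struct.unpack("!HH", payload[:4])
    offset = 4
    if flags & 0x8000:   # C bit: checksum + reserved1 present
        offset += 4
    if flags & 0x2000:   # K bit (RFC 2890): key present
        offset += 4
    if flags & 0x1000:   # S bit (RFC 2890): sequence number present
        offset += 4
    if ptype != ETHERTYPE_IPV4:
        return "gre(ethertype 0x%04x)" % ptype
    return classify_outer(payload[offset:])


def acl_decision(pkt, denied_services, decapsulate=False):
    """Constructed policy check: deny if the classified service is on the list."""
    service = classify_decapsulated(pkt) if decapsulate else classify_outer(pkt)
    return ("deny" if service in denied_services else "permit", service)


if __name__ == "__main__":
    deny = {"udp/69"}  # "block TFTP"
    plain = build_tftp("10.0.0.5", "10.0.1.7")
    tunneled = build_tftp_in_gre("198.51.100.1", "203.0.113.1", "10.0.0.5", "10.0.1.7")
    print("plain TFTP, outer view     :", acl_decision(plain, deny))
    print("TFTP in GRE, outer view    :", acl_decision(tunneled, deny))
    print("TFTP in GRE, decapsulated  :", acl_decision(tunneled, deny, decapsulate=True))
```

Run as a script it prints `deny` for the plain TFTP packet, `permit` for the same request inside GRE when only the outer header is consulted, and `deny` again only when the classifier decapsulates first. That third behaviour is exactly what the thread says the ASA does not do for GRE, which is why the replies recommend either not permitting protocol 47 through the firewall or terminating the tunnel on a device that can see the inner traffic.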
