GRE Tunnel over IPsec - Design

saquib.tandel
Level 1

Hi

Earlier implementation for GRE was without ASA in front.

What is the recommended config for a GRE tunnel over IPsec with the ASA in front of VPN_RTR?

(( Internet))-----Internet_RTR-----ASA-----Core_Sw-----LAN
                                              |
                                              |
                                      VPN_RTR (Vlan 9)

Thanks

ST

4 Replies

Richard Burts
Hall of Fame

ST

The way that you have drawn the network, having the ASA in front of the VPN router does not change the design. The ASA does not support GRE tunnels, so the GRE tunnels with IPSec will still terminate on the VPN router. The GRE tunnel will pass through the ASA, so the ASA will need to have some permit rules that allow the GRE/IPSec traffic to pass through (and it means that the ASA will not be able to inspect the traffic carried through the GRE tunnels). There is an alternative design which would put the VPN router in front of the ASA. This would allow the GRE/IPSec to operate as it has been and would allow the ASA to inspect the traffic after it is de-encapsulated and decrypted.

Without knowing more about your network and its requirements, it is difficult to determine which approach would be better.

HTH

Rick


Hi Rick,

Nice to hear from you again.

I didn't find the scenario you mentioned in the Cisco documentation:

"There is an alternative design which would put the VPN router in front of the ASA."

We have one Internet pipe of 10MB, and to make the design and troubleshooting simple, the suggested idea was to have one route to the Internet.

(all traffic passes through the firewall, in/out)

Earlier we had two legs to the Internet, one for VPN and another for hosting/browsing.

Getting the design right, with acceptable security, is the concern.

Thanks

ST

ST

I have seen implementations which have separate connections to the Internet for VPN and for browsing and I have seen implementations where all traffic uses a single connection to the Internet. So you have changed from one approach to the other. Sometimes that kind of change is made for economic reasons (reduce cost by paying for only a single connection) and sometimes it is made to exert a different control over traffic. It is not clear why you made the change but it suggests that you may have made the change to be better able to examine and secure your Internet traffic.

So there are 2 designs to consider. In one design (as you currently have it) the router processing GRE/IPSec is behind the ASA and in the other design the router processing GRE/IPSec is in front of the ASA. In the first design the ASA connects directly to the Internet and in the second design the ASA connects to the GRE/IPSec router which connects to the Internet.

It is not possible to say abstractly that one design is better than the other. The choice of best design depends on what you are trying to accomplish. And only someone familiar with your network and your requirements can make that judgement.

In the design that you show the ASA must allow the GRE/IPSec traffic to pass through but is not able to examine the user traffic contained in the GRE/IPSec packets. In the other design where the GRE/IPSec router is in front of the ASA then the user traffic will be unencrypted by the time it gets to the ASA and the ASA will be able to examine the user traffic.

I have a customer who uses your design where the GRE/IPSec router is behind the firewall. Their judgement is that they treat the VPN users just like they treat users who are inside the corporate network (if the internal users do not have to pass through a firewall, they do not require the remote user to pass through the firewall). I have another customer who uses the other design in which the GRE/IPSec router is in front of the firewall. Their position is that they want the firewall to examine "all" traffic coming in from the Internet.

So what is the position of your organization? Is it important for the ASA to examine "all" traffic coming in from the Internet or should the remote users have unrestricted access to your network? Once you answer that question then you will determine which design is better for your organization.

HTH

Rick


Hi Rick,

Thanks for the great explanation. It's helpful.

Does the GRE/IPsec-router-before-the-ASA scenario support routing protocols (OSPF, EIGRP)?

Is it possible to share the doc link for a sample config of the GRE/IPsec router and the needed config on the ASA (GRE/IPsec router before the ASA scenario)?

Thanks again

ST
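Added example (not part of this thread and not taken from Cisco documentation) putting the two designs Rick describes side by side: the VPN_RTR GRE-over-IPsec configuration, the ASA policy when the ASA sits in front of VPN_RTR (ST's drawing), and the ASA policy when VPN_RTR sits in front of the ASA (the alternative ST asks about last). All addresses are constructed from RFC 5737 documentation ranges, the object/ACL names and the pre-shared key are placeholders, and IOS with tunnel protection plus ASA 8.3-or-later NAT/ACL syntax is assumed. GRE carries multicast, so OSPF or EIGRP forms adjacencies across the tunnel in either design; with the ASA in front, the IPsec SA is kept in transport mode so that the GRE IP header is the one the ASA's static NAT rewrites and the far end still sees its configured tunnel destination after decryption.

```cisco
! ===== VPN_RTR (IOS): GRE over IPsec, same in both designs =====
! Constructed addresses: remote peer 203.0.113.10, our public 203.0.113.20.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.10
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 ! Transport mode: the GRE IP header stays the outer header, so a NAT in the
 ! path (design 1) is handled by NAT-T (UDP/4500) without breaking GRE.
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 ! Design 1: this is Vlan 9 toward Core_Sw, private and NATed by the ASA.
 ! Design 2: this interface faces the Internet; use 203.0.113.20 instead.
 ip address 10.9.0.2 255.255.255.0
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile GRE-PROT
!
! OSPF runs over the GRE tunnel (GRE passes multicast); EIGRP works the same way.
! Advertise the tunnel plus the LAN-facing subnet of the chosen design.
router ospf 1
 network 10.255.255.0 0.0.0.3 area 0
 network 10.9.0.0 0.0.0.255 area 0
!
! ===== Design 1: ASA in front of VPN_RTR (ASA 8.3+) =====
! The ASA forwards only IKE and NAT-T/ESP to VPN_RTR; it cannot see inside the tunnel.
route inside 10.9.0.0 255.255.255.0 10.10.0.1
object network VPN_RTR
 host 10.9.0.2
 nat (inside,outside) static 203.0.113.20
! On 8.3+ the ACL names the real (untranslated) address of VPN_RTR.
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 10.9.0.2 eq isakmp
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 10.9.0.2 eq 4500
access-list OUTSIDE_IN extended permit esp host 203.0.113.10 host 10.9.0.2
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! ===== Design 2: VPN_RTR in front of the ASA (ASA 8.3+) =====
! Remote-site traffic reaches the ASA outside interface already decrypted, so the
! rules name the remote LAN and the services it may reach, and the ASA inspects it.
object network LOCAL_LAN
 subnet 10.10.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0
! Identity (no-NAT) between the two sites so private addresses survive.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
access-list OUTSIDE_IN extended permit tcp object REMOTE_LAN object LOCAL_LAN eq 443
access-list OUTSIDE_IN extended permit icmp object REMOTE_LAN object LOCAL_LAN echo
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

In design 1 the trade-off Rick describes is visible in the ACL: the ASA can only permit or deny the IKE/NAT-T flow as a whole, and the explicit deny-with-log line is what lets you see anything else knocking on the VPN router's translated address. In design 2 the ASA rules are written against the decrypted user traffic, so they can be as specific as for any other Internet source; the price is that VPN_RTR is now the Internet-facing device, so its own outside interface needs an inbound ACL limited to IKE, NAT-T and ESP from the known peer, with management reachable only from the inside.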
