GRE tunnel through asa no pptp, l2tp, ipsec

Unanswered Question
Jul 5th, 2013
Hello!

I can't understand how to configure a GRE tunnel through the ASA.

I have one router with a public IP, connected to the internet.

ASA 8.4 with a public IP, connected to the internet.

A router with a private IP behind the ASA.

I have only one public IP on the ASA, with a /30 mask.

I have no crypto.

I have a network behind the ASA and PAT for internet users.

Can't NAT GRE? Because only TCP/UDP is NATed(?)

With packet-tracer I see the flow already created, but the tunnel doesn't work.

Karsten Iwen Fri, 07/05/2013 - 11:43
User Badges: Purple, 4500 points or more; Cisco Designated VIP, 2017 Firewalling, VPN

You don't need any NAT if you can route your traffic. Just make sure that the outside router has a route to the private IP of the inside router and the inside router has a route to the public IP of the outside router. Then allow GRE in the ACLs of the ASA for these IPs.


Sent from Cisco Technical Support iPad App

GrimnirMsk_2 Fri, 07/05/2013 - 12:09
I think internet providers won't want to route traffic to my inside router's private IP.

Even if I write a route through the internet to my inside router's private IP

Scheme:

R1(public) - internet - (public) ASA (private) - (private) R2

Karsten Iwen Fri, 07/05/2013 - 12:24
User Badges: Purple, 4500 points or more; Cisco Designated VIP, 2017 Firewalling, VPN

Oh, I thought your public router was directly in front of your ASA. There you wouldn't need any NAT.

With the router being remote, you can do a 1:1 NAT on the ASA for the internal IP.


Sent from Cisco Technical Support iPad App
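
The two pieces of advice above (a route to the inside router plus a GRE-only ACL on the ASA, and a 1:1 static NAT when the public router is remote) put together as an added configuration example. This is not Karsten's config or anything from the thread; all addresses are constructed: R1 public 198.51.100.1, ASA outside 203.0.113.2, inside router R2 192.168.1.2 with the ASA inside interface 192.168.1.1 as its gateway, and a spare public address 203.0.113.10 on the ASA's outside subnet for the static NAT. ASA 8.4 (post-8.3) NAT and ACL syntax; IOS 15.x syntax on the routers.

```cisco
! ===== ASA 8.4 =====
! Assumed addresses (constructed). A 1:1 static NAT needs a public address of
! its own (a full static to the interface address is not allowed), so this
! part only applies when more than the single /30 interface IP is available.
object network R1_PUBLIC
 host 198.51.100.1
!
object network R2_INSIDE
 host 192.168.1.2
 ! 1:1 NAT: R2 is reachable from the internet as 203.0.113.10 and its GRE
 ! packets leave with that source, so R1 can use it as tunnel destination.
 nat (inside,outside) static 203.0.113.10
!
! Least-privilege inbound ACL: only GRE (IP protocol 47), only from R1, only
! to R2. Since 8.3 the ACL matches the real (untranslated) inside address.
access-list OUTSIDE_IN extended permit gre object R1_PUBLIC object R2_INSIDE
access-group OUTSIDE_IN in interface outside
!
! Check the path the way the original poster did; the inbound packet carries
! the mapped address as destination:
!   packet-tracer input outside rawip 198.51.100.1 47 203.0.113.10

! ===== R1 (public router, IOS) =====
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 ! R1 talks to the mapped (public) address of R2
 tunnel destination 203.0.113.10

! ===== R2 (inside router, IOS) =====
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 192.168.1.2
 tunnel destination 198.51.100.1
! Route to R1's public IP via the ASA inside interface
ip route 198.51.100.1 255.255.255.255 192.168.1.1
```

Because GRE is neither TCP nor UDP, a dynamic PAT on the ASA cannot carry it, which is why the static (one-to-one) mapping is needed; the ACL is deliberately narrowed to the two tunnel endpoints rather than permitting GRE from any source.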

GrimnirMsk_2 Sat, 07/06/2013 - 01:22
I have only one public IP on the ASA, with a /30 mask.

I have a network behind the ASA and PAT for internet users.

Karsten Iwen Sat, 07/06/2013 - 04:33
User Badges: Purple, 4500 points or more; Cisco Designated VIP, 2017 Firewalling, VPN

A "clean" way would be to use a protocol that can be PATted. That could be GRE over IPSec. With that you have the additional benefit that your communication is protected through the internet.



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
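
An added example of the "protocol that can be PATted" approach suggested above: GRE over IPsec with IKEv1 in transport mode, so that R2, which has no public address of its own, can build the tunnel through the ASA's existing dynamic PAT. This is not Karsten's or the thread's configuration. Assumed (constructed) addresses: R1 public 198.51.100.1 on GigabitEthernet0/0, ASA outside 203.0.113.2, R2 192.168.1.2 with the ASA inside interface 192.168.1.1 as its default gateway. IOS 15.x syntax; the pre-shared key is a placeholder.

```cisco
! IKE (UDP/500) and NAT-T (UDP/4500) are UDP, so the ASA's dynamic PAT carries
! them; GRE itself travels inside ESP. R2 must always initiate, because R1 has
! no way to reach R2 until a PAT entry exists.

! ===== R1 (public router) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! R2's IKE packets arrive from the ASA's public address after PAT
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 203.0.113.2
crypto ipsec transform-set GRE_TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE_PROT
 set transform-set GRE_TS
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 ! Transport mode keeps the outer IP header, so after decryption the GRE
 ! packet is seen from the ASA's public address
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE_PROT

! ===== R2 (inside router, behind the ASA PAT) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 198.51.100.1
! Periodic DPD keeps the PAT entry on the ASA alive and detects a dead peer
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set GRE_TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE_PROT
 set transform-set GRE_TS
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 tunnel source 192.168.1.2
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE_PROT
ip route 0.0.0.0 0.0.0.0 192.168.1.1
```

No inbound ACL change is needed on the ASA: R2 opens the UDP/500 and UDP/4500 flows outbound and the PAT entries admit the replies. On the routers, `show crypto isakmp sa` and `show crypto ipsec sa` show the SA with NAT-T in use; on the ASA, `show xlate` shows the two UDP PAT entries for R2. Beyond solving the PAT problem, the tunnel payload is now encrypted and authenticated across the internet, which plain GRE does not provide.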
