I need to do GRE through a PIX. I looked at the following article: http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html. I see something here that might be a problem. The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. The GRE endpoints would have to reference public IPs. This in turn means that the PIXes would have to do some NAT. So the question becomes: Can the PIX correctly encrypt/decrypt packets that are being sent to a private address that is being NATed to a public IP? How much will this complicate my crypto maps and access lists? What about having the internal router with one interface on the DMZ and one on the private network? Would that be easier?