Re: CSS 11501 and GRE

wiwells · ‎01-08-2004

Greetings:

I have a 3550-48 EMI switch sitting behind a CSS and I need to establish a GRE tunnel to another switch on the other side of the CSS. In the end configuration it will not be possible to bypass the CSS to establish the tunnel.

I have successfully established the GRE tunnel between the two switches around the CSS in my lab environment, so I know the basic configuration is correct.

I have a feeling that the problem lies in the layer-3 translation at the CSS (since GRE uses a different protocol ID than IP).

Gilles Dufour · ‎01-09-2004

I did the test in the lab and it works for me unless

I try to NAT the ip address of the devices.

Are you trying to NAT as well ?

If you try to NAT, the box needs to create FCB and for that it only supports TCP/UDP traffic.

Gilles.

wiwells · ‎01-12-2004

I actually have been attempting to NAT. Unfortunately, in my configuration the systems on the "unauthorized" side of the CSS don't know about the internal address of the 3550.

Can you send me the configuration you used in your lab?

We currently use the same technique using a PIX as the edge device and it works fine (and I know that the CSS performs a different type of service and is not a firewall by nature).

Gilles Dufour · ‎01-13-2004

there is no need of a specific config.

As long as the traffic does not hit a content rule or a group, it will simply be forwarded and therefore it works [but no NAT].

Gilles.