01-08-2004 10:09 AM
Greetings:
I have a 3550-48 EMI switch sitting behind a CSS and I need to establish a GRE tunnel to another switch on the other side of the CSS. In the end configuration it will not be possible to bypass the CSS to establish the tunnel.
I have successfully established the GRE tunnel between the two switches around the CSS in my lab environment, so I know the basic configuration is correct.
I have a feeling that the problem lies in the layer-3 translation at the CSS (since GRE uses a different protocol ID than IP).
01-09-2004 01:51 AM
I did the test in the lab and it works for me unless I try to NAT the IP address of the devices.
Are you trying to NAT as well?
If you try to NAT, the box needs to create an FCB, and for that it only supports TCP/UDP traffic.
Gilles.
01-12-2004 12:19 PM
I actually have been attempting to NAT. Unfortunately, in my configuration the systems on the "unauthorized" side of the CSS don't know about the internal address of the 3550.
Can you send me the configuration you used in your lab?
We currently use the same technique using a PIX as the edge device and it works fine (and I know that the CSS performs a different type of service and is not a firewall by nature).
01-13-2004 04:46 AM
There is no need for a specific config.
As long as the traffic does not hit a content rule or a group, it will simply be forwarded and therefore it works [but no NAT].
Gilles.