Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CSS 11501 and GRE


I have a 3550-48 EMI switch sitting behind a CSS and I need to establish a GRE tunnel to another switch on the other side of the CSS. In the end configuration it will not be possible to bypass the CSS to establish the tunnel.

I have successfully established the GRE tunnel between the two switches around the CSS in my lab environment, so I know the basic configuration is correct.

I have a feeling that the problem lies in the layer-3 translation at the CSS (since GRE uses a different protocol ID than IP).

Cisco Employee

Re: CSS 11501 and GRE

I did the test in the lab and it works for me unless

I try to NAT the ip address of the devices.

Are you trying to NAT as well ?

If you try to NAT, the box needs to create FCB and for that it only supports TCP/UDP traffic.


New Member

Re: CSS 11501 and GRE

I actually have been attempting to NAT. Unfortunately, in my configuration the systems on the "unauthorized" side of the CSS don't know about the internal address of the 3550.

Can you send me the configuration you used in your lab?

We currently use the same technique using a PIX as the edge device and it works fine (and I know that the CSS performs a different type of service and is not a firewall by nature).

Cisco Employee

Re: CSS 11501 and GRE

there is no need of a specific config.

As long as the traffic does not hit a content rule or a group, it will simply be forwarded and therefore it works [but no NAT].