
New Member

GRE inspection

How is packet inspection affected (if at all) on an ASA, when the packet is encapsulated with GRE?

Thank you


7 REPLIES
Cisco Employee

Re: GRE inspection

There is no inspection for GRE on ASA. The GRE packet will just be passed through the ASA.

Hope that helps.

Cisco Employee

Re: GRE inspection

Are you talking about pptp inspection?

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721656

When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic.

If you are talking about just GRE, it is IP protocol 47 and will be allowed if permitted via ACL just like any other traffic. There is no inspection specifically for it.

-KS

New Member

Re: GRE inspection

I am talking about just GRE.  For example... If I tell the ASA that I don't want specified PTP protocols passing through, but there is ptp tunneled through http, the firewall will see that (hence application layer inspection), and will drop the packet.

So.. if I permit GRE, but block, say TFTP, will the firewall drop a packet that has a GRE encapsulated TFTP request?

Hall of Fame Super Blue

Re: GRE inspection

Jeff

No it won't because the firewall has no idea of what is encapsulated with the GRE tunnel. This is one of the main reasons it is recommended not to allow GRE tunnels through your firewall.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

New Member

Re: GRE inspection

Thanks for the response. Any chance this will change in the future? Seems pretty weak to me.

Cisco Employee

Re: GRE inspection

Don't think it will change in the near future. You might want to contact your Cisco account manager for the feature request.

Cisco Employee

Re: GRE inspection

Firewall will not block TFTP if you deny TFTP when it is encapsulated within the GRE packet. Anything within the GRE packet, the firewall will not know.

Jon has already confirmed that for you.

-KS
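The following is an added illustration, not code from the thread or from Cisco, of the point KS and Jon make above: a firewall that applies its ACL to the outer IP header alone sees only IP protocol 47 and never the TFTP request carried inside the GRE tunnel. The packet bytes, addresses and ACL entries are constructed for the example; `firewall_with_gre_decap` is a hypothetical GRE-aware evaluator included only to show what a rule would have to do to catch the inner flow (the thread states the ASA does not do this).

```python
import socket
import struct

GRE_PROTO = 47          # IP protocol number for GRE
UDP_PROTO = 17
TFTP_PORT = 69
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type field for an IPv4 payload


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def tftp_rrq(filename):
    """TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    return b"\x00\x01" + filename.encode() + b"\x00octet\x00"


def gre_header(proto=ETHERTYPE_IPV4):
    """Base GRE header (RFC 2784): no flags, protocol type only."""
    return struct.pack("!HH", 0, proto)


def build_plain_tftp_packet():
    # Constructed sample: TFTP RRQ sent directly, no tunnel.
    payload = tftp_rrq("config.bin")
    udp = udp_header(40000, TFTP_PORT, len(payload)) + payload
    return ipv4_header("10.0.0.5", "10.0.0.9", UDP_PROTO, len(udp)) + udp


def build_gre_tftp_packet():
    # Constructed sample: the same TFTP RRQ, but carried inside a GRE tunnel
    # between two constructed tunnel endpoints.
    inner = build_plain_tftp_packet()
    gre = gre_header() + inner
    return ipv4_header("192.0.2.1", "198.51.100.1", GRE_PROTO, len(gre)) + gre


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]), "payload": pkt[ihl:]}


def dst_port(ipinfo):
    """Destination port for TCP/UDP, None for anything else (e.g. GRE)."""
    if ipinfo["proto"] in (6, UDP_PROTO):
        return struct.unpack("!HH", ipinfo["payload"][:4])[1]
    return None


# Constructed ACL, evaluated top-down with an implicit deny at the end,
# standing in for: deny udp any any eq tftp / permit gre any any / permit udp any any
ACL = [
    ("deny", UDP_PROTO, TFTP_PORT),
    ("permit", GRE_PROTO, None),
    ("permit", UDP_PROTO, None),
]


def acl_decision(proto, dport):
    for action, aproto, aport in ACL:
        if aproto == proto and (aport is None or aport == dport):
            return action
    return "deny"


def firewall_outer_only(pkt):
    """Behaviour described in the thread: the ACL only ever sees the outer header."""
    outer = parse_ipv4(pkt)
    return acl_decision(outer["proto"], dst_port(outer))


def firewall_with_gre_decap(pkt):
    """Hypothetical GRE-aware check: permit only if the outer packet AND the
    decapsulated inner packet both pass the ACL."""
    outer = parse_ipv4(pkt)
    outer_action = acl_decision(outer["proto"], dst_port(outer))
    if outer["proto"] != GRE_PROTO or outer_action == "deny":
        return outer_action
    flags, gre_proto = struct.unpack("!HH", outer["payload"][:4])
    if flags == 0 and gre_proto == ETHERTYPE_IPV4:
        return firewall_with_gre_decap(outer["payload"][4:])
    return outer_action  # unknown encapsulation: nothing more to inspect


if __name__ == "__main__":
    print("plain TFTP      :", firewall_outer_only(build_plain_tftp_packet()))   # deny
    print("TFTP inside GRE :", firewall_outer_only(build_gre_tftp_packet()))     # permit
    print("GRE-aware check :", firewall_with_gre_decap(build_gre_tftp_packet())) # deny
```

The direct TFTP request hits the deny line, but the identical request inside GRE matches only the `permit gre` line, which is exactly why the replies above advise against allowing GRE through the firewall when you rely on it to filter the tunnelled traffic.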
