Cisco Support Community
Community Member

GRE tunnel through asa no pptp, l2tp, ipsec

Hello!

I can't understand how to configure a GRE tunnel through an ASA.

I have one router with a public IP, connected to the Internet.

An ASA 8.4 with a public IP, connected to the Internet.

A router with a private IP behind the ASA.

I have only one public IP on the ASA, with a /30 mask.

I have no crypto.

I have a network behind the ASA and PAT for Internet users.

Can't NAT GRE? Because only TCP/UDP is NATed(?)

With packet-tracer I see a flow already created, but the tunnel doesn't work.

5 REPLIES
VIP Purple

Re: GRE tunnel through asa no pptp, l2tp, ipsec

You don't need any NAT if you can route your traffic. Just make sure that the outside router has a route to the private IP of the inside router and the inside router has a route to the public IP of the outside router. Then allow GRE in the ACLs of the ASA for these IPs.


Sent from Cisco Technical Support iPad App

Community Member

GRE tunnel through asa no pptp, l2tp, ipsec

I think Internet providers won't want to route traffic to my inside router's private IP,

even if I write a route through the Internet to my inside router's private IP.

scheme

R1(public) - internet - (public) ASA (private) - (private) R2

VIP Purple

Re: GRE tunnel through asa no pptp, l2tp, ipsec

Oh, I thought your public router was directly in front of your ASA. There you wouldn't need any NAT.

With the router being remote, you can do a 1:1 NAT on the ASA for the internal IP.


Sent from Cisco Technical Support iPad App

Community Member

GRE tunnel through asa no pptp, l2tp, ipsec

I have only one public IP on the ASA, with a /30 mask.

I have a network behind the ASA and PAT for Internet users.

VIP Purple

GRE tunnel through asa no pptp, l2tp, ipsec

A "clean" way would be to use a protocol that can be PATted. That could be GRE over IPSec. With that you have the additional benefit that your communication is protected through the internet.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
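
An added example, not part of the thread or any poster's code: a simplified Python model of why port address translation has nothing to key on for plain GRE (IP protocol 47), while IPsec NAT-T traffic, carried in UDP port 4500, can share the single public address with the other PAT users. The addresses, the `PatTable` class and the helper names are assumptions for illustration; this is not ASA code or configuration.

```python
import socket
import struct

TCP, UDP, GRE, ESP = 6, 17, 47, 50  # IANA IP protocol numbers

def build_ipv4(proto, src, dst, payload=b""):
    """Constructed minimal IPv4 packet: 20-byte header, checksum left at 0."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload

def udp(sport, dport, data=b""):
    """Constructed UDP datagram, checksum left at 0."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def l4_source_port(packet):
    """Source port a PAT device could rewrite, or None if the protocol has none."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] in (TCP, UDP):
        return struct.unpack("!H", packet[ihl:ihl + 2])[0]
    return None  # GRE (47) and ESP (50) have no port field (ICMP IDs omitted here)

class PatTable:
    """Simplified many-to-one translation keyed on (protocol, inside IP, port)."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip, self.next_port, self.xlate = public_ip, first_port, {}

    def translate(self, packet):
        port = l4_source_port(packet)
        if port is None:
            return None  # nothing to multiplex on: 1:1 NAT or encapsulation needed
        key = (packet[9], socket.inet_ntoa(packet[12:16]), port)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.xlate[key])

# Constructed sample traffic (documentation and private address ranges).
GRE_HEADER = b"\x00\x00\x08\x00"  # no flags, version 0, payload type IPv4
plain_gre = build_ipv4(GRE, "10.0.0.2", "198.51.100.1", GRE_HEADER)
nat_t = build_ipv4(UDP, "10.0.0.2", "198.51.100.1", udp(4500, 4500, b"ESP..."))
user_dns = build_ipv4(UDP, "10.0.0.3", "198.51.100.53", udp(4500, 53))

if __name__ == "__main__":
    pat = PatTable("192.0.2.2")
    for name, pkt in [("GRE", plain_gre), ("NAT-T", nat_t), ("DNS", user_dns)]:
        print(name, "->", pat.translate(pkt))
```

In this model the plain GRE packet gets no translation entry, while the NAT-T packet and another inside host's UDP traffic receive distinct public ports even though both use source port 4500.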
