I need to do GRE through a PIX. I looked at the following article: http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html. I see something here that might be a problem. The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. The GRE endpoints would have to reference public IPs. This in turn means that the PIXes would have to do some NAT. So the question becomes: Can the PIX correctly encrypt/decrypt packets that are being sent to a private address that is being NATed to a public IP? How much will this complicate my crypto maps and access lists? What about having the internal router with one interface on the DMZ and one on the private network? Would that be easier?
I guess what has me confused here is that in the past (using IOS routers on both ends) I have first created a GRE tunnel using the public IPs of two routers, then I set up an IPSec tunnel (in transport mode) that considers GRE packets between the two public IPs as interesting and therefore encrypts them. This scenario seems to be sort of the opposite. The PIXes create an IPSec tunnel (in tunnel mode), then consider all traffic between the two private nets as interesting; therefore all traffic between the two private nets, including GRE, gets encrypted. Is this correct? On a side note, can the PIX use IPSec in transport mode?
We have configured the outside and inside interfaces with official IPv6 addresses and set a default route on the outside interface to our router. We have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...