I need to design a VPN network around a PIX 515E hub site and IOS routers at the remote sites. In the past, I have designed VPN networks using only IOS routers. I like to use IPsec-encrypted GRE tunnels so that I can run RIP over the VPN and also so that I can create default routes for Internet traffic via the GRE tunnel interfaces to route traffic through centralized URL monitoring and filtering devices. I was told that the PIX does not support GRE. How can I do the above without GRE? What are my alternatives?
After looking at that article more closely, I see something that might be a problem. The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. The GRE endpoints would have to reference public IPs. This in turn means that the PIXes would have to do some NAT. So the question becomes: can the PIX correctly encrypt packets that are being sent to a NATed address? At best, this would complicate the PIX config quite a bit. What about having the internal router with one interface on the DMZ and one on the private network? Wouldn't that be easier?
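The remote-site configuration the poster describes (a GRE tunnel protected by IPsec, RIP running across the tunnel, and a default route for Internet traffic pointing into the tunnel, with the GRE endpoints referencing public addresses as the follow-up notes they must), written out as an added IOS example. It is not from the thread, and the hub's public address 203.0.113.2, the remote WAN address 198.51.100.2/30 with ISP next hop 198.51.100.1, the tunnel and LAN addressing, the interface names and the pre-shared key are all assumed placeholders. The far end is assumed to be an IOS router terminating GRE (the PIX, as the post states, cannot), so only one side is shown.

```cisco
! --- Assumed remote-site IOS router; all addresses/names are placeholders ---
! Phase 1: authenticate and key the IPsec peer at the hub's public address
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ASSUMED-PSK-CHANGE-ME address 203.0.113.2
!
! Phase 2: transform set and profile applied directly to the tunnel interface
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 description WAN to ISP (assumed)
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Site LAN (assumed)
 ip address 10.1.0.1 255.255.255.0
!
! GRE endpoints are the PUBLIC addresses of both routers, never the LAN side;
! "tunnel protection" wraps every GRE packet in ESP toward 203.0.113.2.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
! RIP over the VPN: advertise the LAN and the tunnel subnet, keep RIP off the WAN
router rip
 version 2
 network 10.0.0.0
 passive-interface GigabitEthernet0/0
 no auto-summary
!
! Default route into the tunnel so Internet traffic goes to the hub's filtering.
! The host route for the tunnel destination MUST point at the ISP, otherwise the
! tunnel's outer packets would recurse into the tunnel itself and it never comes up.
ip route 203.0.113.2 255.255.255.255 198.51.100.1
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

To check the design on a live box: `show crypto isakmp sa` and `show crypto ipsec sa` confirm the SAs to 203.0.113.2 are up, `show ip route rip` confirms hub prefixes arrive over Tunnel0, and `show ip route 203.0.113.2` must resolve via the ISP next hop and not via Tunnel0. If any NAT device sits between the two public endpoints, it must pass UDP/500 and ESP (or UDP/4500 when NAT-T is negotiated); GRE itself is never visible on the wire because it is carried inside ESP.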
Introduction: This document describes details on how NAT-T works. Background: ESP encrypts all critical information, encapsulating the entire inner TCP/UDP datagram within an ESP header. ESP is an IP protocol in the same sense that TCP and UDP are I...