GRE alternatives for PIX

I need to design a VPN network around a PIX 515E hub site and IOS routers at the remote sites. In the past, I have designed VPN networks using only IOS routers. I like to use IPSec encrypted GRE tunnels so that I can run RIP over the VPN and also so that I can create default routes for Internet traffic via the GRE tunnel interfaces to route traffic through centralized URL monitoring and filtering devices. I was told that the PIX does not support GRE. How can I do the above without GRE? What are my alternatives?

Thanks,

Diego

3 REPLIES
Re: GRE alternatives for PIX

Diego,

The pix just doesn't support termination of GRE tunnels. However, you can terminate your GRE tunnels on a router inside of your pix.

ie. router-------pix---------Internet-------------router

gre---------------------------------------------gre (from router to router)

----------------> ipsec-----------------------------ipsec (from pix to router)

The ipsec tunnel on the pix uses the gre traffic as the interesting traffic.

Here's a doc that shows you how to do it:

http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html#diagram

HTH

Jeff

Re: GRE alternatives for PIX

Looks like that might work.

Thanks!

Diego

Re: GRE alternatives for PIX

Jeff:

After looking at that article more closely I see something that might be a problem. The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. The GRE endpoints would have to reference public IPs. This in turn means that the PIXes would have to do some NAT. So the question becomes can the PIX correctly encrypt packets that are being sent to a NATed address. At best, this would complicate the PIX config quite a bit. What about having the internal router with one interface on the DMZ and one on the private network. Wouldn't that be easier?

Thanks,

Diego
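
The design Jeff describes, written out as an added example configuration that is not from the thread or the linked Cisco document: GRE runs router to router while IPsec runs PIX to router, the crypto ACLs on both ends match the GRE flow as the interesting traffic, and a nat 0 exemption keeps the PIX from translating the GRE endpoint addresses. All addresses, interface names, the 172.16.0.0/30 tunnel subnet and the <PSK> placeholder are assumptions for illustration.

```cisco
!--- Hub PIX 515E (PIX 6.3 syntax). Illustrative addresses: PIX outside 203.0.113.1,
!--- PIX inside 10.1.1.1, inside GRE router 10.1.1.2, remote router outside
!--- 198.51.100.1 (ISP next hop 198.51.100.254). <PSK> is a placeholder.
access-list gre-vpn permit gre host 10.1.1.2 host 198.51.100.1
nat (inside) 0 access-list gre-vpn
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-sha-hmac
crypto map gremap 10 ipsec-isakmp
crypto map gremap 10 match address gre-vpn
crypto map gremap 10 set peer 198.51.100.1
crypto map gremap 10 set transform-set strong
crypto map gremap interface outside
isakmp enable outside
isakmp key <PSK> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
!--- Hub inside router: terminates GRE; reaches the remote public IP through the PIX.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.1.1.2
 tunnel destination 198.51.100.1
ip route 198.51.100.1 255.255.255.255 10.1.1.1
!--- Remote IOS router: GRE to the hub router, IPsec to the PIX.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <PSK> address 203.0.113.1
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
access-list 101 permit gre host 198.51.100.1 host 10.1.1.2
crypto map gremap 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set strong
 match address 101
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map gremap
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.1.1.2
!--- Host routes keep the GRE endpoint and IPsec peer off the tunnel default route.
ip route 10.1.1.2 255.255.255.255 198.51.100.254
ip route 203.0.113.1 255.255.255.255 198.51.100.254
ip route 0.0.0.0 0.0.0.0 Tunnel0
router rip
 network 172.16.0.0
 network 10.0.0.0
```

Because the PIX and the remote router use IPsec tunnel mode, the ESP packets crossing the Internet carry 203.0.113.1 and 198.51.100.1 as their outer addresses, and the private 10.1.1.2 appears only inside the encrypted GRE header; the hub router needs a matching RIP stanza for routes to propagate over Tunnel0.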
