GRE IPSec hub router in front of a PIX

wares
Level 1

I have a question. If I have a few (4) small remote offices and want to use GRE tunnels over IPsec VPNs back to the main office 2651 router, how does that work as far as having my PIX behind the 2651?

The 2651 will have the Internet T1 coming into it, and the PIX's outside address will have a public IP. Do I just create access-lists on the router to forward the remote office subnets to the PIX, and/or ACLs on the PIX to allow the remote office traffic?

Sorry if this is a stupid question. Thanks!

5 Replies

awaheed
Cisco Employee

Hi Wares,

So if I understand you correctly, you have the following topology:

|--inside networks--PIX--2651--(INTERNET)

And all your GRE tunnels will be terminated on the 2651 router. In this case your PIX will only get the IP packets after they come out of the GRE encapsulation, hence the PIX should only need to allow the IP packets to the inside network. As for the IPSec/GRE termination, the 2651 can handle it as the hub without much problem (note: PIX doesn't support GRE termination).

Some resources to look at:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009486e.shtml

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080093f70.shtml

Hope this helps,

Regards,

Aamir

-=-=-

Thanks, awaheed, for the reply! So then, as far as the IP packets from the remote offices heading on to the PIX, would I just set up static routes in the 2651 to forward them on to the PIX?

Like:

Remote office subnet: 192.168.6.0/24

PIX outside interface: 66.100.100.2

ip route 192.168.6.0 255.255.255.0 66.100.100.2

And then just apply the normal ACLs in the PIX for the traffic that I want to permit?

awaheed
Cisco Employee

Yeah, you would be adding the static routes on the PIX to return those packets back to the 2651; just make sure that the syntax of that points to the 2651 inside interface as the next hop, not the PIX outside.

So, it would be:

route 192.168.6.0 255.255.255.0 <2651 inside intf>

as per:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1027614

hope this helps,

Regards,

Aamir

-=-=-

So would I use a syntax like:

route outside 192.168.x.0 255.255.255.0 66.100.100.3, where 66.100.100.3 is the 2651 inside interface address.

Is it possible to have more than one route outside command as long as it is not a default route?

Thanks for all your help!

awaheed
Cisco Employee

Hi Wares,

Absolutely, you can use as many route outside commands as you need, as long as they are not default routes. Additionally, being on the PIX this should work for you; let me know if it fixes the issue.

Regards,

Aamir

-=-=-
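Putting the routes from these replies together, here is an added example of how the two boxes fit (it is not from the thread or from Cisco). The 66.100.100.2 PIX outside and 66.100.100.3 2651 inside addresses come from the thread; the main-office LAN 172.16.1.0/24, the tunnel addressing, the remote peer 198.51.100.6 and the T1 address 203.0.113.1 are constructed, and the ISAKMP policy, pre-shared key and PIX interface addressing are left out.

```cisco
! ===== 2651 hub (IOS) =====
! 66.100.100.3 (2651 inside) and 66.100.100.2 (PIX outside) are from the thread;
! every other address below is constructed for this example.
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
crypto map GRE-VPN 10 ipsec-isakmp
 set peer 198.51.100.6
 set transform-set GRE-TS
 match address 110
!
interface Serial0/0
 description Internet T1
 ip address 203.0.113.1 255.255.255.252
 crypto map GRE-VPN
!
interface FastEthernet0/0
 description Segment shared with the PIX outside interface
 ip address 66.100.100.3 255.255.255.248
!
interface Tunnel0
 description GRE to remote office 1 (LAN 192.168.6.0/24)
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 198.51.100.6
!
! The crypto ACL protects the GRE stream itself, not the LAN subnets carried inside it
access-list 110 permit gre host 203.0.113.1 host 198.51.100.6
! The remote LAN is reached through the tunnel; the main-office LAN behind the PIX
! is reached via the PIX outside address
ip route 192.168.6.0 255.255.255.0 Tunnel0
ip route 172.16.1.0 255.255.255.0 66.100.100.2
!
! ===== PIX 6.3 =====
! Return routes to the remote LANs point at the 2651 inside interface,
! not at the PIX's own outside address; only the 0.0.0.0 route is the default
route outside 0.0.0.0 0.0.0.0 66.100.100.3 1
route outside 192.168.6.0 255.255.255.0 66.100.100.3 1
! The PIX only ever sees decapsulated IP, so permit just the remote LAN inbound
access-list outside_in permit ip 192.168.6.0 255.255.255.0 172.16.1.0 255.255.255.0
access-group outside_in in interface outside
! Exempt main-office <-> remote-office traffic from NAT so the remote LANs
! see the real 172.16.1.0/24 addresses
access-list nonat permit ip 172.16.1.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list nonat
```

Each additional remote office gets its own Tunnel interface, crypto map entry, crypto ACL line and static route on the 2651, plus one more route outside, outside_in and nonat line on the PIX.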
