Cisco Support Community
New Member

GRE Tunneling via PIX Firewall

Hi Sir,

Need to confirm whether the Cisco PIX Firewall supports GRE pass-through?

If yes, what model of PIX Firewall and PIX image version do I need to use?

As I understand from RFC 1071 & 1072, the IP Protocol type is 47.

Need your help as soon as possible.

Thanks,

Raymond Hew

7 REPLIES

Re: GRE Tunneling via PIX Firewall

Hi,

Yes, the Cisco PIX firewall can serve as a GRE pass-through device. The PIX cannot terminate or initiate any GRE traffic, but with the proper translations and access allowed, GRE traffic will pass through the PIX. All models and software support allowing GRE (protocol 47) through the PIX. Hope this helps.

Scott

New Member

Re: GRE Tunneling via PIX Firewall

Hi Scott,

How about an L2TP tunnel through the PIX firewall? I assume it should also pass through without any problem.

What IP protocol type does L2TP use?

In my customer's scenario, they are going to put two PIX firewalls in between the routers soon; at the moment I have enabled GRE on them without a firewall in between.

Thanks in advance,

Raymond Hew.

New Member

Re: GRE Tunneling via PIX Firewall

If you are looking at passing IPSEC or PPTP through, you just need to let the PIX know what to do with these protocols through the fixup protocol command. Example:

Ipsec:

fixup protocol esp-ike

or PPTP:

fixup protocol pptp 1723

Hope this helps.

New Member

Re: GRE Tunneling via PIX Firewall

Hi JHaggett,

How about if we are going to use a GRE tunnel (as per RFC 1701 & RFC 1702) and an L2TP tunnel (as per RFC 2662)?

What is the fixup protocol command ?

Thanks in advance,

Raymond Hew.

New Member

Re: GRE Tunneling via PIX Firewall

I think it's dependent on PPTP... I would just add the fixup protocol pptp 1723 and see what happens :)

New Member

Re: GRE Tunneling via PIX Firewall

I think I see what you mean, I went through the same problem, try this...

access-list OUTGOING permit gre any any

Dominic

Silver

Re: GRE Tunneling via PIX Firewall

The Pix provides no stateful inspection for GRE. If you want a gre tunnel to pass through the Pix, you must open up protocol number 47 on the outside ACL.

If the traffic is an outbound PPTP tunnel, you can use the fixup for pptp which dynamically allows in the resulting GRE traffic without any ACL entries. This does not work for inbound PPTP tunnels to my knowledge.

L2TP as used by Windows 2k+ is really L2TP over IPSec. So in addition to TCP/1701, you'll also need to open UDP/500 and protocol 50. Win2k+ also supports NAT-T for L2TP/IPSec using UDP/4500 for all other traffic. In this case, you won't need protocol 50.

The PIX does use GRE, although not directly. The PIX can terminate PPTP v1 tunnels, which use GRE as expected. The PIX has no other support for terminating GRE tunnels at this time.
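Pulling the thread's advice together as one PIX 6.x configuration fragment. This is an added example, not configuration posted by any participant: the interface name "outside", the access-list name OUTSIDE_IN, and the addresses (inside tunnel endpoint 192.0.2.10, its outside static 203.0.113.10, remote GRE peer 198.51.100.1) are assumptions. It permits an inbound router-to-router GRE tunnel, inbound L2TP/IPsec (with and without NAT-T), and uses the PPTP fixup for outbound PPTP clients. L2TP's own port is UDP/1701 (RFC 2661), which is what the ACL opens here.

```cisco
! Added example (not from the thread). Assumed: outside interface "outside",
! inside tunnel endpoint 192.0.2.10, outside static 203.0.113.10,
! remote GRE peer 198.51.100.1.
!
! GRE (47) and ESP (50) carry no port numbers, so they cannot be PATed:
! the inner endpoint needs a one-to-one static translation.
static (inside,outside) 203.0.113.10 192.0.2.10 netmask 255.255.255.255
!
! GRE: no stateful inspection on the PIX, so protocol 47 must be permitted
! explicitly on the outside ACL (outbound from the higher-security interface
! is already allowed by default).
access-list OUTSIDE_IN remark GRE tunnel from remote router
access-list OUTSIDE_IN permit gre host 198.51.100.1 host 203.0.113.10
!
! L2TP/IPsec from Windows 2000+ clients: IKE (UDP/500) plus ESP (50),
! or NAT-T (UDP/4500) carrying both IKE and ESP when a NAT is in the path.
access-list OUTSIDE_IN remark L2TP/IPsec - IKE, ESP, NAT-T
access-list OUTSIDE_IN permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE_IN permit esp any host 203.0.113.10
access-list OUTSIDE_IN permit udp any host 203.0.113.10 eq 4500
!
! L2TP itself (UDP/1701, RFC 2661). Only seen in the clear if L2TP is run
! without IPsec; when IPsec is used it travels inside ESP/NAT-T.
access-list OUTSIDE_IN remark L2TP control and data
access-list OUTSIDE_IN permit udp any host 203.0.113.10 eq 1701
!
access-group OUTSIDE_IN in interface outside
!
! Outbound PPTP from inside clients: the fixup inspects the TCP/1723 control
! channel and dynamically admits the matching inbound GRE, so no ACL entry
! for protocol 47 is needed for that direction. Inbound PPTP servers still
! need TCP/1723 and GRE opened in the ACL above.
fixup protocol pptp 1723
```

Two checks worth running after applying this: `show access-list OUTSIDE_IN` should show hit counts climbing on the `gre` line while the tunnel is up, and `show xlate` should show the static for 203.0.113.10; if the GRE peer instead sits behind a PAT pool, the tunnel will not come up regardless of the ACL, because there is no port to translate.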
