Yes, the Cisco PIX firewall can serve as a GRE pass-through device. The PIX cannot terminate or initiate any GRE traffic, but with the proper translations and access allowed, GRE traffic will pass through the PIX. All models and software support allowing GRE (protocol 47) through the PIX. Hope this helps.
The PIX provides no stateful inspection for GRE. If you want a GRE tunnel to pass through the PIX, you must open up protocol number 47 on the outside ACL.
If the traffic is an outbound PPTP tunnel, you can use the fixup for pptp which dynamically allows in the resulting GRE traffic without any ACL entries. This does not work for inbound PPTP tunnels to my knowledge.
L2TP as used by Windows 2k+ is really L2TP over IPSec. So in addition to TCP/1701, you'll also need to open UDP/500 and protocol 50. Win2k+ also supports NAT-T for L2TP/IPSec using UDP/4500 for all other traffic. In this case, you won't need protocol 50.
The PIX does use GRE, although not directly. The PIX can terminate PPTP v1 tunnels, which use GRE as expected. The PIX has no other support for terminating GRE tunnels at this time.