Terminate IPSec at PIX outside and pass GRE through it?

nleachman
Level 1

Hi all,

I am new to the PIX, and my VPN experience has been between routers or concentrators so far, so please bear with me.

Currently I am running an IPSec/GRE tunnel from a remote router, through a hub PIX, and terminating both the GRE and IPSec tunnels on an "inside" router.

Due to some network design changes, I need to instead terminate IPSec at the PIX outside interface - and just pass the GRE tunnel through the PIX inside interface to the inside router.

I have no problem bringing up the IPSec tunnel between the remote router and the PIX outside interface - and passing traffic through it. But when I add the tunnel (GRE) interfaces to the routers - along with the routes - I can no longer get any traffic to pass.

One of the things I don't understand here is what the PIX ACL should look like. I am being told two different answers:

One version is to simply leave the IPSEc only ACL "access-list nonat permit ip [local network] [remote network]" in place. {Ok, but how does this permit the GRE packets destined for the inside router to pass across the inside interface?}

The second answer I have been told is to change that to "permit gre host[tunnel src] host[tunnel dest].

Are either of these correct for the PIX?

My thinking was that the GRE traffic would enter the IPSec tunnel on the remote router, come across the Internet, the IPSec encapsulation would be removed on the PIX, and then the remaining GRE packet would need to be permitted to access the higher security inside interface.

What is the proper solution here please?

I am also confused as to where the next hop is for tunnel destination traffic (going to host 10.2.0.2) from the remote router. I need to make that traffic not flow across the gre tunnel to prevent recursive probs - or the Interent. I am assuming that I need to "push" it into the IPSec tunnel; but not into the GRE tunnel - is that correct? If so, exactly how does one accomplish that?

I am attaching the partial configs as they sit now. The pix is v6.3(1), the routers are running 12.2 inside and 12.3 outside. This is still on the bench so the hardware/IOS can change if needed.

Sorry to be so long winded; but I have reached the point of thrashing on this.

Thank you in advance for any guidance here!

Nick
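Added example (my code, not from the original post, the Cisco document, or any PIX/IOS source): the question above turns on what the PIX sees once the ESP wrapper is gone and which of the two ACL wordings matches that packet. The script below builds a constructed GRE-over-IP packet using the thread's addresses (remote LAN 10.2.32.0/20 behind tunnel endpoint 9.0.0.2, hub LAN 10.2.0.0/20 behind 10.255.240.2, and a sample ICMP echo that I made up), parses the layers the way the firewall and then the inside router would, and evaluates both ACL wordings against each layer. The ACL matcher is a simplified first-match model of Cisco ACL semantics written for this demonstration, not an implementation of PIX behaviour.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header: version 4, IHL 5, no options, checksum left at 0."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_gre(inner):
    """Basic GRE header (RFC 2784): no checksum/key/sequence, IPv4 payload."""
    return struct.pack("!HH", 0x0000, ETHERTYPE_IPV4) + inner


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    return {
        "src": ipaddress.IPv4Address(buf[12:16]),
        "dst": ipaddress.IPv4Address(buf[16:20]),
        "proto": buf[9],
        "payload": buf[ihl:total_len],
    }


def decapsulate_gre(pkt):
    """What the GRE endpoint does: strip the GRE header, parse the inner IP packet."""
    if pkt["proto"] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", pkt["payload"][:4])
    if flags & 0xB000:  # C, K or S bit set: optional GRE fields, not handled here
        raise ValueError("GRE optional fields not supported")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("non-IPv4 GRE payload")
    return parse_ipv4(pkt["payload"][4:])


def acl_match(acl, pkt):
    """First-match lookup over (action, proto, src_prefix, dst_prefix) entries.

    Returns the index of the first matching entry, or None (implicit deny).
    Protocol 'ip' matches any IP protocol, as in Cisco ACL syntax."""
    for i, (_action, proto, src, dst) in enumerate(acl):
        want = PROTO_NUMBERS[proto]
        if want is not None and want != pkt["proto"]:
            continue
        if pkt["src"] in ipaddress.ip_network(src) and pkt["dst"] in ipaddress.ip_network(dst):
            return i
    return None


# The two ACL wordings from the question, written against the thread's addresses.
ACL_LAN_TO_LAN = [("permit", "ip", "10.2.32.0/20", "10.2.0.0/20")]
ACL_GRE_ENDPOINTS = [("permit", "gre", "9.0.0.2/32", "10.255.240.2/32")]


def constructed_gre_packet():
    """Constructed sample: an ICMP echo from a remote host to a hub host, carried in
    GRE between the tunnel endpoints. This is what is left once ESP is removed."""
    icmp_echo = b"\x08\x00\x00\x00\x00\x01\x00\x01"  # type 8, code 0, checksum not computed
    inner = build_ipv4("10.2.32.10", "10.2.0.10", PROTO_NUMBERS["icmp"], icmp_echo)
    return build_ipv4("9.0.0.2", "10.255.240.2", GRE_PROTO, build_gre(inner))


def evaluate(raw):
    outer = parse_ipv4(raw)          # seen by the firewall after IPsec decapsulation
    inner = decapsulate_gre(outer)   # seen by the inside router after GRE decapsulation
    return {
        "firewall_sees": (str(outer["src"]), str(outer["dst"]), outer["proto"]),
        "router_sees": (str(inner["src"]), str(inner["dst"]), inner["proto"]),
        "outer_vs_lan_to_lan": acl_match(ACL_LAN_TO_LAN, outer),
        "outer_vs_gre_endpoints": acl_match(ACL_GRE_ENDPOINTS, outer),
        "inner_vs_lan_to_lan": acl_match(ACL_LAN_TO_LAN, inner),
    }


if __name__ == "__main__":
    for key, value in evaluate(constructed_gre_packet()).items():
        print(f"{key}: {value}")
```

The decrypted packet the firewall sees is protocol 47 from 9.0.0.2 to 10.255.240.2; a "permit ip [local network] [remote network]" entry matches it only if both tunnel endpoints happen to fall inside those networks, whereas "permit gre host [src] host [dst]" matches it directly, and the LAN-to-LAN entry matches only the inner packet after the router has stripped GRE. Two caveats that the thread itself raises: "access-list nonat" applied with "nat (inside) 0" is a NAT-exemption list, not a filter, and on PIX 6.x "sysopt connection permit-ipsec" (present in the posted PIX config) lets traffic arriving through an IPsec tunnel bypass the interface ACL check altogether.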

8 Replies

4dmcintyre
Level 1

Check your pix config verify that you have a 'nat (inside) 0 access-list nonat' present.

I quickly reviewed the pix config and didn't see it. I think you might be missing it.

Thank you, you're right - I had missed that. I corrected it; but apparently that isn't the only problem with my configs because packets still aren't flowing - although they sure have a better chance now!

Nick

Nick,

If you're still having problems, have a look at this; it describes a solution that matches your requirement.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml

Andy

Thank you Andy, I had been using that example - and was just missing a couple lines of config in my interpretation of it. I did finally resolve it last Friday with TAC's assistance. Thank you for the reply.

Nick

Hello,

I have just found your conversation. We are currently trying to resolve the same problem. Could you please provide us with the solution of the problem? Thank you very much in advance.

mishak

havlicek@agcom.cz

ROBERT DERY
Level 1

What was the resolution for this issue, as I am experiencing the same issue?

Hi, sorry for not posting this sooner. I am listing the configs below which should explain my end solution. I am also attaching a rather sorry sketch of my lab layout. I am not including the configs for my "simulated Internet" - it just emulates the ISP side of things.

One of the tunnel addresses was cut off in the scan - they are both 172.16.x.x.

Regards,

Nick

PIX - terminates IPSec tunnel:

tunnelpix# sh run
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname tunnelpix
access-list outside_access_in permit udp host 9.0.0.2 host 242.236.137.103 eq isakmp
access-list outside_access_in permit esp host 9.0.0.2 host 242.236.137.103
pager lines 24
ip address outside 242.236.137.104 255.255.255.248
ip address inside 10.255.240.1 255.255.255.252
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 242.236.137.103 10.255.240.2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 242.236.137.105 1
route inside 10.2.0.0 255.255.240.0 10.255.240.2 1
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp enable outside
: end
tunnelpix#

Inside Router -terminates GRE:

1605#
IOS (tm) 1600 Software (C1600-OSY56I-M), Version 12.1(22), RELEASE SOFTWARE (fc4)
ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)
ROM: 1600 Software (C1600-RBOOT-R), Version 12.0(3)T, RELEASE SOFTWARE (fc1)
System image file is "flash:c1600-osy56i-mz.121-22.bin"

1605#sh run
!
version 12.1
!
hostname 1605
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxx address 9.0.0.2
!
crypto ipsec transform-set transet_1 esp-des esp-md5-hmac
!
crypto map map_1 10 ipsec-isakmp
 set peer 9.0.0.2
 set transform-set transet_1
 match address 105
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Ethernet1
 tunnel destination 9.0.0.2
 crypto map map_1
!
interface Ethernet0
 ip address 10.2.0.1 255.255.240.0
!
interface Ethernet1
 ip address 10.255.240.2 255.255.255.252
 no ip route-cache
 no ip mroute-cache
 crypto map map_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.255.240.1
ip route 10.2.32.0 255.255.240.0 Tunnel0
!
access-list 105 permit gre host 10.255.240.2 host 9.0.0.2
!
end

Remote site router -terminates both GRE and IPSec:

remote#sh ver
IOS (tm) C1700 Software (C1700-ADVSECURITYK9-M), Version 12.3(5a), RELEASE SOFTWARE (fc1)
System image file is "flash:c1700-advsecurityk9-mz.123-5a.bin"

remote#sh run
!
version 12.3
!
hostname remote
!
ip cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key xxxxx address 242.x.x.103
!
crypto ipsec transform-set transet_1 esp-des esp-md5-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto map map_1 10 ipsec-isakmp
 set peer 242.236.137.103
 set transform-set transet_1
 match address 105
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0.1
 tunnel destination 10.255.240.2
!
interface FastEthernet0
 ip address 10.2.32.1 255.255.240.0
 speed auto
 half-duplex
!
interface Serial0
 no ip address
 encapsulation frame-relay
!
interface Serial0.1 point-to-point
 description To Remote LAN via Internet
 ip address 9.0.0.2 255.255.255.252
 frame-relay interface-dlci 20 CISCO
 crypto map map_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 9.0.0.1
ip route 10.2.0.0 255.255.240.0 Tunnel0
!
access-list 105 permit gre host 9.0.0.2 host 10.255.240.2
!
end
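Added example (my code, not Nick's, TAC's or Cisco's): a small Python checker that reads the lines of the three configs above that actually decide whether the tunnel comes up, and verifies they agree with each other. In the posted configs the remote router's IPsec peer is 242.236.137.103, which the PIX static maps to the inside router's 10.255.240.2 (the PIX config itself carries no crypto map), the PIX outside ACL permits ISAKMP and ESP from 9.0.0.2 to that global address, and both GRE endpoints use the addresses 9.0.0.2 and 10.255.240.2 inside the crypto ACLs. The config strings are trimmed copies of the posted ones, the parser understands only the commands used here, and the test case with a mis-set tunnel destination is one I constructed.

```python
import re

# Relevant lines lifted from the three configs posted above (trimmed to what the checker reads).
PIX_CFG = """\
access-list outside_access_in permit udp host 9.0.0.2 host 242.236.137.103 eq isakmp
access-list outside_access_in permit esp host 9.0.0.2 host 242.236.137.103
static (inside,outside) 242.236.137.103 10.255.240.2 netmask 255.255.255.255 0 0
"""
HUB_CFG = """\
crypto map map_1 10 ipsec-isakmp
 set peer 9.0.0.2
 match address 105
interface Tunnel0
 tunnel source Ethernet1
 tunnel destination 9.0.0.2
interface Ethernet1
 ip address 10.255.240.2 255.255.255.252
access-list 105 permit gre host 10.255.240.2 host 9.0.0.2
"""
REMOTE_CFG = """\
crypto map map_1 10 ipsec-isakmp
 set peer 242.236.137.103
 match address 105
interface Tunnel0
 tunnel source Serial0.1
 tunnel destination 10.255.240.2
interface Serial0.1 point-to-point
 ip address 9.0.0.2 255.255.255.252
access-list 105 permit gre host 9.0.0.2 host 10.255.240.2
"""

def parse_ios(text):
    """Extract tunnel endpoints, crypto peer and the GRE crypto ACL from an IOS config.
    Only the commands used in this thread are understood."""
    cfg = {"if_ip": {}, "gre_acls": {}}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            section = line                      # a top-level command starts a new section
        m_if = re.match(r"interface (\S+)", section)
        if m_if:
            m = re.match(r"ip address (\S+) \S+", line)
            if m:
                cfg["if_ip"][m_if.group(1)] = m.group(1)
            m = re.match(r"tunnel (source|destination) (\S+)", line)
            if m:
                cfg["tunnel_" + m.group(1)] = m.group(2)
        elif section.startswith("crypto map"):
            m = re.match(r"set peer (\S+)", line)
            if m:
                cfg["peer"] = m.group(1)
            m = re.match(r"match address (\S+)", line)
            if m:
                cfg["crypto_acl"] = m.group(1)
        m = re.match(r"access-list (\S+) permit gre host (\S+) host (\S+)", line)
        if m:
            cfg["gre_acls"][m.group(1)] = (m.group(2), m.group(3))
    # 'tunnel source' may name an interface; resolve it to that interface's address.
    cfg["tunnel_source_ip"] = cfg["if_ip"].get(cfg["tunnel_source"], cfg["tunnel_source"])
    cfg["gre_pair"] = cfg["gre_acls"].get(cfg["crypto_acl"])
    return cfg

def parse_pix(text):
    """Extract static translations (global -> local) and host-to-host ISAKMP/ESP permits."""
    cfg = {"static": {}, "permits": set()}
    for line in text.splitlines():
        m = re.match(r"static \(inside,outside\) (\S+) (\S+) netmask", line)
        if m:
            cfg["static"][m.group(1)] = m.group(2)
        m = re.match(r"access-list \S+ permit (udp|esp) host (\S+) host (\S+)(?: eq (\S+))?", line)
        if m:  # ('isakmp', src, dst) for the udp line, ('esp', src, dst) for the esp line
            cfg["permits"].add((m.group(4) or m.group(1), m.group(2), m.group(3)))
    return cfg

def check_design(pix, hub, remote):
    """Return a list of mismatches; an empty list means the three configs agree."""
    problems = []
    if remote["tunnel_destination"] != hub["tunnel_source_ip"]:
        problems.append(f"remote tunnel destination {remote['tunnel_destination']} != hub tunnel source {hub['tunnel_source_ip']}")
    if hub["tunnel_destination"] != remote["tunnel_source_ip"]:
        problems.append(f"hub tunnel destination {hub['tunnel_destination']} != remote tunnel source {remote['tunnel_source_ip']}")
    for name, r in (("remote", remote), ("hub", hub)):
        if r["gre_pair"] != (r["tunnel_source_ip"], r["tunnel_destination"]):
            problems.append(f"{name} crypto ACL {r['gre_pair']} does not match its own GRE endpoints")
    # The remote peers with the PIX global address; the static must map it to the hub GRE endpoint.
    if pix["static"].get(remote["peer"]) != hub["tunnel_source_ip"]:
        problems.append(f"PIX static for {remote['peer']} does not map to {hub['tunnel_source_ip']}")
    if hub["peer"] != remote["tunnel_source_ip"]:
        problems.append(f"hub crypto peer {hub['peer']} != remote address {remote['tunnel_source_ip']}")
    for proto in ("isakmp", "esp"):
        if (proto, remote["tunnel_source_ip"], remote["peer"]) not in pix["permits"]:
            problems.append(f"PIX outside ACL does not permit {proto} from {remote['tunnel_source_ip']} to {remote['peer']}")
    return problems

def check_posted_configs():
    return check_design(parse_pix(PIX_CFG), parse_ios(HUB_CFG), parse_ios(REMOTE_CFG))

if __name__ == "__main__":
    print(check_posted_configs() or "configs agree")
```

Run as-is it reports that the posted configs agree. Changing the remote's "tunnel destination" to the public 242.236.137.103 instead of the inside 10.255.240.2 (a natural mistake when moving from a router-terminated to a firewall-fronted design) makes the checker flag both the endpoint mismatch and the crypto ACL that no longer covers the router's own GRE packets, which is exactly the kind of "IPsec is up but nothing flows" symptom described at the top of the thread.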

Hi Nick, thanks for the info as it will help with what I wanted to do.

Bob
