New Member

ASA SW ver8.0 doesn't allow to create GRE NOnat access list

I've upgraded to ASA 8.0 SW and now can't create a GRE tunnel from the inside VPN Rtr to the other branch's inside Rtr.

Scheme: RTR===ASA80-----{Internet}-----ASA80===RTR

Writing NONAT and CRYPTO access-lists with GRE conditions is possible: that's OK!

But applying the cmd:

#nat (inside) 0 access-list NONAT

results in the "ERROR: access-list has protocol or port" msg.

I attempted to downgrade to 7.x SW

but the ERROR msg is repeated.

How can I create a GRE-IPSEC tunnel between two branch routers over an ASA-to-ASA crypto tunnel?



Re: ASA SW ver8.0 doesn't allow to create GRE NOnat access list

Generic routing encapsulation (GRE) tunneling is a more appropriate choice. In this example, the Cisco 2621 and 3660 routers are the IPsec tunnel endpoints that join two private networks, with conduits or access control lists (ACLs) on the PIX in between in order to allow the IPsec traffic. For configuration refer to

New Member

Re: ASA SW ver8.0 doesn't allow to create GRE NOnat access list

I use GRE-NHRP-IPSEC tunnels between routers in some branches and the Head office following the DMVPN scheme (dynamic point-to-multipoint VPN across IPSec crypto).

But I need to strengthen security across the Internet with an ASA5510 for the center and 5505s for the branches.

The connection scheme of the ASA devices is point-to-multipoint too.

And I upgraded the ASA SW image to Ver 8.0.2 for EIGRP support etc.

But unfortunately this SW ver is faulty and doesn't allow the use of point-to-multipoint Site-to-Site connections.

Now I have DOWNgraded the ASA images from Ver 8.0.2 to Ver 7.2.2 (default) and ALL IS WORKING FINE!!!!
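
Added example, not part of any post in this thread: the error quoted in the question ("access-list has protocol or port") is raised when the ACL bound to `nat (inside) 0 access-list` names a protocol such as `gre` or a port. The Python check below flags such entries before a config is applied. The sample config, its addresses, and the function name `find_bad_nat_exemptions` are constructed for illustration.

```python
import re

# Constructed sample config; ACL names follow the thread, addresses are made up.
SAMPLE_CONFIG = """\
access-list NONAT extended permit gre host 10.1.1.2 host 10.2.2.2
access-list NONAT_IP extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list CRYPTO extended permit gre host 10.1.1.2 host 10.2.2.2
access-list WEB extended permit tcp any host 10.1.1.5 eq 80
nat (inside) 0 access-list NONAT
nat (dmz) 0 access-list NONAT_IP
"""

# Simplified grammar: plain protocol keyword only, remark lines are skipped.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")
PORT_OPS = {"eq", "lt", "gt", "neq", "range"}


def find_bad_nat_exemptions(config):
    """Return (interface, acl, line) for every entry of an ACL bound to
    'nat (if) 0 access-list' that names a protocol other than ip or a port."""
    aces = {}   # ACL name -> [(line, protocol, has_port_operator)]
    nat0 = []   # [(interface, ACL name)]
    for raw in config.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, _action, proto, rest = m.groups()
            has_port = bool(PORT_OPS & set(rest.split()))
            aces.setdefault(name, []).append((line, proto.lower(), has_port))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append(m.groups())
    findings = []
    for iface, acl in nat0:
        for line, proto, has_port in aces.get(acl, []):
            if proto != "ip" or has_port:
                findings.append((iface, acl, line))
    return findings


if __name__ == "__main__":
    # CRYPTO and WEB are not bound to 'nat 0', so only NONAT is reported.
    for iface, acl, line in find_bad_nat_exemptions(SAMPLE_CONFIG):
        print(f"nat ({iface}) 0 -> {acl}: {line}")
```
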