Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
336
Views
0
Helpful
1
Replies

PIX-to-PIX GRE one way only

networkcar.com
Level 1
Level 1

‎08-20-2007 02:15 PM

I have configured a GRE tunnel between two routers that are each behind PIX firewalls. I have setup a VPN to encrypt all IP traffic between the routers.

The GRE traffic is only flowing from router A to router B.

I can ping from router A to router B and vice versa. I've verified that those pings are going out via the vpn by doing a 'show ipsec sa' and watching the counters. I have also verified that the GRE tunnel keepalives are being sent by both routers but only router A's packets are making it across. Router B receives A's keep-alives but A does not receive B's.

I did a capture on pix B to verify that the GRE packets from router B are making it to the PIX correctly.

I do not have any specific rules anywhere, on either PIX, or either router for gre. The access-list rule looks like this:

access-list tunnel extended permit ip xx.xx.198.40 255.255.255.252 xx.xx.198.44 255.255.255.252

When I do a 'packet-tracer' on pix B I see that everything but GRE goes out the VPN but all I get for GRE is:

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found flow with id 2696171, using existing flow

Result:

input-interface: inside

input-status: up

input-line-status: up

Action: allow

I have no idea how to view details on flow id 2696171.

Any ideas?

Labels:
0 Helpful
1 Reply 1

irisrios
Level 6
Level 6

‎08-24-2007 01:25 PM

What pix version are you using?

0 Helpful
Customers Also Viewed These Support Documents