https://community.cisco.com/t5/network-security/gre-alternatives-for-pix/m-p/54157#M623524 <HTML><HEAD></HEAD><BODY><P>Looks like that might work.</P><P></P><P>Thanks!</P><P>Diego</P><P></P></BODY></HTML> Fri, 27 Sep 2002 13:34:43 GMT tato386 2002-09-27T13:34:43Z https://community.cisco.com/t5/network-security/gre-alternatives-for-pix/m-p/54155#M623521 <P>I need to design a VPN network around a PIX 515E hub site and IOS routers at the remote sites. In the past, I have designed VPN networks using only IOS routers. I like to use IPSec encrypted GRE tunnels so that I can run RIP over the VPN and also so that I can create default routes for Internet traffic via the GRE tunnel interfaces to route traffic thru centralized URL monitoring and filtering devices. I was told that the PIX does not support GRE. How can I do the above without GRE? What are my alternatives?</P><P></P><P>Thanks,</P><P>Diego</P><P> </P> Fri, 21 Feb 2020 06:16:26 GMT https://community.cisco.com/t5/network-security/gre-alternatives-for-pix/m-p/54155#M623521 tato386 2020-02-21T06:16:26Z https://community.cisco.com/t5/network-security/gre-alternatives-for-pix/m-p/54156#M623523 <HTML><HEAD></HEAD><BODY><P>Diego,</P><P>The pix just doesn't support termination of GRE tunnels. However, you can terminate your GRE tunnels on a router inside of your pix.</P><P>ie. router-------pix---------Internet-------------router</P><P> gre---------------------------------------------gre (from router to router)</P><P> ----------------&gt; ipsec-----------------------------ipsec (from pix to router)</P><P></P><P>The ipsec tunnel on the pix uses the gre traffic as the interesting traffic.</P><P>Here's a doc that shows you how to do it:</P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html#diagram" target="_blank">http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html#diagram</A></P><P>HTH</P><P>Jeff</P><P></P></BODY></HTML> Thu, 26 Sep 2002 23:38:24 GMT https://community.cisco.com/t5/network-security/gre-alternatives-for-pix/m-p/54156#M623523 jekrauss 2002-09-26T23:38:24Z https://community.cisco.com/t5/network-security/gre-alternatives-for-pix/m-p/54157#M623524 <HTML><HEAD></HEAD><BODY><P>Looks like that might work.</P><P></P><P>Thanks!</P><P>Diego</P><P></P></BODY></HTML> Fri, 27 Sep 2002 13:34:43 GMT https://community.cisco.com/t5/network-security/gre-alternatives-for-pix/m-p/54157#M623524 tato386 2002-09-27T13:34:43Z https://community.cisco.com/t5/network-security/gre-alternatives-for-pix/m-p/54158#M623525 <HTML><HEAD></HEAD><BODY><P>Jeff:</P><P></P><P>After looking at that article more closely I see something that might be a problem. The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. The GRE endpoints would have to reference public IPs. This in turn means that the PIXes would have to do some NAT. So the question becomes can the PIX correctly encrypt packets that are being sent to a NATed address. At best, this would complicate the PIX config quite a bit. What about having the internal router with one interface on the DMZ and one on the private network. Wouldn't that be easier?</P><P></P><P>Thanks,</P><P>Diego</P></BODY></HTML> Tue, 08 Oct 2002 19:36:21 GMT https://community.cisco.com/t5/network-security/gre-alternatives-for-pix/m-p/54158#M623525 tato386 2002-10-08T19:36:21Z