https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367973#M674216 <HTML><HEAD></HEAD><BODY><P>There is no inspection for GRE on ASA. The GRE packet will just be passed through the ASA.</P><P>Hope that helps.</P></BODY></HTML> Sun, 04 Apr 2010 00:12:57 GMT Jennifer Halim 2010-04-04T00:12:57Z https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367972#M674215 <P>How is packet inspection affected (if at all) on an ASA, when the packet is encapsulated with GRE?</P><P></P><P>Thank you</P> Mon, 11 Mar 2019 17:28:50 GMT https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367972#M674215 drehobljs 2019-03-11T17:28:50Z https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367973#M674216 <HTML><HEAD></HEAD><BODY><P>There is no inspection for GRE on ASA. The GRE packet will just be passed through the ASA.</P><P>Hope that helps.</P></BODY></HTML> Sun, 04 Apr 2010 00:12:57 GMT https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367973#M674216 Jennifer Halim 2010-04-04T00:12:57Z https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367974#M674217 <HTML><HEAD></HEAD><BODY><P>Are you talking about pptp inspection?</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721656">http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/i2.html#wp1721656</A></P><P></P><P><SPAN class="content">When enabled, PPTP application inspection inspects PPTP protocol packets and dynamically creates the GRE connections and xlates necessary to permit PPTP traffic.</SPAN></P><P></P><P>If you are talking about just GRE, it is IP protocol 47 and will be allowed if permitted via ACL just like any other traffic. There is no inspection specifically for it.</P><P></P><P>-KS</P></BODY></HTML> Sun, 04 Apr 2010 03:20:22 GMT https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367974#M674217 Kureli Sankar 2010-04-04T03:20:22Z https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367975#M674218 <HTML><HEAD></HEAD><BODY><P>I am talking about just GRE.&nbsp; For example... If I tell the ASA that I don't want specified PTP protocols passing through, but there is ptp tunneled through http, the firewall will see that (hence application layer inspection), and will drop the packet.</P><P></P><P></P><P>So.. if I permit GRE, but block, say TFTP, will the firewall drop a packet that has a GRE encapsulated TFTP request?</P></BODY></HTML> Sun, 04 Apr 2010 16:44:15 GMT https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367975#M674218 drehobljs 2010-04-04T16:44:15Z https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367976#M674219 <HTML><HEAD></HEAD><BODY><P>Jeff</P><P></P><P>No it won't because the firewall has no idea of what is encapsulated with the GRE tunnel. This is one of the main reasons it is recommended not to allow GRE tunnels through your firewall.</P><P></P><P>Jon</P><P><EM><BR /></EM></P><P><EM>Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.</EM></P></BODY></HTML> Sun, 04 Apr 2010 21:48:36 GMT https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367976#M674219 Jon Marshall 2010-04-04T21:48:36Z https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367977#M674220 <HTML><HEAD></HEAD><BODY><P>Firewall will not block TFTP if you deny TFTP when it is encpsulated within the GRE packet.&nbsp; Anything within the GRE packet, the firewall will not know.</P><P>Jon has already cofirmed that for you.</P><P></P><P>-KS</P></BODY></HTML> Sun, 04 Apr 2010 23:01:36 GMT https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367977#M674220 Kureli Sankar 2010-04-04T23:01:36Z https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367978#M674221 <HTML><HEAD></HEAD><BODY><P>Thanks for the response.&nbsp; Any chance this will change in the future?&nbsp; Seams pretty weak to me.</P></BODY></HTML> Mon, 05 Apr 2010 05:54:32 GMT https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367978#M674221 drehobljs 2010-04-05T05:54:32Z https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367979#M674222 <HTML><HEAD></HEAD><BODY><P>Don't think it will change in the near future. You might want to contact your Cisco account manager for the feature request.</P></BODY></HTML> Mon, 05 Apr 2010 05:57:14 GMT https://community.cisco.com/t5/network-security/gre-inspection/m-p/1367979#M674222 Jennifer Halim 2010-04-05T05:57:14Z