topic Re: GRE on ASA 5510 in Network Security

GRE on ASA 5510

tanziweigca — Wed, 13 Mar 2019 00:54:32 GMT

Hi Hi to all,

I am trying to create GRE tunnels over IPSec using ASA 5510. Before our company purchased the appliance, we were told that 5510 does supports GRE and configurations can be done to it to create the tunnel. I had been searching around the net for information on how to create the tunnels but so far, not much information had been gathered. Does anyone know about whether 5510 does indeed support GRE/IPSEC tunnels and any resources are available on how to configure them?

Thanks a lot in advance and Happy Holidays!!

Tan

Re: GRE on ASA 5510

JORGE RODRIGUEZ — Tue, 25 Dec 2007 17:28:13 GMT

Tan, PIX/ASA does support GRE but as a pass through, today I am not aware you can terminate GRE tunnel on PIX/ASA . The solution would probably be to terminate the tunnel on another cisco device other than the ASA but let GRE pass through, you could also consider L2L vpn.

Rgds

Jorge

Re: GRE on ASA 5510

tanziweigca — Thu, 27 Dec 2007 12:55:34 GMT

Hello Jorge,

Thanks for the information.

So I presumed that ASA 5510 cannot support GRE exactly as a termination endpoint. Rather, it can only allow pass through, NOT creating/generating tunnels from the device directly?

Thanks,

Tan

Re: GRE on ASA 5510

JORGE RODRIGUEZ — Thu, 27 Dec 2007 13:32:38 GMT

Tan that is correct, you cannot terminate a GRE tunnel neither in PIX nor in ASA.

Rgds

Jorge

Re: GRE on ASA 5510

fropert — Tue, 01 Jan 2008 12:43:30 GMT

Hello,

Jorge is right. ASA can't terminated a GRE tunnel.

Here's an example of configuration to make your ASA GRE tunnel passthrough in the case of you have an ISR router (or other...) which sits behind an ASA:

access-list outside_access_in line 13 extended permit gre 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0

Replace 0.0.0.0 with things more specific of your network if you are concerned with this issue.

Happy new year

Re: GRE on ASA 5510

tanziweigca — Wed, 02 Jan 2008 02:08:38 GMT

Hello Fropert,

Thanks for the reply. I am still not sure on how to configure it and perhaps you can provide some insight to it.

3800 Router <---> ASA 5510 <---> DMZ server

The setup of the infrastructure is as above and IPSEC/GRE tunnel need to be established in order for the DMZ server to communicate with other machines on the Internet. I do not know how to configure the tunnel at all and I had all along presume that the ASA will be the termination point for the tunnel. Can you provide some insight on how to get the tunnel up and running with such a design?

Many thanks for your help and Happy New Year to you.

Tan

Re: GRE on ASA 5510

royalblues — Wed, 02 Jan 2008 15:40:46 GMT

You can configure site to site IPSEC VPN between the security devices and ensure that the server traffic is part of the interesting traffic that initiates the tunnel

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml

HTH

Narayan

Re: GRE on ASA 5510

tanziweigca — Thu, 03 Jan 2008 12:08:34 GMT

Hi,

Thanks for all the reply so far. So far, trying to use ASA to initiate the tunnel DOES NOT work at all. Therefore, I think I will have to change the setup. Currently had changed to the followings.

ISP <--> Cisco 3800 router <--> ASA 5510 <--> Switch <--> Server

I think the portion on the switch and server should not be an issue at all. However, if I initiated the GRE tunnel from the 3800 router, will it flow through ASA 5510 to the server itself? I am still very blurred on this and some other areas and any help on the matter is greatly appreciated.

Thanks,

Tan

Re: GRE on ASA 5510

Rick Morris — Fri, 04 Jan 2008 16:24:26 GMT

you might want to look into L2TP

This might do what you need. It can be built outside of the PIX and ASA. It can be a little tricky to understand but once you get it you will like it. We use it for high availabilty in our Email. We have 2 front end servers, one in our corporate office and one in our data center, no matter which server is being used we always have connectivity and it is done through the psuedowire in the L2TP config set-up, little more complex than the generic routing, GRE, but still might provide what you are looking for.