Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Firewalls Community

Frequent Contributor

GRE tunnel to routers behind ASA NAT

I am having trouble setting up a basic GRE (no encryption) between two routers that are in turn behind ASA devices.  Setup looks like this:

Rtr1 <-> ASA1 <-> Inet <-> ASA2 <-> Rtr2

I have done the following:

1) each router has a static NAT on the ASA which NATs router's private LAN IP to a public IP.
2) I have a permit any IP rule on both ASAs to permit all traffic to the routers
3) I use the routers private IP as tunnel source and the opposite routers public IP as tunnel destination

I can ping and telnet from each router's private IP to the other router's public IP.

After doing this I cannot ping the remote tunnel IP even when sourcing from the local tunnel IP.

I suspect that some configuration setting on ASA1 is causing the problem. So I do the following test:

I setup Rtr3 at a 3rd site behind a PIX (not ASA) and setup static NAT and allow all rules like the ASAs. Then I configure GRE tunnels to Rtr1 and Rtr2 and test with pings and telnet to make sure basic are correct.  I find that the tunnel from Rtr3 to Rtr2 works perfectly but the tunnel from Rtr3 to Rtr1 does not work and has the same symptons as the original Rtr1<->Rtr2 tunnel.

So I am pretty sure there is something wrong with ASA1 config but I can't see it when I compare it to ASA2.  I figure I need to do some debugs but I am not sure what to debug since traffic from public to pubic IP seems to be working.

Any ideas?



GRE tunnel to routers behind ASA NAT

Hi Bro

You'll need to configure ACLs in ASA1 and ASA2 to permit GRE protocol to pass through. Just because you've permitted IP ANY ANY, that doesn't mean GRE is included under IP.

// Sample Config

FW(config)# access-list outside permit gre host host

Let me know how it goes.

Warm regards,
Ramraj Sivagnanam Sivajanam
Frequent Contributor

GRE tunnel to routers behind ASA NAT

I'm afraid I must disagree.  Rtr2 has IP allowed and it works with Rtr3.  GRE is actually IP protcol 47.  The packet trace utility confirms that IP protocol 47 should be successfull.  In any case I added allow GRE ahead of allow IP and still no joy.

I also found another reason to distrust ASA1.  As an experiment, I changed the outside/public address to another free IP in the block and ALL communication to Rtr1 including ping and telnet stopped working!  This is a confirmed free IP from the public block and it doesn't work for any type of communication at all.  I see no other device or NAT using this 2nd public IP.  As soon as I returned to the orginal public IP I got pings and telnet to work but still no GRE to Rtr2.  Very weird.

Still looking for help with some useful debug commands.  I find the ASA debug stuff to be quite dificult for me to get working..



Frequent Contributor

GRE tunnel to routers behind ASA NAT

ARRRGGHHHH!  A reboot of ASA1 fixed the problem.  Sorry for any inconvenience I may have caused.


CreatePlease to create content
Content for Community-Ad
FusionCharts will render here