09-26-2002 10:57 AM - edited 02-20-2020 10:16 PM
I need to design a VPN network around a PIX 515E hub site and IOS routers at the remote sites. In the past, I have designed VPN networks using only IOS routers. I like to use IPSec encrypted GRE tunnels so that I can run RIP over the VPN and also so that I can create default routes for Internet traffic via the GRE tunnel interfaces to route traffic through centralized URL monitoring and filtering devices. I was told that the PIX does not support GRE. How can I do the above without GRE? What are my alternatives?
Thanks,
Diego
09-26-2002 04:38 PM
Diego,
The PIX just doesn't support termination of GRE tunnels. However, you can terminate your GRE tunnels on a router inside of your PIX.
i.e.  router-------PIX---------Internet-------------router
      gre---------------------------------------------gre    (from router to router)
                   ipsec------------------------------ipsec  (from PIX to router)
The IPsec tunnel on the PIX uses the GRE traffic as the interesting traffic.
Here's a doc that shows you how to do it:
http://www.cisco.com/warp/public/707/gre_ipsec_ospf.html#diagram
HTH
Jeff
09-27-2002 06:34 AM
Looks like that might work.
Thanks!
Diego
10-08-2002 12:36 PM
Jeff:
After looking at that article more closely, I see something that might be a problem. The GRE tunnel is being created over the Internet. However, each router references the other router's internal interface with its private IP. Obviously this would not work. The GRE endpoints would have to reference public IPs. This in turn means that the PIXes would have to do some NAT. So the question becomes: can the PIX correctly encrypt packets that are being sent to a NATed address? At best, this would complicate the PIX config quite a bit. What about having the internal router with one interface on the DMZ and one on the private network? Wouldn't that be easier?
Thanks,
Diego
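As an added illustration of the design Jeff describes (inside router terminating GRE, PIX terminating IPsec with the GRE traffic as the interesting traffic) and of the NAT point Diego raises in the last post, here is example configuration written for this page. It is not taken from the thread or from the linked Cisco document. All addresses, interface names, the transform-set name and the pre-shared-key placeholder are assumptions; the syntax is PIX 6.x era and IOS of the same vintage. The hub PIX gives the inside router a one-to-one static translation so the remote router can point its tunnel destination at a public address. Because the PIX evaluates the crypto map after translation, the PIX crypto access list names the translated (global) address, and the remote router's crypto access list mirrors it.

```cisco
! ===== Hub PIX 515E (PIX 6.x syntax; all addresses assumed) =====
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
! One-to-one static: the inside router's GRE source 10.1.1.2 is seen
! from the Internet as 203.0.113.2 (assumed public address).
static (inside,outside) 203.0.113.2 10.1.1.2 netmask 255.255.255.255
! Interesting traffic = GRE (IP protocol 47) between the tunnel endpoints.
! The crypto map is applied after NAT, so the TRANSLATED address is used.
access-list gre-to-site2 permit gre host 203.0.113.2 host 198.51.100.2
! Let decrypted IPsec traffic in without a separate outside access-list.
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address gre-to-site2
crypto map vpn 10 set peer 198.51.100.2
crypto map vpn 10 set transform-set ESP-3DES-SHA
crypto map vpn interface outside
isakmp enable outside
isakmp key REPLACE-WITH-PSK address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! ===== Hub inside router (IOS), terminates GRE only =====
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
!
! GRE toward the remote site leaves through the PIX, which encrypts it.
ip route 0.0.0.0 0.0.0.0 10.1.1.1

! ===== Remote router (IOS), terminates both IPsec and GRE =====
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Mirror of the PIX crypto list: GRE from me to the hub's translated address.
access-list 101 permit gre host 198.51.100.2 host 203.0.113.2
!
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address 101
!
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map vpn
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
!
router rip
 version 2
 network 172.16.0.0
 network 192.168.2.0
!
! Default route into the tunnel hauls the LAN's Internet traffic to the hub
! (for the central URL filtering), but the hub's public network must stay
! reachable via the ISP next hop (198.51.100.1 assumed) so the tunnel
! destination and IPsec peer are never routed into the tunnel itself.
ip route 203.0.113.0 255.255.255.0 198.51.100.1
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

Two things to check when bringing this up: on the PIX, `show crypto ipsec sa` should show the GRE flow with the translated 203.0.113.2 endpoint, not 10.1.1.2, which confirms the crypto list is being matched post-NAT; and on the remote router, the more specific route to the hub's public range must exist before the default route points at Tunnel0, otherwise IOS detects the tunnel destination being reached through the tunnel, flags recursive routing and brings the tunnel down.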