12-17-2003 07:35 AM - edited 02-20-2020 11:09 PM
Hi Sir,
Need to confirm whether the Cisco PIX Firewall supports GRE pass-through?
If yes, what model of PIX Firewall and PIX image version do I need to use?
As I understand from RFC 1071 & 1072, the IP Protocol type is 47.
Need your help as soon as possible.
Thanks,
Raymond Hew
12-17-2003 09:28 AM
Hi,
Yes, the Cisco PIX firewall can serve as a GRE pass-through device. The PIX cannot terminate or initiate any GRE traffic, but with the proper translations and access allowed, GRE traffic will pass through the PIX. All models and software support allowing GRE (protocol 47) through the PIX. Hope this helps.
Scott
12-17-2003 04:52 PM
Hi Scott,
How about the L2TP tunnel over the PIX firewall? I assume it should also pass through without any problem.
What IP protocol type does L2TP use?
In my customer scenario, they are going to put two PIX firewalls in between the routers soon; at the moment I have enabled them with GRE without a firewall in between.
Thanks in advance,
Raymond Hew.
12-17-2003 09:36 AM
If you are looking at passing IPSEC or PPTP through, you just need to let the PIX know what to do with these protocols through the fixup protocol command. Example:
IPsec:
fixup protocol esp-ike
or PPTP:
fixup protocol pptp 1723
Hope this helps.
12-17-2003 04:57 PM
Hi JHaggett,
How about if we are going to use a GRE tunnel (as per RFC 1701 & RFC 1702) and an L2TP tunnel (as per RFC 2662)?
What is the fixup protocol command?
Thanks in advance,
Raymond Hew.
12-18-2003 09:18 AM
I think it's dependent on PPTP... I would just add the fixup protocol pptp 1723 and see what happens :)
01-14-2004 01:03 PM
I think I see what you mean, I went through the same problem, try this...
access-list OUTGOING permit gre any any
Dominic
01-14-2004 07:55 PM
The Pix provides no stateful inspection for GRE. If you want a gre tunnel to pass through the Pix, you must open up protocol number 47 on the outside ACL.
If the traffic is an outbound PPTP tunnel, you can use the fixup for pptp which dynamically allows in the resulting GRE traffic without any ACL entries. This does not work for inbound PPTP tunnels to my knowledge.
L2TP as used by Windows 2k+ is really L2TP over IPSec. So in addition to TCP/1701, you'll also need to open UDP/500 and protocol 50. Win2k+ also supports NAT-T for L2TP/IPSec using UDP/4500 for all other traffic. In this case, you won't need protocol 50.
The PIX does use GRE, although not directly. The PIX can terminate PPTP v1 tunnels, which use GRE as expected. The PIX has no other support for terminating GRE tunnels at this time.
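Pulling the thread's advice together into one PIX 6.3 configuration, as an added example that was not posted by anyone in this thread. The interface names, the ACL name OUTSIDE_IN, the translated address 192.0.2.10, the inside host 10.1.1.10 and the peer router 198.51.100.5 are all assumed values. Two points the posts above imply but do not spell out: GRE carries no port numbers, so the inside tunnel endpoint needs a one-to-one static translation rather than PAT, and because the PIX does no stateful inspection of GRE, the inbound ACL entry for protocol 47 is required even when the tunnel is initiated from the inside. L2TP itself runs over UDP port 1701 (RFC 2661); the ESP and UDP/4500 entries cover the plain IPsec and NAT-T cases for Windows 2k+ clients as described in the previous post.

```cisco
! Added example for PIX 6.3; addresses, interface names and ACL name are assumed.
! One-to-one static translation for the inside tunnel endpoint.
! GRE has no ports, so it cannot ride a PAT translation.
static (inside,outside) 192.0.2.10 10.1.1.10 netmask 255.255.255.255

! Router-to-router GRE tunnel (IP protocol 47), restricted to the known peer.
! Needed in the inbound direction even for inside-initiated tunnels, since
! the PIX does not track GRE statefully.
access-list OUTSIDE_IN permit gre host 198.51.100.5 host 192.0.2.10

! L2TP/IPsec from Windows 2k+ clients: IKE, L2TP, ESP, and NAT-T.
access-list OUTSIDE_IN permit udp any host 192.0.2.10 eq 500
access-list OUTSIDE_IN permit udp any host 192.0.2.10 eq 1701
access-list OUTSIDE_IN permit esp any host 192.0.2.10
access-list OUTSIDE_IN permit udp any host 192.0.2.10 eq 4500

! Bind the ACL to the outside interface.
access-group OUTSIDE_IN in interface outside

! Outbound PPTP: the fixup watches the TCP/1723 control channel and opens
! the returning GRE dynamically, so no ACL entry is needed for that case.
fixup protocol pptp 1723
```

Restricting the GRE permit to the peer router's address rather than `any` keeps the pass-through limited to the tunnel you actually expect; with no inspection of the GRE payload, the source address is the only filtering the PIX can apply to that traffic.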