GRE Tunneling via PIX Firewall

r.hew
Level 1

Hi Sir,

Need to confirm whether the Cisco PIX Firewall supports GRE pass-through?

If yes, what model of PIX Firewall and PIX image version do I need to use?

As I understand from RFC 1071 & 1072, the IP Protocol type is 47.

Need your help as soon as possible.

Thanks,

Raymond Hew

7 Replies

scoclayton
Level 7

Hi,

Yes, the Cisco PIX firewall can serve as a GRE pass-through device. The PIX cannot terminate or initiate any GRE traffic, but with the proper translations and access allowed, GRE traffic will pass through the PIX. All models and software support allowing GRE (protocol 47) through the PIX. Hope this helps.

Scott

Hi Scott,

How about an L2TP tunnel over the PIX firewall? I assume it should also pass through without any problem.

What IP protocol type does L2TP use?

In my customer's scenario, they are going to put two PIX firewalls in between the routers soon; at the moment I have enabled them with GRE without a firewall in between.

Thanks in advance,

Raymond Hew.

jhaggett
Level 1

If you are looking at passing IPsec or PPTP through, you just need to let the PIX know what to do with these protocols through the fixup protocol command. Example:

IPsec:

fixup protocol esp-ike

or PPTP:

fixup protocol pptp 1723

Hope this helps.

Hi JHaggett,

How about if we are going to use a GRE tunnel (as per RFC 1701 & RFC 1702) and an L2TP tunnel (as per RFC 2662)?

What is the fixup protocol command for those?

Thanks in advance,

Raymond Hew.

I think it's dependent on PPTP... I would just add the fixup protocol pptp 1723 and see what happens :)

I think I see what you mean. I went through the same problem; try this...

access-list OUTGOING permit gre any any

Dominic

shannong
Level 4

The Pix provides no stateful inspection for GRE. If you want a gre tunnel to pass through the Pix, you must open up protocol number 47 on the outside ACL.

If the traffic is an outbound PPTP tunnel, you can use the fixup for pptp which dynamically allows in the resulting GRE traffic without any ACL entries. This does not work for inbound PPTP tunnels to my knowledge.

L2TP as used by Windows 2k+ is really L2TP over IPsec. So in addition to TCP/1701, you'll also need to open UDP/500 and protocol 50. Win2k+ also supports NAT-T for L2TP/IPsec using UDP/4500 for all other traffic. In this case, you won't need protocol 50.

The PIX does use GRE, although not directly. The PIX can terminate PPTP v1 tunnels, which use GRE as expected. The PIX has no other support for terminating GRE tunnels at this time.
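Putting the two answers together (Scott's "translation plus access" for plain GRE, and the ACL entries for L2TP/IPsec and the PPTP fixup described just above), here is an added PIX 6.x configuration fragment. It is not from any post in this thread or from Cisco documentation; the interface names, the ACL name OUTSIDE_IN, and all addresses are assumptions (RFC 5737 documentation ranges): the inside router 10.1.1.1 is the local tunnel endpoint, presented to the outside as 203.0.113.10, and the remote endpoint is 198.51.100.5.

```cisco
! Added example (not from the thread). Addresses, interface names and the ACL name are assumptions.
! Inside router 10.1.1.1 is the local GRE / L2TP endpoint; it appears on the outside as 203.0.113.10.
! Remote tunnel endpoint is 198.51.100.5.

! A one-to-one static translation is required: GRE (protocol 47) and ESP (protocol 50) carry no ports,
! so port-based PAT cannot map inbound packets to the inside host.
static (inside,outside) 203.0.113.10 10.1.1.1 netmask 255.255.255.255

! The PIX does no stateful inspection of GRE, so a plain GRE tunnel needs an explicit entry on the
! outside interface. Restrict it to the known peer rather than "any any".
access-list OUTSIDE_IN permit gre host 198.51.100.5 host 203.0.113.10

! L2TP over IPsec (Windows 2000 and later style): IKE on UDP/500, then either ESP (protocol 50)
! or, when NAT-T is negotiated, UDP/4500. The L2TP packets themselves (UDP/1701 per RFC 2661)
! travel inside the IPsec SA, so the outside ACL never sees them as separate flows.
access-list OUTSIDE_IN permit udp host 198.51.100.5 host 203.0.113.10 eq 500
access-list OUTSIDE_IN permit esp host 198.51.100.5 host 203.0.113.10
access-list OUTSIDE_IN permit udp host 198.51.100.5 host 203.0.113.10 eq 4500

! Apply the ACL inbound on the outside interface; everything not listed stays denied.
access-group OUTSIDE_IN in interface outside

! Outbound PPTP from inside clients: the fixup (PIX 6.3 and later) watches the TCP/1723 control
! channel and opens the returning GRE dynamically, so no GRE entry is needed for that case.
fixup protocol pptp 1723
```

Traffic initiated from the inside router toward 198.51.100.5 is allowed by the default higher-to-lower security policy and is translated by the same static; only the return GRE and IPsec packets need the OUTSIDE_IN entries. Drop the ESP line if the peers always negotiate NAT-T, and the UDP/4500 line if they never do, so the ACL opens exactly what the tunnel uses.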
