08-22-2023 02:41 PM
Hello team, I am trying to pass one GRE tunnel over two Cisco Firepower 1120 Threat Defense version 7.3.1-19 working as active/standby. The devices are standalone and are not managed by FMC. How can I ensure the traffic can be allowed in the GRE tunnel communication between one SD-WAN VeloCloud device on the inside and one Zscaler on the outside?
I have created an ACL allowing the GRE protocol from inside to outside and vice versa.
Do you know any other way? Pre-filtering is not allowed in this version, only in FMC.
08-22-2023 11:47 PM
- FYI : https://www.networkingwithehsan.com/gre-tunnel-in-ftd
M.
08-22-2023 11:49 PM
Hi @claudiom17,
This is the limitation of FDM compared to FMC. Most often, GRE should be addressed via a prefilter policy, which is not supported on FDM. It is in the FDM admin guide.
You can try to allow it within the standard Access Control policy, but if it is not per RFC, it must be bypassed via prefilter.
Kind regards,
Milos
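Milos's caveat turns on whether the tunnel's GRE header is "per RFC". The parser below is an added example, not code from this thread or from any Cisco tool: it decodes the RFC 2784 header (with the RFC 2890 key and sequence extensions), checks the version and reserved bits, verifies the optional checksum, and reports why a packet would not be treated as standard GRE. It assumes you feed it the IP protocol 47 payload bytes taken from a capture; the sample payloads in `SAMPLES` are constructed here, not captures from the poster's network.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional

IP_PROTO_GRE = 47  # the protocol number an access rule for GRE matches on

# First 16 bits of the GRE header (RFC 2784, extended by RFC 2890):
#   bit 0      C  checksum present
#   bit 1      R  routing present (RFC 1701 only; must be 0 under RFC 2784)
#   bit 2      K  key present (RFC 2890)
#   bit 3      S  sequence number present (RFC 2890)
#   bits 4-5      must be zero on receipt (RFC 2784, section 2.3.1)
#   bits 6-12     reserved, sent as zero and ignored on receipt
#   bits 13-15    version, must be 0 (version 1 is PPTP's enhanced GRE, RFC 2637)
FLAG_C = 0x8000
FLAG_R = 0x4000
FLAG_K = 0x2000
FLAG_S = 0x1000
MUST_BE_ZERO = FLAG_R | 0x0800 | 0x0400
VERSION_MASK = 0x0007


@dataclass
class GreHeader:
    version: int
    protocol_type: int
    checksum_present: bool
    key: Optional[int]
    sequence: Optional[int]
    header_len: int
    problems: list = field(default_factory=list)

    @property
    def rfc_conformant(self) -> bool:
        return not self.problems


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_gre(payload: bytes) -> GreHeader:
    """Parse the GRE header at the start of an IP protocol 47 payload.

    Returns the decoded fields plus a list of RFC 2784/2890 violations,
    which stays empty for a conformant header.
    """
    if len(payload) < 4:
        raise ValueError("GRE header needs at least 4 bytes")
    flags, proto = struct.unpack("!HH", payload[:4])
    problems = []
    version = flags & VERSION_MASK
    if version != 0:
        problems.append(f"version {version} is not RFC 2784 GRE")
    if flags & MUST_BE_ZERO:
        problems.append("routing bit or reserved bits 4-5 set (RFC 1701 style header)")

    header_len = 4
    if flags & FLAG_C:
        header_len += 4  # checksum (2 bytes) + reserved1 (2 bytes)
    if flags & FLAG_K:
        header_len += 4
    if flags & FLAG_S:
        header_len += 4
    if len(payload) < header_len:
        problems.append("optional fields truncated")
        return GreHeader(version, proto, bool(flags & FLAG_C), None, None, header_len, problems)

    offset = 4
    if flags & FLAG_C:
        # the checksum covers the GRE header and the encapsulated packet
        if ones_complement_sum(payload) != 0xFFFF:
            problems.append("checksum mismatch")
        offset += 4
    key = sequence = None
    if flags & FLAG_K:
        key = struct.unpack("!I", payload[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        sequence = struct.unpack("!I", payload[offset:offset + 4])[0]
        offset += 4
    return GreHeader(version, proto, bool(flags & FLAG_C), key, sequence, header_len, problems)


def build_gre(protocol_type: int, inner: bytes, key: Optional[int] = None,
              with_checksum: bool = False) -> bytes:
    """Build an RFC 2784/2890 GRE packet (header + inner packet) for testing."""
    flags = (FLAG_C if with_checksum else 0) | (FLAG_K if key is not None else 0)
    header = struct.pack("!HH", flags, protocol_type)
    if with_checksum:
        header += b"\x00\x00\x00\x00"  # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + inner
    if with_checksum:
        csum = (~ones_complement_sum(packet)) & 0xFFFF
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


# Constructed sample payloads (not captures from the poster's network)
INNER_IPV4 = b"\x45\x00\x00\x14" + b"\x00" * 16  # minimal fake IPv4 header
SAMPLES = {
    # plain GRE carrying IPv4 (protocol type 0x0800): what RFC 2784 describes
    "plain": build_gre(0x0800, INNER_IPV4),
    # keyed GRE (RFC 2890), used by overlays that multiplex tunnels on one key
    "keyed": build_gre(0x0800, INNER_IPV4, key=42),
    # checksummed GRE
    "checksummed": build_gre(0x0800, INNER_IPV4, with_checksum=True),
    # PPTP enhanced GRE (RFC 2637): K and S set, version 1, protocol 0x880B
    "pptp": struct.pack("!HHII", 0x3001, 0x880B, 0x00100001, 7) + INNER_IPV4,
    # RFC 1701 style header with the routing bit set
    "rfc1701": struct.pack("!HH", FLAG_R, 0x0800) + INNER_IPV4,
}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        hdr = parse_gre(pkt)
        verdict = "conformant" if hdr.rfc_conformant else "; ".join(hdr.problems)
        print(f"{name:12} ver={hdr.version} proto=0x{hdr.protocol_type:04x} "
              f"key={hdr.key} seq={hdr.sequence} -> {verdict}")
```

Run it as-is to see the five constructed cases classified; to check a real tunnel, extract the IP payload of a protocol 47 packet from a capture and pass the bytes to `parse_gre`. A header that comes back conformant is the plain RFC 2784/2890 form an access rule can match on; a version 1 or RFC 1701 style header is the "not per RFC" case Milos refers to.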
07-06-2024 10:30 PM
Use "Trust" as the access rule action.
This is the equivalent of FastPath.
I put all sorts in the access policy, but this is the only way.
Of course, the flaw is that it does not get inspected - welcome to the wonder of Firepower.