06-21-2017 10:24 AM - edited 03-08-2019 11:03 AM
What would be the best and easiest way to get a GRE tunnel up behind a network using DHCP and a firewall?
06-21-2017 10:39 AM
Hi John,
Could you please provide more details?
A golden key to using GRE is to first confirm communication between the source and destination; that is the first step. Then you could allow GRE traffic on the firewall: access-list INSIDE/OUTSIDE extended permit gre any any
:-)
06-21-2017 10:48 AM
The headend has a public IP address directly connected to our router.
The remote site/sites are sitting behind a firewall and get an IP address on their LAN, basically 192.168.1.x or 10.10.x.x.
06-22-2017 08:52 AM
Headend config:
int g0/0
ip address [publicip]
interface Tunnel1
description GRE
ip address 10.10.53.1 255.255.255.252
ip mtu 1400
ip pim sparse-mode
keepalive 3 2
tunnel source GigabitEthernet0/0
tunnel destination xx.xx.xx.xx   ! remote public ip
tunnel path-mtu-discovery
Remote site:
int g0/1
ip address 192.168.1.44
interface Tunnel1
description GRE
ip address 10.10.53.2 255.255.255.252
ip mtu 1400
ip pim sparse-mode
keepalive 3 2
tunnel source GigabitEthernet0/1
tunnel destination xx.xx.xx.xx
tunnel path-mtu-discovery
ip route 0.0.0.0 0.0.0.0 192.168.1.1
How do I get this to work when it is behind a network and a firewall?
Debug on the headend router:
Jun 21 20:21:20.960: Tunnel1: GRE/IP classify [remoteip]->[headendip] tbl=0,"Default" failed, tunnel down
Jun 21 20:21:20.960: Tunnel1: GRE/IP (PS) to decaps [remoteip]->[headendip] (tbl=0,"default" len=48 ttl=235)
Jun 21 20:21:20.960: Tunnel1: Pak Decapsulated on GigabitEthernet0/1, ptype 0x800, nw start 0x306F04B0, mac start 0x306F048A, datagram size 24 link type 0x7
06-22-2017 12:25 PM
Anybody have a suggestion on the above post?
Thank you.
06-22-2017 12:51 PM
Did you do what Julio suggested?
06-22-2017 01:01 PM
I just dropped your configuration into GNS3 without a firewall and the tunnel worked fine. If you have IP reachability to the remote network from the edge device and routing is in place, then most likely the firewall is blocking GRE.
06-22-2017 01:18 PM
Yes, I have had this working several times, however without a firewall.
The problem is the remote site receives a private IP address. So on the firewall I had the security team do a NAT from the private IP to the public IP address.
I see traffic going back and forth, but I get up/down.
06-22-2017 01:37 PM
> The problem is the remote site receives a private IP address.
I didn't get this part. Which private address are they receiving? As I understand from your explanation, both tunnel endpoints are behind the firewall and have public IPs configured.
Can you ping the remote-end GRE tunnel endpoint from the router at your site, or do a traceroute?
06-22-2017 02:04 PM
HeadendR1 >>> Firewall >>> switch >>> RemoteR1
The firewall has a NAT to my RemoteR1 and I can even SSH into it from anywhere using the public IP address, so I know the NAT is correct; however, nothing on the tunnel.
Debug below:
Jun 21 21:32:09.088: Tunnel1: GRE/IP classify [remoteip]->[headendip] tbl=0,"Default" failed, tunnel down
Jun 21 21:32:09.092: Tunnel1: GRE/IP (PS) to decaps [remoteip]->[headendip] (tbl=0,"default" len=48 ttl=235)
Jun 21 21:32:09.092: Tunnel1: Pak Decapsulated on GigabitEthernet0/1, ptype 0x800, nw start 0x30710F30, mac start 0x30710F0A, datagram size 24 link type 0x7
Jun 21 21:32:09.092: Tunnel1: GRE decapsulated IP packet (linktype=7, len=24)
Jun 21 21:32:09.092: Tunnel1: GRE decapsulated IP packet (linktype=7, len=24)
06-22-2017 02:22 PM
Please answer the following questions:
Is there only one firewall between these two routers?
Are you using a public address on both sides as the tunnel destination?
- If you are using ASA version 8.3 or above, then make sure that the ACL has the real address of the tunnel endpoints and not the NATed address.
Did you check the firewall logs related to GRE traffic?
06-22-2017 02:32 PM
Yes, I am using public IP addresses as tunnel destinations.
9.6
I did a capture on the firewall and saw:
>ip source ip destination gre 47
<ip destination ip source gre 47
06-23-2017 03:35 PM
An update on what the resolution was:
Removed the keepalives and bam, up/up.
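Why dropping the keepalives fixed it, shown as an added simulation that is not part of the thread: an IOS GRE keepalive is a pre-built reply (inner IP header with the addresses swapped, inner GRE protocol type 0) that the far end simply decapsulates and routes back. When the remote router builds that reply with its own interface address 192.168.1.44, the firewall's static NAT rewrites only the outer header, so the headend decapsulates a 24-byte packet (the len=24 seen in the debug) addressed to a private IP it cannot return. The addresses below are constructed; the keepalive layout is assumed from Cisco's description of the feature.

```python
import struct
from ipaddress import IPv4Address

# Constructed addresses (the thread redacts the real ones).
HEADEND_PUBLIC = IPv4Address("198.51.100.1")  # headend Gi0/0 / tunnel source
REMOTE_PRIVATE = IPv4Address("192.168.1.44")  # remote Gi0/1, as in the post
REMOTE_PUBLIC = IPv4Address("203.0.113.44")   # static NAT on the firewall
GRE_PROTO = 47
IPV4_FMT = "!BBHHHBBH4s4s"  # 20-byte header, no options

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header; checksum left at zero, not needed for this model."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       src.packed, dst.packed)

def gre_header(proto_type):
    """4-byte GRE header with no flags; IOS keepalives carry protocol type 0."""
    return struct.pack("!HH", 0, proto_type)

def build_keepalive(local, remote):
    """Outer: local -> remote carrying GRE/IP. Inner: the reply the sender
    expects back, remote -> local carrying an empty GRE with protocol type 0."""
    inner = ipv4_header(remote, local, GRE_PROTO, 4) + gre_header(0)
    return ipv4_header(local, remote, GRE_PROTO, 4 + len(inner)) + gre_header(0x0800) + inner

def parse_ipv4(pkt):
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"src": IPv4Address(src), "dst": IPv4Address(dst),
            "proto": proto, "total": total, "payload": pkt[20:total]}

def static_nat_outbound(pkt, inside, outside):
    """Firewall static NAT on egress: rewrites only the OUTER source address."""
    h = parse_ipv4(pkt)
    if h["src"] != inside:
        return pkt
    return ipv4_header(outside, h["dst"], h["proto"], len(h["payload"])) + h["payload"]

def headend_decap(pkt, my_addr):
    """Headend decapsulates one GRE packet and reports where the inner one goes."""
    outer = parse_ipv4(pkt)
    assert outer["dst"] == my_addr and outer["proto"] == GRE_PROTO
    inner = parse_ipv4(outer["payload"][4:])  # skip the 4-byte GRE header
    return {"outer_src": outer["src"], "inner_dst": inner["dst"], "len": inner["total"],
            "replies_to_sender": inner["dst"] == outer["src"]}

def remote_keepalive_through_nat():
    """The thread's topology: remote builds the keepalive from 192.168.1.44."""
    ka = build_keepalive(REMOTE_PRIVATE, HEADEND_PUBLIC)
    return headend_decap(static_nat_outbound(ka, REMOTE_PRIVATE, REMOTE_PUBLIC), HEADEND_PUBLIC)

if __name__ == "__main__":
    print(remote_keepalive_through_nat())  # inner_dst is the private 192.168.1.44
```

The headend forwards the inner packet toward 192.168.1.44 via its default route instead of back through the NAT, so the remote never sees a reply and its keepalive counter (3 2) times the tunnel out; with the same code and no NAT (build from REMOTE_PUBLIC) the inner destination equals the outer source and the reply loops back correctly.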
06-23-2017 04:02 PM
Thanks for the update. Glad to hear that your issue has been resolved.
06-22-2017 02:57 PM
Hi my dear,
Can you use ASDM at each site? The default ASDM in the router is enough. You must try it with the software; it is so much easier than the command line and does not have a problem. If you have any problem along the way, you can see a notice from the software.
MA