09-10-2016 01:09 PM - edited 03-08-2019 07:22 AM
Community, I'm scratching my head. I've put all the details in the attached PDF. Basically I've got an IPSEC B2B tunnel (working). I'm slipping a GRE tunnel through it and it's working (partially): I can ping on one side and not the other. At first I thought, hey, there's something routing-related wrong with this, but I can't find anything wrong routing-related, as the tunnel is showing up in the routing table of both routers as "connected". Not sure what's going on. Please find my attached PDF file.
09-10-2016 04:00 PM
Hi;
Just want to re-confirm: as per the diagram, Lo0 on RemoteB and LOCALA have the same IP address, 192.168.2.217, while as per the configuration it should be 192.168.2.218 at RemoteB.
The other tunnel configuration is simple and I don't see any issue with it.
I suspect that either the ASA or the Palo Alto firewall policy is blocking the traffic.
Thanks & Best regards;
09-10-2016 05:06 PM
Yes ahmedshoaib, thanks for pointing that out. You are correct; I incorrectly labeled REMOTE B Lo0.
It should be as you say, 192.168.2.218. I fear the same. I have confirmed the Palo Alto is allowing traffic to and from; I have full visibility to verify the Palo. As for the ASA, I don't have visibility and will have to work with the engineer on Monday to confirm our suspicion.
Thank you.
I'll report back on this issue as soon as I get more information as to the policy on the remote firewall.
Kind Regards,
CB
09-12-2016 02:58 PM
Greetings. I found out today through TAC that ASAs don't support GRE through the IPSEC tunnel.
In order to solve the need, I set up the ASA to do a 1:1 NAT from a public IP to a loopback on the remote router. I set up a similar config on a router on the other side, then created an IPsec-protected tunnel between the two routers. Same effect; I just had to burn more public IP addresses to get it done. Thanks.
You can call this one solved.
09-13-2016 12:25 AM
Hi;
Thanks, this is good information to share with other members.
Best regards;
09-11-2016 08:03 AM
After researching this and doing some extensive reading, I believe that possibly the IPSEC transform set is in "default tunnel" mode on the ASA side and not in "transport" mode, which I see seems to be necessary to transport GRE over IPsec with an ASA firewall. I'll confirm on Monday.
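The two router-side pieces discussed in this thread (the IPsec-protected GRE tunnel between the two routers from the 09-12 post, and the transform-set mode question from the 09-11 post) look like the following on IOS. This is an added example, not configuration from the original post or its attached PDF. The loopback addresses 192.168.2.217/.218 are taken from the thread; the tunnel subnet 10.255.255.0/30, the peer addresses 203.0.113.10 and 198.51.100.10 (the addresses the routers reach each other on, whether a router interface or the address the ASA statically NATs to the loopback), the pre-shared key placeholder and all object names are assumptions.

```cisco
! ===== LOCALA (added example; names and non-loopback addresses are assumed) =====
! IKEv1 phase 1. PSK is a placeholder; the peer address is the one the remote
! router is reachable on (here assumed to be 198.51.100.10).
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.10
!
! Phase 2 transform set. "mode transport" protects the GRE packet directly
! (IP|ESP|GRE|payload). The IOS default is "mode tunnel", which wraps the GRE
! packet in a second outer IP header (IP|ESP|IP|GRE|payload). Both peers must
! use the same mode or phase 2 fails with a proposal mismatch.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Loopback0
 ip address 192.168.2.217 255.255.255.255
!
! GRE tunnel between the two routers. "tunnel protection" attaches the IPsec
! profile, so the crypto ACL is generated automatically as GRE (IP proto 47)
! between tunnel source and destination; no manual crypto map is needed.
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 192.168.2.218
 tunnel protection ipsec profile GRE-PROT
!
! Route the far-side LAN over the tunnel (192.168.20.0/24 is an assumed example).
ip route 192.168.20.0 255.255.255.0 Tunnel0

! ===== REMOTE B (mirror of the above) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Loopback0
 ip address 192.168.2.218 255.255.255.255
!
interface Tunnel0
 ip address 10.255.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 192.168.2.217
 tunnel protection ipsec profile GRE-PROT
!
ip route 192.168.10.0 255.255.255.0 Tunnel0

! ===== Verification (run on either router) =====
! Tunnel0 should be up/up, the IKE SA should be QM_IDLE, and the IPsec SA
! should show "in transport mode" with non-zero encaps/decaps counters in
! BOTH directions. Counters rising on one side only point at a policy or NAT
! problem on the device in the path, not at GRE itself.
show ip interface brief | include Tunnel0
show crypto isakmp sa
show crypto ipsec sa | include transport|encaps|decaps
show crypto session detail
```

One practical check before blaming the far-side firewall: `show crypto ipsec sa` on the side that cannot ping will typically show `#pkts encaps` climbing while `#pkts decaps` stays at zero, which means the GRE/ESP traffic is leaving but the reply never makes it back through the intermediate device; that narrows the search to its policy or NAT rather than to routing on the routers, which the "connected" tunnel routes in the thread already rule out.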