Beginner

Does the Cisco ASA 5555-X support GRE tunnels?

Hi Team,

Looking for answers to the queries below:

Version: Cisco ASA 5555-X

Cisco ASA 9.1(2) - attached snapshot

Does the Cisco ASA 5555-X support GRE tunnels?

Also, with this device, is it possible to create GRE interfaces?

Support for GRE over IPsec with the ASA 5555-X?

Any reference to a sample configuration specific to this model.

Thanks,

Gaurav

10 Replies

VIP Advocate (accepted solution)

GRE tunnels are not configurable on the ASA in any version. You would have to use a router in order to use GRE tunnels. You can do GRE over IPsec tunnels with a router as the GRE endpoint and the ASA as the IPsec endpoint, or a router as both GRE and IPsec endpoint.
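An added example (not from the thread, and not a Cisco-published configuration) of the split the accepted answer describes: the ASA running 9.1 is the IPsec endpoint with a policy-based IKEv1 crypto map whose interesting traffic is exactly the GRE flow, and an IOS router on the inside owns the GRE tunnel. All addresses, object and map names and the pre-shared key are made up for the example; the remote site is assumed to run a mirror-image configuration with its GRE endpoint on 10.0.0.2 behind IPsec peer 198.51.100.20.

```cisco
! ===== ASA 5555-X, 9.1 (IPsec endpoint only; no GRE here) =====
! Assumed (example) addressing:
!   outside 203.0.113.10/24, default gw 203.0.113.1
!   inside  192.168.1.1/24, inside router 192.168.1.2
!   local GRE endpoint  = router Loopback0 10.0.0.1
!   remote GRE endpoint = 10.0.0.2, remote IPsec peer 198.51.100.20
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-CHANGE-ME
!
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic: only protocol 47 (GRE) between the two tunnel endpoints
access-list VPN-GRE extended permit gre host 10.0.0.1 host 10.0.0.2
!
crypto map OUTSIDE-MAP 10 match address VPN-GRE
crypto map OUTSIDE-MAP 10 set peer 198.51.100.20
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! Remote GRE endpoint is reached through the VPN; local one lives on the inside router
route outside 10.0.0.2 255.255.255.255 203.0.113.1
route inside 10.0.0.1 255.255.255.255 192.168.1.2
!
! Identity NAT so the GRE carrier keeps its real addresses (8.3+ NAT syntax)
object network GRE-LOCAL
 host 10.0.0.1
object network GRE-REMOTE
 host 10.0.0.2
nat (inside,outside) source static GRE-LOCAL GRE-LOCAL destination static GRE-REMOTE GRE-REMOTE no-proxy-arp route-lookup
!
! Decrypted packets bypass the outside ACL by default (sysopt connection permit-vpn).
! If that has been turned off, additionally permit:
!   access-list OUTSIDE-IN extended permit gre host 10.0.0.2 host 10.0.0.1

! ===== IOS router behind the ASA (GRE endpoint) =====
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description towards ASA inside (192.168.1.1)
 ip address 192.168.1.2 255.255.255.0
!
interface Tunnel0
 description GRE over the ASA's IPsec tunnel
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.0.2
 tunnel mode gre ip
 ! leave room for GRE (24 bytes) plus ESP/outer-IP overhead added by the ASA
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! Send the GRE carrier to the ASA; run the IGP/BGP over Tunnel0 for the payload
ip route 10.0.0.2 255.255.255.255 192.168.1.1
```

The crypto ACL matches nothing but the GRE carrier between the two loopbacks, so only that flow can ride the SA; everything the far side sends arrives at the ASA as GRE and is forwarded to the router to be decapsulated, which is the hand-off the later replies discuss. With the ASA in front of the router instead (the hairpin topology described further down the thread), only the two `route` lines on the ASA and the static route on the router change; the crypto configuration is the same.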

Enthusiast

By the way, I saw in the release notes of version 9.7:

Virtual Tunnel Interface (VTI) support for ASA VPN module

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html

Hopefully, sometime we will see VTI tunnels on ASA gear too.

P.S. VTI is a tunnel interface which can be used in many cases instead of GRE over IPsec. VTI removes the need to configure crypto maps. Also, a VTI tunnel does not add the overhead of a GRE header to VPN traffic.

Enthusiast

Sorry, Karsten has already mentioned that.

VIP Mentor

As already mentioned, there is no GRE tunnel. But the newest ASA software has IPsec tunnel interfaces. If your plan is just to have a route-based IPsec VPN in the future, this could be the way to go. But I would wait some releases before changing to 9.7 in production.
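An added example (not from the thread or from the linked release notes) of the route-based alternative the two replies above point at: a VTI on ASA 9.7 or later. Names, addresses and the pre-shared key are made up; the remote peer is assumed to be 198.51.100.20 with a matching VTI at 172.16.0.2 and networks in 10.20.0.0/16. The VTI in 9.7 is IKEv1-only (IKEv2 support for VTI came in 9.8), hence the IKEv1 profile.

```cisco
! ===== ASA 9.7+ route-based site-to-site VPN with a VTI (not available on 9.1) =====
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
!
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-PSK-CHANGE-ME
!
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
! An IPsec profile replaces the crypto map; it is bound to the tunnel interface
crypto ipsec profile VTI-PROFILE
 set ikev1 transform-set TS-AES256-SHA
!
interface Tunnel1
 nameif vti-peer
 ip address 172.16.0.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.20
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! No crypto ACL: whatever routing sends into vti-peer gets encrypted
route vti-peer 10.20.0.0 255.255.0.0 172.16.0.2
!
! The VTI has a nameif, so a normal interface ACL governs what the remote site may reach
access-list VTI-IN extended permit ip 10.20.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-group VTI-IN in interface vti-peer
```

Compared with a crypto-map configuration, there is no interesting-traffic ACL to keep in sync with the far side, and no GRE carrier to route to a separate router: the tunnel is an interface, so static or dynamic routes select the traffic and the firewall policy applies to the decrypted packets on that interface.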

Beginner

Hi Rahul,

If the VPN tunnel is terminated on the ASA and the GRE tunnel is terminated on a router behind the ASA, then the firewall rules which could be applied to the data traffic coming out of the VPN on the ASA are no longer relevant. Is there a way to overcome/work around this drawback without throwing additional gear at the problem? I am not familiar with any firewall capabilities of Cisco routers, but I believe these won't be able to cover the capabilities of the ASA. Thoughts?

Thanks,
Sandesh

Enthusiast

Hello, just want to share my thoughts...

First of all, Cisco routers are capable of firewall services. For example, there is a feature called Zone-Based Firewall for Cisco routers. This feature can give you similar capabilities to the ASA in many cases, but is a bit more complicated to configure.

The second thought. I had a configuration where the ASA was behind the router. That means the ISP was connected to the router, and the inside LAN was separated from the router by the ASA:

LAN <===> ASA <===> Router <===> ISP

But in spite of this, there was no problem terminating IPsec on the ASA and GRE on the router. The IPsec traffic (IKE and ESP) passed from the ISP through the router with no inspection and terminated on the ASA. After being decrypted, the GRE traffic went back to the router. Then the router decapsulated the payload from the GRE headers. Then the router directed the payload traffic back to the ASA.

So there was a possibility to control the decapsulated traffic with the ASA's firewall capabilities.

This scenario may be useful if the ASA is equipped with IPS or FirePOWER services. After being decapsulated from all VPN headers (IPsec and GRE), the traffic can be controlled and inspected as you like.

Beginner

Hi Boris,

Thanks for the super quick response!

I'm sure there would be FW capabilities in the ASA which would be missing in other IOS routers, so we won't be able to offload everything from the ASA.

Your other solution sounds plausible to me; however, I am concerned about the performance penalty it will incur due to the extra loop involved for all traffic. My deployment requires the use of 2 ASAs for VPN tunnel redundancy, where each ASA forms a VPN tunnel with a remote VPN device via a different ISP and carries a GRE tunnel inside each VPN tunnel. The router where the GRE tunnels terminate runs BGP for selection of the path to reach the other side via one of the GWs.

                          ASA1 (VPN1) <=> ISP1
                         /                     \
LAN <=> Router (BGP+GRE)                         VPN
                         \                     /
                          ASA2 (VPN2) <=> ISP2

So I'm wondering if looping traffic back and forth between the ASA and router will have any implications from a dynamic routing perspective.

Thanks,

Sandesh

Enthusiast

Hi,

You are absolutely right that looping traffic between the router and the ASAs increases utilization of the gear.

Usually, ASAs are more powerful in routing and firewall capabilities compared to routers (sure, it depends on the concrete models).

If you think that the router may be under heavy load, you can avoid looping traffic through the router if you add a direct connection from the ASA to the inside LAN (to the core switch). Please see the attachment.

In this case, IPsec traffic will come to the ASA, the decrypted GRE traffic goes to the router, and the router sends the decapsulated payload back to the ASA. And the ASA sends the filtered payload directly to the LAN, avoiding passing it back to the router.

So the traffic from remote VPNs will pass through the router only once. Sure, that traffic passes the ASA twice, but, as I already mentioned, the throughput of the ASA is usually high, so it won't be a problem.

From a security perspective, it is also OK to connect the ASA directly to the LAN, because the ASA filters all traffic.

Explorer

More powerful in firewalling only; routers rule when it comes to routing capabilities.

Explorer

This is why people are dropping their ASAs. It is just stupid. If I place the GRE traffic inside of the IPsec tunnel, is it not secure? Cisco invented GRE, why the hell can they not secure it? The ASA is not relevant anymore and everyone is stuck with it.