04-07-2008 02:08 PM - edited 02-21-2020 03:39 PM
Hi all,
I would need to build a GRE tunnel from a local IOS (PIX inside LAN) to a remote IOS (Internet EzVPN client), through a PIX remote access VPN.
Is it possible?
The remote IOS gets a different WAN IP address each time it connects to the Internet, and the PIX assigns it the address from an internally configured pool.
Thanks in advance. Efrem
04-11-2008 01:20 PM
You can refer to this bug for more information on the GRE tunnel: CSCse36327
04-13-2008 06:46 AM
Thank you. That bug is exactly what happens to me; your hint increased my understanding of the problem. Unfortunately, the bug solution does not solve it. Maybe it is drawn up for LAN-to-LAN VPN. I run PIX version 8.0.3 and I can write the command "pix(config)#sysopt connection reclassify-vpn", but without effect.
What happens is: starting with everything up and running (remote access VPN, GRE tunnel and OSPF), if the VPN drops, the local_gre machine continues to send GRE packets to the tunnel destination. Without the VPN up, these packets are erroneously translated out the outside interface by the PIX, and this continues even when the VPN comes back up. To work around the problem, I stop these packets to time out this wrong connection. Now, thanks to you, I have also learned the command "pix#clear local-host" to drop the connection.
In my actual case I chose another workaround: I added a static route to the PIX to return GRE packets back to the inside. When the VPN is up, the PIX assigns the address to the remote ezvpn_client and ignores the static route.
I hope Cisco will extend the command "...reclassify-vpn" to remote access as well.
Bye. Efrem