
GRE over IPSEC

AyoubC
Level 1

Hello Sec Gurus, 

I'm running into a solution design misunderstanding, and at the same time an implementation one.

An ISP suggested the design below to have an internal subnet on the right tunneled back to his MPLS network and on to the main office. To reach the ISP gateway, we have an edge ASA that can establish an IPsec VPN back to the nearest ISP gateway, and I would have my GRE tunnel built from the switch back to the gateway's GRE interface.

Is this a valid design? How can this be configured on the ASA and the switch?

AyoubC_1-1662060391930.png

Thank you !!! 


23 Replies

Can you put IPs in your topology?

No need for the full IP, only the first and last numbers.

When you say ACL, meaning the crypto map, then in my case the ACL will be permit ip host 192.168.20.54 host 192.168.20.53, right?

If this is tunnel source and tunnel destination then yes.

AyoubC
Level 1

@MHM Cisco World 
These are the GRE tunnel interface IPs (the .54 on the switch side and the .53 on the ISP side). Do you agree with that? I don't have any parameters for tunnel source and tunnel destination.

The GRE tunnel interface IPs are used for management and to run routing; the important IPs are the tunnel source and tunnel destination.
The tunnel source and tunnel destination are used to build the new IP header, which later will hit the IPsec ACL and make the router/ASA encrypt the traffic (so it passes safely through the internet).
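
The point above in configuration form, as an added example that is not from this thread, from Cisco, or from the ISP: the crypto ACL on the ASA has to match the outer header that GRE builds (protocol GRE between the switch's tunnel source and the ISP's GRE endpoint), not the tunnel interface addresses. The tunnel interface addresses 192.168.20.54/.53 are the ones given in the thread; every other address is a constructed placeholder (10.10.10.2 for the switch interface facing the ASA, 203.0.113.10 for the ISP GRE endpoint, 198.51.100.1 for the ISP IPsec peer), as is the pre-shared key. The ISP would have to supply the real GRE endpoint for `tunnel destination`.

```cisco
! ---- Switch (IOS) side: GRE tunnel built on the switch ----
! Tunnel interface addresses are the ones from the thread (.54 switch, .53 ISP).
! tunnel source/destination are placeholders; they become the OUTER IP header.
interface Tunnel0
 description GRE to ISP gateway, carried inside the ASA IPsec tunnel
 ip address 192.168.20.54 255.255.255.252
 tunnel source 10.10.10.2
 tunnel destination 203.0.113.10
 tunnel mode gre ip
!
! ---- ASA side: encrypt the GRE packets, identified by their OUTER header ----
! Objects for the two GRE endpoints (placeholder addresses).
object network SW-GRE-SRC
 host 10.10.10.2
object network ISP-GRE-DST
 host 203.0.113.10
!
! Crypto ACL: match protocol GRE between tunnel source and tunnel destination.
! "permit ip host 192.168.20.54 host 192.168.20.53" would never match, because
! those addresses are inside the GRE payload, not in the outer header.
access-list GRE-TO-ISP extended permit gre host 10.10.10.2 host 203.0.113.10
!
! Exempt the GRE flow from NAT so the outer header is unchanged before encryption.
nat (inside,outside) source static SW-GRE-SRC SW-GRE-SRC destination static ISP-GRE-DST ISP-GRE-DST no-proxy-arp route-lookup
!
! IKEv1 phase 1 and IPsec phase 2 parameters (placeholder peer and PSK).
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
!
crypto map OUTSIDE-MAP 10 match address GRE-TO-ISP
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key PSK-PLACEHOLDER
```

To check that the right traffic is being matched, `show crypto ipsec sa` on the ASA should show the local/remote identities as the two GRE host addresses with protocol 47, and the encaps/decaps counters should increase when the switch pings across Tunnel0. If the counters stay at zero while the switch reports the tunnel up, the crypto ACL is almost certainly matching the wrong addresses or NAT is rewriting the outer header.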

AyoubC
Level 1

@MHM Cisco World - Here is a question then. The only information I got from the ISP is the public IP to terminate IPsec and a private IP that represents the GRE tunnel IP (the 192.168... I mentioned above). He said that's all I need to implement, and he also said that the same scenario is working for other customers' environments. I'm confused here as I never did this implementation before.

Any more guidance please?

I will make second review and update you today.

AyoubC
Level 1

For all, we ended up with the conclusion that this scenario isn't feasible, because the ASA will always require a destination subnet to make a tunnel.

This scenario would make more sense if we had routers on both ends.

@MHM Cisco World - Thanks for all the details and conclusions you provided for the scenario! I appreciate that.

@AyoubC based on your diagram and my understanding of it, I still see no reason why this will not work.