
PIX and GRE IPsec tunnel

romolom71
Level 1

Hello, I have a remote site that must have access to the Internet through the PIX. The remote site has a private network inside and a public IP address outside (ISP). When a private client makes a connection to the Internet, the PIX must NAT the private address. I have not found any documents about a GRE-IPsec tunnel from a router to a PIX 515.

I think it is not possible. Do you have a solution?

Thank you.

5 Replies

sachinraja
Level 9

Hello romolom,

The PIX doesn't support GRE tunnels; you can only have a site-to-site IPsec tunnel to the PIX. You could consider terminating the GRE tunnel on a router that sits outside the PIX. Once you have the GRE tunnel between the routers, you can run IPsec over it and encrypt all data flowing through the GRE tunnel.

So, consider terminating the GRE tunnel on a router and not on the PIX.

All the best. Rate replies if found useful.

Thank you sachinraja for your support.

Your option is a good one, but if I use tunnel-mode IPsec I could change the IP header of the packet and route it across the Internet. I don't know, but I must test this solution: the correct behaviour of the PIX when these packets arrive at the outside interface. If I send traffic from the router to the PIX and want the PIX's NAT function to reach the Internet, when the tunnel's packets come into the PIX, is this traffic treated like traffic coming from the inside interface of the PIX? Does the PIX perform NAT on this traffic?

All the best.

Hello romolom,

Not sure what you are referring to. Anyway, the PIX can do NAT before pushing the traffic into the IPsec tunnel; in this case the crypto ACL will need to use the NATed IP as the source and not the private IP. You need to change the ACL on the router at the other end too. The best way to go about this scenario is:

1) NAT all the browsing traffic to the internet.

2) Create a separate access-list nonat and apply it to the PIX, which will be defined for the IPsec traffic.

In case you have many users behind the PIX, you can use the solution above. In case you just have one server that needs to communicate, you can also NAT the server and pass it through the IPsec tunnel.

Hope this helps. Rate replies if found useful.
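The two steps above (PAT for Internet browsing, a nonat exemption so the site-to-site crypto ACL matches the private addresses) as one PIX 6.x configuration. This is an added example, not configuration posted in the thread; the addresses (PIX inside 10.1.1.0/24, remote router LAN 10.2.2.0/24, router public address 203.0.113.2), the ACL and crypto map names, and the pre-shared key placeholder are all assumed.

```cisco
! Added example (PIX 6.x syntax); addresses and names are assumptions.
! Step 1: PAT every inside host to the outside interface address for Internet browsing.
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

! Step 2: exempt site-to-site traffic from NAT (nat 0) so the crypto ACL
! below can match the real private addresses on both sides.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto ACL: same private-to-private match; the router end must mirror it.
access-list vpn permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! Let decrypted tunnel traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

! IKE phase 1 (pre-shared key with the remote router).
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key <shared-key> address 203.0.113.2 netmask 255.255.255.255

! IKE phase 2: transform set and crypto map bound to the outside interface.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 203.0.113.2
crypto map vpnmap 10 set transform-set ESP-3DES-SHA
crypto map vpnmap interface outside
```

If instead a single server is NATed (static) before entering the tunnel, the crypto ACL and the router's mirror ACL must use the server's translated address, not its private one, exactly as the reply says. 3DES, SHA-1 and DH group 2 are what PIX 6.x offers, not what you would choose on current hardware. Note also that on PIX 6.x a packet decrypted on the outside interface cannot be sent back out that same interface; PIX 7.0 and later add `same-security-traffic permit intra-interface` to allow that hairpin.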

Sorry, but my English is not good!

Anyway, the flow of the traffic is:

router ---> PIX

The traffic to the Internet flows in this manner:

Router-->(Tunnel mode IPSec)-->PIX-->NAT-->Internet

What is the behaviour of the PIX when the flow comes into the PIX? Is this statement correct: "The PIX takes off the IPsec tunnel header, routes the packet to outside and NATs the packets"?

Thank you.

This can happen. Once the packet reaches the PIX, the header is removed. In case you have a proxy server on the inside, and you can reach that server over the VPN, you can use that setting in the browser and access the Internet. But nobody browses through a VPN client, just because of the overhead and latency involved.

Why do you want to browse through the IPsec tunnel, as you are already connected to the Internet primarily to connect to the PIX for IPsec? I don't understand this. Anyway, you can give the IP pool from the same LAN as the inside and NAT the traffic on the inside interface.

Note: the IPsec tunnel is established on the outside interface, and you cannot directly NAT the traffic to the outside without going to some server (proxy) on the inside. This is because the PIX does not forward traffic out of the interface on which it received it!

Hope this helps.