Networks Training

You are here: Home / Cisco Routers / Configuring GRE Tunnel Through a Cisco ASA Firewall

Configuring GRE Tunnel Through a Cisco ASA Firewall

Written By

In this configuration tutorial I will show you how to configure a GRE tunnel between two Cisco IOS routers. One of the routers is located behind a Cisco ASA 5500 Firewall, so I will show you also how to pass GRE traffic through a Cisco ASA as well.

GRE and Cisco ASA

As you might know already, GRE tunnel termination is not supported on Cisco ASA firewalls. However, this is fully supported on Cisco routers.

GRE tunnels are not secure (no traffic encryption takes place through GRE (except if you run GRE over IPSEC).

However, GRE tunnels are useful in cases where we need to pass “non-unicast” traffic between two remote sites (e.g through the Internet).

Two scenarios that come to my mind now include passing routing protocols (such as OSPF) between two remote sites, and also passing multicast traffic through the GRE tunnel from one site to another.

We will be using the following network diagram:

gre through asa

As shown from the diagram above, we have two remote sites (LAN1 and LAN2) which we need to connect through the Internet via a GRE tunnel.

The GRE tunnel will be terminated between routers R1 and R2. When configuring GRE, a virtual Layer3 “Tunnel Interface” must be created.

The GRE tunnel will be running between the two Tunnel Interfaces (10.0.0.1 and 10.0.0.2 as shown from diagram).

Also, the Tunnel Interfaces will be using as actual source IPs the addresses of the outside router interfaces (20.20.20.1 for R1 and 50.50.50.1 for R2). Therefore, IP routing reachability must be in place between 20.20.20.1 and 50.50.50.1.

As shown, router R1 is behind a Cisco ASA firewall. This is exactly what makes this scenario a little bit different from others.

Since R2 must be able to reach R1, the only way to “expose” R1 to the outside world is by creating a static NAT on the ASA firewall.

MORE READING:  WAN Redundancy with two ISPs using static floating default routes

The static NAT rule will translate 20.20.20.1 (R1 outside IP) to an outside public IP, let’s say 30.30.30.3.

Therefore, R2 will be able to reach R1 via 30.30.30.3 public IP. Also, we must configure an access list on the ASA (applied on the outside ASA interface) which must allow GRE traffic from 50.50.50.1 to 20.20.20.1

Configuration

Lets see the configuration, starting with the routers first:

ROUTER R1

!First configure IP addresses on R1

interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!

interface FastEthernet1/0
 ip address 20.20.20.1 255.255.255.0
 duplex auto
 speed auto

!Default route towards ASA

ip route 0.0.0.0 0.0.0.0 20.20.20.2

!Now configure GRE Tunnel Interface. Note that we reduce the MTU size in order to accommodate the extra headers added from the GRE protocol.

interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 20.20.20.1
 tunnel destination 50.50.50.1
!

!Now tell the router that remote subnet of LAN2 can be reached via the GRE endpoint 10.0.0.2

ip route 192.168.2.0 255.255.255.0 10.0.0.2

Now let’s move on to configuring R2.

ROUTER R2

!First configure IP addresses on R2

interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
!

interface FastEthernet1/0
 ip address 50.50.50.1 255.255.255.0
 duplex auto
 speed auto

!Default route towards ISP

ip route 0.0.0.0 0.0.0.0 50.50.50.2

!Now configure GRE Tunnel Interface. Note that the tunnel destination is the mapped (static NAT) IP address of router R1 (30.30.30.3)

interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 50.50.50.1
 tunnel destination 30.30.30.3
!

!Now tell the router that remote subnet of LAN1 can be reached via the GRE endpoint 10.0.0.1

ip route 192.168.1.0 255.255.255.0 10.0.0.1

MORE READING:  Explanation and Configuration of OSPF MD5 Authentication on Cisco Networks

That’s it for the routers. Let us see now how to configure the ASA.

ASA Configuration

!First configure IP addresses on ASA

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 30.30.30.2 255.255.255.0
!

interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 20.20.20.2 255.255.255.0
!

!Default route towards ISP

Route outside 0.0.0.0 0.0.0.0 30.30.30.30

!Create a static NAT which translates 20.20.20.1 to 30.30.30.3

object network router_static
 host 20.20.20.1
nat (inside,outside) static 30.30.30.3

!Allow GRE traffic from R2 to R1. The ACL below is for ASA 8.3 and later.

access-list OUT-IN extended permit gre host 50.50.50.1 host 20.20.20.1
access-group OUT-IN in interface outside

NOTE:

The ACL created above is for ASA version 8.3 and later. For ASA version prior to 8.3 the ACL would be as following:

access-list OUT-IN extended permit gre host 50.50.50.1 host 30.30.30.3

This is because from ASA version 8.3 and later, any access-list statement must reference a “Real IP” address and not a “Mapped” IP address. From versions prior to 8.3, the opposite was true.

Now if you ping a host to LAN2 from LAN1 (and vica-versa) you should get ICMP replies.

Please note also that I have not configured any security protection on the GRE tunnel. If you want you can configure IPSEC on top of GRE in order to encrypt all data passing through the GRE tunnel.

Does Cisco ASA Support GRE Tunnel?

A lot of people keep asking if the ASA supports termination of GRE tunnel on the firewall device itself. Even the latest generation of ASA 5500-X series with the latest version of 9.x does not support termination of GRE on an ASA interface. 

As we have seen above, the ASA can allow GRE traffic to pass through it but the tunnel can’t be terminated on the ASA itself.

GRE is fully supported on Cisco routers and as I have said above, its better to protect the GRE tunnel with an IPSEC tunnel for security purposes. 

DOWNLOAD THIS TUTORIAL AS PDF FILE

Related Posts

Filed Under: Cisco Routers

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. LTLnetworker says

    It is a myth you have to adjust the MTU on the Tunnel interface. It is unnecessary. The router sets the IP MTU internally to 1476 to prevent oversizing anyway. “[If] the DF bit is set, and the datagram size (1500 bytes) is greater than the GRE tunnel IP MTU (1476), the router will drop the datagram and send an “ICMP fragmentation needed but DF bit set” message to the source of the datagram. The ICMP message will alert the sender that the MTU is 1476.”

    See http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml for the complete discussion.

  2. Blog Admin says

    Hi LTLnetworker,

    Thanks a lot for stopping by and leaving your comment. I didn’t know that you don’t have to adjust the MTU for GRE. I know you have to adjust it for MPLS networks so I thought would be required here as well. Thanks for sharing your knowledge.

    Harris

  3. Scott Sherman says

    How would the configuration look if you had an IPSec Tunnel between R2 and the ASA as well as the GRE between R2 and R1? Thank you.

  4. Blog Admin says

    Scott,

    You would have two different tunnels, one for GRE (just like the one we describe here) plus the IPSEC tunnel. However, why would you want to do that? I would suggest using GRE with IPSEC protection between the routers instead of terminating a different IPSEC tunnel on the ASA.

  5. Scott Sherman says

    R2 supports IPsec and R1 does not and we need to run BGP to support a diverse route from the Primary WAN connection. Therefore, can you support GRE over IPsec on R2 and have the IPSec terminate on the ASA and the GRE terminate on R1 to support BGP? Thank you.

  6. Blog Admin says

    Scott,

    I believe you can, although I haven’t tested it. You can have IPSEC between R2-ASA and the interesting traffic inside IPSEC must be GRE. So you would configure a VPN ACL on R2 and ASA which will allow GRE traffic to pass inside the IPSEC tunnel. This should work.

    Harris

  7. Arafet says

    Please can I config a GRE tunnel between ASA (5512-x) and a remote cisco router for Multicast traffic?

  8. Harris Andrea says

    Arafet,

    Unfortunately Cisco ASA does not support GRE tunnel terminated on the device itself. You can not configure a GRE tunnel between ASA and router. You need to have two routers.

    Harris

  9. Song says

    Thanks Harris for sharing the idea of creating a GRE tunnel from a device behind ASA. In today’s environment, we definitely do not want to create a GRE tunnel directly between two devices using public IP addresses. Instead of, we can create a site to site VPN tunnel as you mentioned in the discussion between R2 and ASA and allow the traffic only between the two loopback interfaces create on R1 and R2. By using the loopback inerfaces as the GRE tunnel end point, it can simplify the tunnel configuration and accomplish tasks without jeopardize network security

  11. Mike Christiaens says

    This set up works with IPSEC over GRE? Do you need to add anything ACL wise to make sure the GRE tunnel with IPSEC get passed through the firewall?

  12. Harris Andrea says

    Yes it will work with IPSEC over GRE as well. You will need to allow IPSEC protocols through the ASA outside ACL (ESP, AH, UDP 500).

    Harris

  13. capricorn says

    I am doing similar lab in GNS3. I can see traffic when I ping from inside to outside (Proto 47) but when I ping from outside to inside then I dont see any traffic on CISCO ASA. I have setup a capture on outside for gre and icmp. My ping is not working from inside to out or out to in.

    It looks like ASA is not seeing gre traffic when it comes back from outside. I have debug on outside router and when I ping from inside I can see that traffic arrives on outside routere.

    Any tip?

  16. capricorn says

    I wish you have mentioned IPsec for the same scenario because I am not able to implement it. The IPsec you mentioned above is for different scanrio.

    and again thanks for this config as it helped :).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

BLOGROLL

Tech21Century
Firewall.cx