One question I am often asked is whether you can terminate a GRE tunnel on a Cisco ASA firewall, and the answer is no. What you can do is terminate the GRE tunnel on the routers behind the ASA and use the ASA to encrypt the GRE traffic with IPsec. Here is how you do it.
The scenario below can be used to create a backup link between your WAN routers; I have seen it done on many networks, and used together with IP SLA tracking it might just save your life when your primary WAN link takes a nosedive.
Create a simple GRE tunnel on each router, sourced from a loopback, with the other end's loopback as the destination, just like below.
Router 1
interface Loopback10
ip address 10.255.255.254 255.255.255.255
interface Tunnel10
description GRE tunnel to R2
bandwidth 4500
ip address 10.200.200.1 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1300
keepalive 10 3
tunnel source 10.255.255.254
tunnel destination 10.255.255.253
Router 2
interface Loopback10
ip address 10.255.255.253 255.255.255.255
interface Tunnel10
description GRE tunnel to R1
bandwidth 4500
ip address 10.200.200.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1300
keepalive 10 3
tunnel source 10.255.255.253
tunnel destination 10.255.255.254
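Where the 1400-byte ip mtu and 1300-byte MSS in the tunnel configs come from, as an added example that is not part of the original post: the script below totals the headers a packet picks up on the way out (GRE on the router, then ESP tunnel mode on the ASA) and finds the largest tunnel MTU that still fits a 1500-byte link unfragmented. The transform set assumed is AES-CBC with HMAC-SHA1-96, which is what the post's AES-192-SHA negotiates; the function names and the NAT-T toggle are my own.

```python
# Added example (not part of the original post): MTU/MSS budget for GRE over IPsec.
# Models the headers a packet picks up: inner IP -> GRE -> outer IP on the router,
# then ESP (tunnel mode) -> new outer IP on the ASA. Sizes are protocol constants;
# the transform set assumed is AES-CBC + HMAC-SHA1-96 (the post's AES-192-SHA).

IP_HDR = 20          # IPv4 header without options
GRE_HDR = 4          # basic GRE header (no key/seq/checksum), RFC 2784
ESP_HDR = 8          # SPI + sequence number
AES_BLOCK = 16       # AES-CBC IV size and padding block size
ESP_TRAILER = 2      # pad length + next header
SHA1_ICV = 12        # HMAC-SHA1-96 authenticator
NAT_T_UDP = 8        # UDP header if NAT-T (UDP/4500) is negotiated between the firewalls


def gre_outer_len(inner_len: int) -> int:
    """Size of the GRE packet the router emits for an inner IP packet of inner_len bytes."""
    return inner_len + GRE_HDR + IP_HDR


def esp_tunnel_len(plain_len: int, nat_t: bool = False) -> int:
    """Size of the ESP tunnel-mode packet the ASA emits for a plain_len-byte IP packet.

    The plaintext (the whole GRE packet) plus the 2-byte trailer is padded up to a
    multiple of the cipher block; then IV, ESP header, ICV and a new outer IP header
    are added (plus a UDP header when NAT-T is in use).
    """
    padded = -(-(plain_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK  # ceil to block
    size = IP_HDR + ESP_HDR + AES_BLOCK + padded + SHA1_ICV
    if nat_t:
        size += NAT_T_UDP
    return size


def wire_len(inner_len: int, nat_t: bool = False) -> int:
    """Bytes on the WAN for one inner packet after both encapsulations."""
    return esp_tunnel_len(gre_outer_len(inner_len), nat_t)


def max_inner_mtu(link_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest 'ip mtu' for the tunnel interface whose packets still fit link_mtu."""
    for inner in range(link_mtu, 0, -1):
        if wire_len(inner, nat_t) <= link_mtu:
            return inner
    return 0


def mss_for(ip_mtu: int) -> int:
    """TCP MSS that exactly fills ip_mtu (20-byte IP + 20-byte TCP, no options)."""
    return ip_mtu - IP_HDR - 20


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: 1400-byte inner packet -> {wire_len(1400, nat_t)} bytes on the wire, "
              f"max safe ip mtu {max_inner_mtu(1500, nat_t)}")
    print(f"MSS that fills ip mtu 1400: {mss_for(1400)}")
```

With this transform set a 1400-byte inner packet leaves the ASA at 1496 bytes, so it just fits a 1500-byte link; the largest tunnel MTU that still fits is 1414. If NAT-T is negotiated between the firewalls the same packet is 1504 bytes and the ASA has to fragment it, and 1398 is the highest safe value, so check `show crypto ipsec sa` for NAT-T before trusting 1400. `mss_for(1400)` is 1360, so the 1300 in the configs leaves 60 bytes of headroom for TCP options.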
Once this is complete, make sure each router has a route to the other router's loopback that points towards the firewall. Your default route probably points out of the WAN link, so you need a more specific /32 route for the remote loopback whose next hop is the inside gateway leading to the ASA, and the same on the other end. If the GRE packets never reach the firewall, nothing gets encrypted and the tunnel will not come up.
For example, on Router 2: ip route 10.255.255.254 255.255.255.255 (IP address of your internal gateway which leads to the firewall encrypting the tunnel)
Next, configure the firewall. One thing I always do before making changes on a firewall is plan, plan, and plan again.
Remember: objects/groups, routing, NAT, ACLs, crypto map/tunnel group. If you get every item on that list right, your tunnel will come up with no problems.
As you can see from my GRE tunnel, I am sourcing from a loopback and the destination is a loopback. There are two reasons for this: 1. A loopback is a virtual interface, so it does not go down when a physical link does, which keeps your tunnel up. 2. The two loopbacks are the only addresses I need to include in the interesting traffic on my crypto map and ACLs. Any other traffic, whatever its source or destination, is encapsulated inside the GRE packet, so the firewall never sees it and does not need to be configured to allow it. The flip side is that the ASA cannot filter or inspect what travels inside the tunnel either, so any access control between the two sites has to live on the routers.
Below is a sample config for encrypting the tunnel from the Router 2 side. It is basically the same as creating a normal L2L (site-to-site) IPsec tunnel, and the other side is the same with source and destination reversed. The ASA also needs to reach R1_Loopback out of its outside interface; normally the default route covers that.
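Why only the two loopbacks need to appear in the ASA's interesting traffic, shown as an added example rather than anything from the original post: the script builds a GRE packet the way Router 1 does (outer IP header from the tunnel source and destination, a 4-byte GRE header, the inner packet untouched) and evaluates it against the crypto ACL the way the ASA does, on the outer header only. The addresses are the ones used in the post; the minimal packet builder and ACL matcher are my own simplifications for illustration.

```python
# Added example (not part of the original post): a LAN-to-LAN packet inside GRE is
# matched by the ASA's crypto ACL purely on the outer (loopback-to-loopback) header.
import ipaddress
import struct

R1_LOOPBACK = "10.255.255.254"   # from the post's Router 1 Loopback10
R2_LOOPBACK = "10.255.255.253"   # from the post's Router 2 Loopback10
GRE_PROTO = 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones-complement checksum over the header bytes."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """What Tunnel10 emits: outer IP (protocol 47) + basic GRE header + the inner packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    payload = gre_hdr + inner
    return ipv4_header(tun_src, tun_dst, GRE_PROTO, len(payload)) + payload


def parse_outer(pkt: bytes):
    """The only fields the ASA's ACL engine looks at: outer src, outer dst, protocol."""
    return (str(ipaddress.ip_address(pkt[12:16])),
            str(ipaddress.ip_address(pkt[16:20])),
            pkt[9])


# Interesting traffic as (protocol, source host, destination host). 'ip' is any protocol,
# mirroring: access-list outside_cryptomap_1 extended permit ip host R1_Loopback host R2_Loopback
CRYPTO_ACL = [("ip", R1_LOOPBACK, R2_LOOPBACK)]


def acl_permits(acl, pkt: bytes) -> bool:
    src, dst, proto = parse_outer(pkt)
    for acl_proto, acl_src, acl_dst in acl:
        proto_ok = acl_proto == "ip" or (acl_proto == "gre" and proto == GRE_PROTO)
        if proto_ok and src == acl_src and dst == acl_dst:
            return True
    return False


def inner_traffic_is_encrypted(inner_src: str, inner_dst: str, acl=CRYPTO_ACL) -> bool:
    """Any inner flow rides the loopback-to-loopback GRE packet, so it matches the ACL."""
    inner = ipv4_header(inner_src, inner_dst, 6, 20) + b"\x00" * 20  # constructed TCP stub
    return acl_permits(acl, gre_encapsulate(inner, R1_LOOPBACK, R2_LOOPBACK))


if __name__ == "__main__":
    for flow in (("192.168.1.10", "192.168.2.20"), ("10.1.1.1", "172.16.5.5")):
        print(flow, "-> encrypted:", inner_traffic_is_encrypted(*flow))
```

Run it with any pair of inner addresses and the result is the same: the ASA's decision depends only on the loopback pair. That is exactly why the crypto ACL stays tiny, and also why the ASA's ACLs say nothing about what the sites send each other through the tunnel. A `permit gre` entry (the `"gre"` protocol in the matcher) matches the same packets and excludes everything else between the loopbacks.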
Objects
————-
name 10.255.255.253 R2_Loopback
name 10.255.255.254 R1_Loopback
Routing
————-
route Inside R2_Loopback 255.255.255.255 (next hop towards Router 2, so the ASA can reach its loopback) 1
ACLs
————-
access-list inside_access_in extended permit ip host R2_Loopback host R1_Loopback
access-list outside_access_in extended permit ip host R1_Loopback host R2_Loopback
(The only protocol that has to pass between the loopbacks is GRE, IP protocol 47, so these can be tightened to permit gre if you do not need to ping between the loopbacks for troubleshooting. With the default sysopt connection permit-vpn, decrypted VPN traffic bypasses the outside interface ACL, so the second line only takes effect if you have turned that off.)
NAT Exempt
————-
access-list inside_nat0_outbound extended permit ip host R2_Loopback host R1_Loopback
nat (Inside) 0 access-list inside_nat0_outbound
(The ACL does nothing on its own; the nat 0 line, in the pre-8.3 syntax that matches the name commands above, is what stops the ASA from translating the loopback-to-loopback GRE packets, which would otherwise never match the crypto ACL.)
Crypto / Tunnel group
———————–
access-list outside_cryptomap_1 extended permit ip host R2_Loopback host R1_Loopback
crypto ipsec transform-set AES-192-SHA esp-aes-192 esp-sha-hmac
crypto map outside_map 200 match address outside_cryptomap_1
crypto map outside_map 200 set peer (external IP of peer firewall)
crypto map outside_map 200 set transform-set AES-192-SHA
tunnel-group (external IP of peer Firewall) type ipsec-l2l
tunnel-group (external IP of peer Firewall) ipsec-attributes
pre-shared-key *****
(The match address line binds the interesting-traffic ACL to crypto map entry 200; without it the ACL is never consulted. The transform-set line is included so that the name referenced by set transform-set actually exists. Phase 1 (crypto isakmp policy), crypto isakmp enable on the outside interface and crypto map outside_map interface Outside are assumed to be in place already, as they would be on a firewall that already carries L2L tunnels; phase 1 is deliberately not covered here.)
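The "plan, plan and plan again" checklist above lends itself to a pre-change consistency check, so here is one as an added example (not the post's own tooling). It parses the handful of ASA lines that matter (name, access-list, crypto map set peer and match address, tunnel-group) from a constructed config text, derives the mirror-image crypto ACL the peer firewall needs, and checks the crypto ACL against the routers' tunnel source and destination, which is where these builds usually go wrong. The config text, the documentation-range peer IP 198.51.100.1, the deliberately broken second config and the tiny line parser are all my own assumptions; the syntax is the pre-8.3 style the post uses.

```python
# Added example (not part of the original post): checklist consistency for the ASA side
# of a GRE-over-IPsec build. Constructed config text; pre-8.3 'name' style as on the page.
import re

# Constructed from the post's Router 2 side, with a documentation peer address.
ASA_R2_SIDE = """\
name 10.255.255.253 R2_Loopback
name 10.255.255.254 R1_Loopback
access-list inside_nat0_outbound extended permit ip host R2_Loopback host R1_Loopback
access-list outside_cryptomap_1 extended permit ip host R2_Loopback host R1_Loopback
crypto map outside_map 200 match address outside_cryptomap_1
crypto map outside_map 200 set peer 198.51.100.1
tunnel-group 198.51.100.1 type ipsec-l2l
"""

# Common mistake, constructed for contrast: the crypto ACL names the router's physical
# interface (203.0.113.2) instead of its loopback, so it never matches the tunnel packets.
BAD_R2_SIDE = ASA_R2_SIDE.replace(
    "outside_cryptomap_1 extended permit ip host R2_Loopback",
    "outside_cryptomap_1 extended permit ip host 203.0.113.2")

# (tunnel source, tunnel destination) taken from each router's Tunnel10 in the post.
ROUTER_TUNNELS = {
    "R1": ("10.255.255.254", "10.255.255.253"),
    "R2": ("10.255.255.253", "10.255.255.254"),
}

PATTERNS = {
    "name": re.compile(r"name (\S+) (\S+)"),
    "acl": re.compile(r"access-list (\S+) extended permit (\S+) host (\S+) host (\S+)"),
    "peer": re.compile(r"crypto map \S+ \d+ set peer (\S+)"),
    "match": re.compile(r"crypto map \S+ \d+ match address (\S+)"),
    "tg": re.compile(r"tunnel-group (\S+) type ipsec-l2l"),
}


def parse_asa(text: str) -> dict:
    """Pull the checklist-relevant facts out of the config lines we care about."""
    cfg = {"names": {}, "acls": {}, "peer": None, "crypto_acl": None, "tunnel_groups": set()}
    for line in text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            if kind == "name":
                cfg["names"][m.group(2)] = m.group(1)          # alias -> IP
            elif kind == "acl":
                acl, proto, src, dst = m.groups()
                cfg["acls"].setdefault(acl, []).append((proto, src, dst))
            elif kind == "peer":
                cfg["peer"] = m.group(1)
            elif kind == "match":
                cfg["crypto_acl"] = m.group(1)
            else:
                cfg["tunnel_groups"].add(m.group(1))
            break
    return cfg


def resolve(cfg: dict, host: str) -> str:
    """Turn a 'name' alias back into its IP; plain IPs pass through."""
    return cfg["names"].get(host, host)


def mirror_acl(entries):
    """What the peer ASA must carry: same protocol, source and destination swapped."""
    return [(proto, dst, src) for proto, src, dst in entries]


def check(cfg: dict, local_router: str) -> list:
    """Return a list of problems; an empty list means the checklist items agree."""
    problems = []
    crypto = cfg["acls"].get(cfg["crypto_acl"], [])
    if not crypto:
        problems.append("crypto map has no 'match address' bound to an existing ACL")
    local_lb, remote_lb = ROUTER_TUNNELS[local_router]
    nat0 = set(cfg["acls"].get("inside_nat0_outbound", []))
    for proto, src, dst in crypto:
        if (resolve(cfg, src), resolve(cfg, dst)) != (local_lb, remote_lb):
            problems.append(f"crypto ACL {src}->{dst} does not match {local_router} tunnel source/destination")
        if proto not in ("ip", "gre"):
            problems.append(f"crypto ACL protocol {proto} will never match GRE (IP protocol 47)")
        if (proto, src, dst) not in nat0 and ("ip", src, dst) not in nat0:
            problems.append(f"no NAT exemption for {src}->{dst}; the ASA would translate the GRE packets")
    if cfg["peer"] not in cfg["tunnel_groups"]:
        problems.append(f"no ipsec-l2l tunnel-group named after peer {cfg['peer']}")
    return problems


if __name__ == "__main__":
    for label, text in (("good", ASA_R2_SIDE), ("bad", BAD_R2_SIDE)):
        print(label, check(parse_asa(text), "R2") or "OK")
    print("peer crypto ACL:", mirror_acl(parse_asa(ASA_R2_SIDE)["acls"]["outside_cryptomap_1"]))
```

The good config comes back clean and `mirror_acl` gives the single entry the other firewall's crypto ACL needs (R1_Loopback to R2_Loopback). The bad config reports two problems from one wrong line: the crypto ACL no longer matches Router 2's tunnel source, and the NAT exemption no longer covers what the crypto ACL selects, which is the usual reason a tunnel that "looks right" never negotiates.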
Hope this helps; it certainly helped me when my WAN link went down. The beauty of using a GRE tunnel is that you can send any traffic you want through it and the firewall does not care, and yes, that includes running routing protocols like EIGRP or OSPF across it.
This post assumes you at least know your way around a router and a firewall. I recommend you build a lab and test this on lab equipment before using it in a live environment; I accept no responsibility if you decide to do this on live equipment and bring your data centre down :)
Remember: always save your configuration.
RH
I’m more than happy to uncover this site. I
want to thank you for one's time due to this wonderful read!!
I definitely appreciated every little bit of it and I also have you bookmarked to check out new information on your site.
Very helpful thank you for the write up!
Thanks a lot, but something is still left in my mind. Is this GRE over IPsec? I don't see any phase 1 configuration.
Hey, thanks for the reply. You are correct, no phase 1 is listed; for phase one you would write the command crypto isakmp policy 1 ... authentication x x x, encryption x x x ... etc. On the ASA you can have multiple phase one proposals, as long as they both agree on one.
For the purpose of this document we are encrypting the GRE traffic between the two endpoints. Phase 1 was not the point of this document.
Anyway, it's really old ... use the X series ASA.
Hi!
Thanks for your quick reply. I am trying to achieve the following.
MyRouter (tunnel interface) and interface connecting to ASA ----- ASA (running IPsec) ---- Internet ----- other side (running some server; we only have the phase 1 and phase 2 details and the public IP)
So MyRouter has a tunnel interface and an interface connected directly to the ASA. From the other side of the Internet we just got the phase 1 and phase 2 proposals.
I am trying to simulate this as well
Router1 (tunnel interface) ---- ASA (IPsec) ------- Customer (running IPsec) with a tunnel interface.
The tunnel interfaces are not coming up. If I ping from Router1 to Customer then the traffic is passing, which means the IPsec negotiation is not happening.
Sorry, but this is not enough information for me to help you. Have you set the source and destination for the tunnel?