One question I’ve been asked is “can you terminate a GRE tunnel on a Cisco firewall?” and the answer is no! What you can do is use the ASA to encrypt the GRE traffic between the two routers with IPsec, and here’s how you do it.


The scenario below could be used to create a backup link on your WAN routers; in fact I’ve seen this done on many networks. Used along with IP SLA, this might just save your life when your WAN link takes a nosedive.

Create a simple GRE tunnel, source it from a loopback and make the destination the other end’s loopback, just like below.

Router 1

interface Loopback10
 ip address 10.255.255.254 255.255.255.255

interface Tunnel10
 description GRE --> to R2
 bandwidth 4500
 ip address 10.200.200.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1300
 keepalive 10 3
 tunnel source 10.255.255.254
 tunnel destination 10.255.255.253

Router 2

interface Loopback10
 ip address 10.255.255.253 255.255.255.255

interface Tunnel10
 description GRE --> to R1
 bandwidth 4500
 ip address 10.200.200.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1300
 keepalive 10 3
 tunnel source 10.255.255.253
 tunnel destination 10.255.255.254

Once this is complete you have to make sure each router has a route to the other router’s loopback address. If your WAN link routes one way, you will most likely want to route the loopback traffic towards your firewall, and do the same at the other end; if this traffic doesn’t hit your firewall, your tunnel won’t come up.

For example, on Router 2: “ip route 10.255.255.254 255.255.255.255 (ip address of your internal default gateway which leads to the firewall encrypting the tunnel)”

Next, configure the firewall. One thing I always do when setting up changes on my firewall is to plan, plan and plan again.

Remember – Objects / Groups, Routing, NAT, ACLs, Crypto / Tunnel groups. If you make sure you’ve made all the correct configurations in that list, your tunnel will come up with no problems.

As you can see from my GRE tunnel, I am sourcing from a loopback and the destination is a loopback. There are two reasons behind this: 1. A loopback is a virtual interface, so it can’t go down, which keeps your tunnel up. 2. Those are the only addresses I need to include in my interesting traffic on my crypto maps and ACLs; any other traffic, whatever its source or destination, is encapsulated within the tunnel, so the firewall doesn’t need to be configured to allow it.
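As an added example (not from the original post), here is a small Python model of the argument above: any LAN packet pushed into Tunnel10 gets an outer IP header between the two loopbacks, so the ASA’s crypto ACL only needs that one pair. It also checks the ip mtu 1400 / tcp adjust-mss 1300 values against GRE and worst-case ESP (AES-CBC + SHA1-96) overhead. The LAN hosts and the overhead byte counts are my assumptions, not from the post.

```python
import ipaddress

# Loopbacks from the post; the LAN hosts used in the checks are constructed.
R1_LOOPBACK = "10.255.255.254"
R2_LOOPBACK = "10.255.255.253"

# Crypto ACL on the Router 2 side ASA:
#   access-list outside_cryptomap_1 extended permit ip host R2_Loopback host R1_Loopback
CRYPTO_ACL = [(R2_LOOPBACK, R1_LOOPBACK)]

GRE_OVERHEAD = 20 + 4  # outer IPv4 header + GRE header (no key/sequence options)
# outer IP, SPI/seq, AES IV, max pad, pad-len/next-header, SHA1-96 ICV (assumed worst case)
ESP_OVERHEAD_MAX = 20 + 8 + 16 + 15 + 2 + 12


def acl_matches(acl, src, dst):
    """Host-only ACL check: does (src, dst) hit any 'permit ip host X host Y' entry?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src == ipaddress.ip_address(s) and dst == ipaddress.ip_address(d)
               for s, d in acl)


def direct_match(src, dst):
    """Would a raw LAN packet (not sent into Tunnel10) be selected for encryption?"""
    return acl_matches(CRYPTO_ACL, src, dst)


def gre_outer(inner_src, inner_dst, tunnel_src=R2_LOOPBACK, tunnel_dst=R1_LOOPBACK):
    """Tunnel10 on R2 wraps any inner packet in a new IP header between the loopbacks."""
    return {"outer": (tunnel_src, tunnel_dst), "inner": (inner_src, inner_dst)}


def is_encrypted(inner_src, inner_dst):
    """The ASA only sees the outer header, so every tunnelled packet hits the crypto ACL."""
    return acl_matches(CRYPTO_ACL, *gre_outer(inner_src, inner_dst)["outer"])


def mtu_budget(link_mtu=1500, tunnel_ip_mtu=1400, tcp_mss=1300):
    """Tunnel IP MTU + GRE + worst-case ESP must fit the link MTU, and
    MSS + 40 bytes of TCP/IP headers must fit inside the tunnel IP MTU."""
    wire_bytes = tunnel_ip_mtu + GRE_OVERHEAD + ESP_OVERHEAD_MAX
    return {"wire_bytes": wire_bytes,
            "fits_link": wire_bytes <= link_mtu,
            "mss_fits": tcp_mss + 40 <= tunnel_ip_mtu}


if __name__ == "__main__":
    print(direct_match("192.168.1.10", "192.168.2.20"))  # False: LAN pair is not in the ACL
    print(is_encrypted("192.168.1.10", "192.168.2.20"))  # True: GRE outer header matches
    print(mtu_budget())                                  # 1497 bytes on the wire, fits 1500
```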

Below is a sample config for encrypting the tunnel from the Router 2 side. It’s basically the same as creating a normal L2L tunnel and encrypting the traffic, and it is the same on the other side, just reverse the source and destination.

Objects
————-
name 10.255.255.253 R2_Loopback
name 10.255.255.254 R1_Loopback

Routing
————-
route Inside R2_Loopback 255.255.255.255 (send route towards Router loopback) 1

ACL’s
————-
access-list inside_access_in extended permit ip host R2_Loopback host R1_Loopback
access-list outside_access_in extended permit ip host R1_Loopback host R2_Loopback

NAT Exempt
————-
access-list inside_nat0_outbound extended permit ip host R2_Loopback host R1_Loopback
nat (Inside) 0 access-list inside_nat0_outbound

Crypto / Tunnel group
———————–
(The ISAKMP policy and transform-set values below are examples in pre-8.3 syntax, matching the nat 0 exemption above; match them to your peer.)

access-list outside_cryptomap_1 extended permit ip host R2_Loopback host R1_Loopback

crypto isakmp enable (name of your outside interface)
crypto isakmp policy 10
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400

crypto ipsec transform-set AES-192-SHA esp-aes-192 esp-sha-hmac

crypto map outside_map 200 match address outside_cryptomap_1
crypto map outside_map 200 set peer (external IP of peer firewall)
crypto map outside_map 200 set transform-set AES-192-SHA
crypto map outside_map interface (name of your outside interface)

tunnel-group (external IP of peer Firewall) type ipsec-l2l
tunnel-group (external IP of peer Firewall) ipsec-attributes
pre-shared-key *****

Hope this helps all you people out there; it certainly helped me when my WAN link went down. The beauty of using a GRE tunnel is that you can send any traffic you want through it and the firewall doesn’t care, yes, even routing protocols like EIGRP or OSPF.

This blog assumes you at least know your way around a router and firewall. I recommend you build a lab and test this on lab equipment before using it in a live environment. I accept no responsibility if you decide to do this on live equipment and bring your data centre down 🙂

Remember, always save your configuration.
RH
