Introduction
This sample configuration shows how to configure generic routing encapsulation (GRE) over IP Security (IPSec) where the GRE/IPSec tunnel is going through a firewall doing Network Address Translation (NAT).
Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.
Prerequisites
This kind of configuration could be used to tunnel and encrypt traffic that normally would not go through a firewall, such as IPX (as in our example here) or routing updates. In this example, the tunnel between the 2621 and the 3660 only works when traffic is generated from devices on the LAN segments (not an extended IP/IPX ping from the IPSec routers). IP/IPX connectivity was tested with IP/IPX ping between devices 2513A and 2513B.
Note: This does not work with Port Address Translation (PAT).
Components Used
The information in this document is based on the software and hardware versions below.
- Cisco IOS® 12.4
- Cisco PIX Firewall 535
- Cisco PIX Firewall Software Release 7.x and later
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
IOS Configuration Note: With Cisco IOS 12.2(13)T and later (higher-numbered T-train releases, and 12.3 and later), the configured IPsec "crypto map" only needs to be applied to the physical interface; it is no longer required on the GRE tunnel interface. Applying the "crypto map" to both the physical and the tunnel interface still works on 12.2(13)T and later, but it is highly recommended to apply it only on the physical interface.
Network Diagram
This document uses the network setup shown in the diagram below.
Note: The IP addresses used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses that have been used in a lab environment.
Network Diagram Notes
- GRE tunnel from 10.2.2.1 to 10.3.3.1 (IPX network BB)
- IPSec tunnel from 10.1.1.2 (translated by the PIX to 10.99.99.12) to 10.99.99.2
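As an added illustration of the crypto map placement described in the IOS configuration note and of the one-to-one NAT this setup needs, here is a configuration for the 2621 and PIX sides built from the diagram's addresses; it is not the document's own configuration. Interface names, the PIX inside address 10.1.1.1, the pre-shared key, the LAN IPX network number and the ACL/map names are assumptions.

```cisco
! --- 2621 (inside the PIX) ---
! Assumed: FastEthernet0/0 faces the PIX (next hop 10.1.1.1),
! FastEthernet0/1 faces 2513A; key, names and ACL number are placeholders.
ipx routing
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key PLACEHOLDER-PSK address 10.99.99.2
!
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
!
! Crypto ACL: protect only the GRE traffic between the two tunnel endpoints
access-list 101 permit gre host 10.2.2.1 host 10.3.3.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 10.99.99.2
 set transform-set GRE-TS
 match address 101
!
interface Tunnel0
 no ip address
 ipx network BB
 tunnel source 10.2.2.1
 tunnel destination 10.3.3.1
 ! 12.2(13)T and later: no "crypto map" here, only on the physical interface
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 crypto map GRE-MAP
!
interface FastEthernet0/1
 ip address 10.2.2.1 255.255.255.0
 ! assumed LAN IPX network number
 ipx network AA
!
! Reach the far tunnel endpoint and the IPsec peer via the PIX, never via Tunnel0
ip route 10.3.3.0 255.255.255.0 10.1.1.1
ip route 10.99.99.0 255.255.255.0 10.1.1.1
!
! --- PIX 7.x ---
! One-to-one static NAT for the 2621 (PAT cannot translate ESP, which has no ports)
! and inbound ESP plus IKE from the 3660 to the translated address
static (inside,outside) 10.99.99.12 10.1.1.2 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit esp host 10.99.99.2 host 10.99.99.12
access-list OUTSIDE-IN extended permit udp host 10.99.99.2 host 10.99.99.12 eq isakmp
access-group OUTSIDE-IN in interface outside
```

The 3660 mirrors the 2621 with the peer and crypto ACL reversed, except that it peers with the translated address 10.99.99.12 rather than 10.1.1.2.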
Configurations
| Device 2513A |
|---|
| ipx routing 00e0.b064.20c1 |

| 2621 |
|---|
| version 12.4 |

| PIX |
|---|
| pixfirewall# sh run |

| 3660 |
|---|
| version 12.4 |

| Device 2513B |
|---|
| ipx routing 00e0.b063.e811 |
Verify
This section provides information you can use to confirm your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
- show crypto ipsec sa - Shows the phase 2 security associations.
- show crypto isakmp sa - Shows the current active encrypted session connections for all crypto engines.
- Optionally: show interfaces tunnel number - Shows tunnel interface information.
- show ip route - Shows all static IP routes, or those installed using the AAA (authentication, authorization, and accounting) route download function.
- show ipx route - Shows the contents of the IPX routing table.