GRE and Access Lists
GRE is a protocol on the same level as TCP and UDP: it sits directly on top of IP. When configuring a firewall to
allow GRE, you do not configure a port as you would for telnet or SSH, because GRE has no ports. Instead, you must
configure the firewall to allow IP protocol number 47. Cisco routers offer the keyword gre
when configuring access lists:
R1(config)#access-list 101 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
igrp Cisco's IGRP routing protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
tcp Transmission Control Protocol
udp User Datagram Protocol
PIX firewalls also support the keyword gre:
PIX(config)#access-list In permit gre host 10.10.10.10 host 20.20.20.20
The Point-to-Point Tunneling Protocol (PPTP) uses GRE, so if you're using this protocol for VPN access, you will need to allow GRE on your firewall.
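The evaluator below is an added Python example, not code from the book: it maps the Cisco ACL keywords from the help output above to their IP protocol numbers, builds constructed IPv4 headers, and applies the PIX entry from the text to show that GRE can only be matched by protocol number (a TCP port rule, using PPTP's control port 1723 as the illustration, never matches the GRE data traffic).

```python
import struct
import ipaddress

# IP protocol numbers behind the Cisco ACL keywords shown in the help output above.
PROTO_KEYWORDS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17,
                  "gre": 47, "esp": 50, "ahp": 51, "eigrp": 88, "ospf": 89, "pim": 103}

def build_ipv4(src, dst, proto, payload=b""):
    """Constructed test packet: 20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse_packet(pkt):
    """Extract the fields an ACL keys on; a destination port exists only for TCP/UDP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, src, dst = pkt[9], pkt[12:16], pkt[16:20]
    info = {"proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)), "dport": None}
    if proto in (PROTO_KEYWORDS["tcp"], PROTO_KEYWORDS["udp"]):
        info["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])[1]
    return info

def acl_match(rules, pkt):
    """Evaluate rules in order: (action, proto_keyword, src, dst, dport_or_None).
    'any' wildcards a host; falling off the end is Cisco's implicit deny."""
    p = parse_packet(pkt)
    for action, kw, src, dst, dport in rules:
        if kw != "ip" and PROTO_KEYWORDS[kw] != p["proto"]:
            continue
        if src not in ("any", p["src"]) or dst not in ("any", p["dst"]):
            continue
        if dport is not None and dport != p["dport"]:
            continue  # a port rule can never match GRE: the packet carries no port
        return action
    return "deny"

# Mirrors the PIX entry in the text: access-list In permit gre host 10.10.10.10 host 20.20.20.20
ACL_IN = [("permit", "gre", "10.10.10.10", "20.20.20.20", None)]
# Port-only rule for PPTP's TCP control channel (1723, assumed here for illustration)
ACL_PORT_ONLY = [("permit", "tcp", "any", "any", 1723)]

GRE_PKT = build_ipv4("10.10.10.10", "20.20.20.20", PROTO_KEYWORDS["gre"])
GRE_REVERSE = build_ipv4("20.20.20.20", "10.10.10.10", PROTO_KEYWORDS["gre"])
TCP_PKT = build_ipv4("10.10.10.10", "20.20.20.20", PROTO_KEYWORDS["tcp"],
                     struct.pack("!HH", 40000, 1723))  # constructed TCP src/dst ports
```

Note that ACL_IN permits only the one direction written in the entry; the reverse tunnel direction needs its own permit on whichever interface it enters.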