Question

Cisco Pix 506E to Linksys BEFVP41 VPN Tunnel

Asked by: markwel

We have six remote offices that we want to VPN back to our central office. The central office location has a T1 with an Adtran Netvanta 3200 Router and Cisco Pix 506E v6.3(3). We also use ISA 2004 located on a Small Business Server 2003 R2. The remote offices all have DSL (6mB/512mB); the smallest office will have 6 people, the largest around 10-12. We want to use the Linksys BEFVP41 at each location to establish a VPN tunnel to the central office Pix. We also want to add a Windows 2003 R2 server to each location which will be added as a member server to the central office domain.

I have set up the PIX and the Linksys for this to work. Right now on the BEFVP41 side under VPN it shows "CONNECTED". In the log on the BEFVP41 it shows "Set up ESP tunnel with xx.xxx.xx.xxx Success!" But, I cannot ping any IPs on the central office LAN or vice versa. Has anyone done this successfully? What am I doing wrong?

Thanks for the help.


Asked On: 2008-04-17 at 07:10:49 (ID 23330903)
Tags: Cisco/Linksys, BEFVP41 and Cisco Pix 506E, Pix, VPN Tunnel

Topics: Virtual Private Networking (VPN), Cisco PIX Firewall

Participating Experts: 1
Points: 20
Comments: 21


Answers

by: SplinterCell5894, posted on 2008-04-17 at 07:15:07, ID: 21377273

I've set up a tunnel between the BEFVP41 and a PIX 515.  My experience has been that if the Linksys shows connected, then you probably are.

So, at this point, I'd take a look at the following:

1. Are your routing tables set up correctly?
2. Can you ping the inside interface of the Linksys from the Cisco ("ping inside w.x.y.z")?
3. Have you defined the traffic to travel across the tunnel correctly?
4. Have you excluded that same traffic from NAT?

That's where I'd start.

Also, feel free to post the (sanitized) "show run" from your PIX and you can attach screen shots of the Linksys.

<-=+=->

by: markwel, posted on 2008-04-17 at 07:49:08, ID: 21377668

Cannot ping either direction. How do I set up the traffic to travel across the tunnel? How do I exclude the same traffic from NAT? On the routing tables, how do I know they're set correctly?

The inside IP of the Linksys side LAN is 192.168.0.58. Could this be something in ISA 2004? Should I have an access rule to allow all VPN traffic/protocols?

I have attached running config from Pix and screen shots from Linksys.

Thanks.....

by: SplinterCell5894, posted on 2008-04-17 at 08:00:38, ID: 21377820

To set up the traffic to travel across the tunnel, you need to configure an ACL on the PIX which will identify the source and destination networks.  You've done this in your "outside_cryptomap_10" ACL.

To specify that traffic will not use NAT on the PIX, you set up another ACL with the source and destination networks, and then you use the "nat 0" command.  You've done this with the "inside_outbound_nat0_acl" ACL and the "nat (inside) 0 access-list inside_outbound_nat0_acl" command.

On the Linksys, it doesn't really give you any of those options.  You simply tell it what your local LAN is ("Local Secure Group") and what your remote LAN is ("Remote Secure Group") and then set up the tunnel stuff.  The problem with the Linksys is that you can only specify one remote LAN.  Since you've defined 10.0.0.0/24, that's the only network you can communicate with.  The PIX ACLs also identify 192.168.1.0/24 as a network that should communicate with the Linksys LAN, but that won't happen because the Linksys will not be able to send traffic back across the tunnel for 192.168.1.0/24 because it doesn't have the capability of identifying multiple networks for the remote side.

From what I can see, your basic config looks okay.  I would think you could ping the Linksys inside interface (192.168.0.58, I think) from the PIX.  To do this, though, you must specify the interface on the PIX from which the traffic should initiate.  The command would be "ping inside 192.168.0.58".

Where does the ISA server physically sit in all of this?

<-=+=->

by: markwel, posted on 2008-04-17 at 08:13:40, ID: 21378000

When trying to ping 192.168.0.58 (Linksys) from the PIX I get a NO RESPONSE.

The ISA server is located on a Small Business Server 2003 inside the local LAN on the PIX side.

Appreciate your help.

by: SplinterCell5894, posted on 2008-04-17 at 08:28:36, ID: 21378209

So, the ISA server should not be a factor in this.  I'm assuming that the network on the other side of the ISA server is the 192.168.1.0/24 segment and its "outside" interface is 10.0.0.0/24?

What happens if you try to ping a 10.0.0.0/24 address (not the PIX inside interface) from a 192.168.0.0/24 address (not the Linksys) and vice versa?  Same thing?

<-=+=->

by: markwel, posted on 2008-04-17 at 08:40:07, ID: 21378341

That is correct on the ISA outside interface. The ISA inside is 192.168.1.0/24 and the outside is 10.0.0.0/24.

So in order to ping the IP you say, I would need to do this from a machine inside the 192.168.0.58 LAN (Linksys side)?

by: SplinterCell5894, posted on 2008-04-17 at 08:47:55, ID: 21378421

Well, I'm just thinking that it would be nice to see what happens if devices other than the VPN termination points are used to test traffic.

Also, what happens when you do a tracert from a Windows box on one of the networks?  That sort of thing.

<-=+=->

by: markwel, posted on 2008-04-17 at 09:04:04, ID: 21378594

Can't ping 10.0.0.0/24 addresses from the Linksys side LAN PCs.  Also, when doing a tracert of 10.0.0.x from the Linksys side PCs I get a "Request timed out".

by: SplinterCell5894, posted on 2008-04-17 at 09:08:30, ID: 21378647

Where does the tracert die?  At 192.168.0.58?

<-=+=->

by: markwel, posted on 2008-04-17 at 12:27:22, ID: 21380495

When I do a tracert for 10.0.0.x from a PC on the Linksys side it dies immediately on the first hop.

by: markwel, posted on 2008-04-17 at 12:29:53, ID: 21380521

Same thing when doing a tracert for 192.168.0.58 from a PC on the PIX side..."Request timed out" on the first hop.

by: SplinterCell5894, posted on 2008-04-17 at 12:46:33, ID: 21380651

I'd try removing the following command from your PIX:
access-list outside_cryptomap_10 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

I mean, the Linksys isn't going to send traffic that way anyway because it can only list one network (10.0.0.0/24) as a destination.  So, there's really no reason to define that in the PIX's ACL.  You can use the same list, by the way, for the nat (inside) 0 line as well instead of creating a second one (inside_outbound_nat0_acl).

It's a shot in the dark, but I'm hoping that since the lists don't match, it's causing a problem (although I doubt it).

I'm looking at the configs again to see what I can see.  They look pretty good.

Silly question, but the machines that you're using to test... the default gateway is pointed to the PIX inside interface or the Linksys inside interface, right?

<-=+=->

by: markwel, posted on 2008-04-17 at 12:54:10, ID: 21380705

Ok...I'll try that and post my findings. The default gateway of the PCs on the PIX side is 192.168.1.x (the IP of the SBS2K3 server where ISA 2004 resides). The gateway on the Linksys side PCs is 192.168.0.58 (that of the Linksys BEFVP41). The SBS2K3 server is the domain controller on our LAN.

by: markwel, posted on 2008-04-17 at 13:07:06, ID: 21380810

Removed

access-list outside_cryptomap_10 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

Had no effect. Did a ping from the PIX, timed out. The remote location (Linksys side) is just down the block from me and since removing the ACL I haven't been able to go there and check to make sure I'm still connected to the VPN. I'll let you know once I'm down there.

by: SplinterCell5894, posted on 2008-04-17 at 13:07:15, ID: 21380812

So, you're pinging from inside the ISA server's network?

<-=+=->

by: markwel, posted on 2008-04-17 at 13:12:48, ID: 21380868

I tried pinging from inside the ISA server's network and directly from the PIX itself with the same results. I tried to ping 192.168.0.58 from inside the ISA's network and directly from the PIX, both timed out. Tracert died on the first hop.

by: SplinterCell5894, posted on 2008-04-17 at 13:17:28, ID: 21380918

Well, it's not going to work from inside the ISA server's network at all.  The reason why is because the Linksys is only sending 10.0.0.0/24 traffic (presumably) across the tunnel.  192.168.1.0/24 traffic is not going across the tunnel because that's not defined as the "Remote Secure Group".  So, the Linksys does not know that it's supposed to send traffic for that network across the tunnel.

Does that make sense?

<-=+=->
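The three points SplinterCell5894 makes above (the PIX needs a crypto ACL and a matching nat 0 exemption, the Linksys BEFVP41 only accepts one Local and one Remote Secure Group, and the mismatched 192.168.1.0/24 line in outside_cryptomap_10 therefore buys nothing) can be checked mechanically before walking down the block to the remote office. The following script is an added example written for this page; it is not from either participant, and the PIX_CONFIG fragment in it is a constructed reconstruction of the ACL and nat 0 lines named in the thread, not the asker's actual "show run". It parses the `permit ip` entries of the crypto ACL and the nat 0 ACL, models the single network pair a BEFVP41 tunnel can carry, reports every pair that one side would encrypt and the other would not (or that would be NATed before encryption), and answers for a given source/destination whether both ends would put the flow in the tunnel. The `audit` and `tunnel_carries` function names are my own.

```python
"""Cross-check a PIX 6.3 crypto ACL, its nat 0 exemption ACL and a Linksys
BEFVP41 Local/Remote Secure Group pair.  Added example; PIX_CONFIG below is a
constructed fragment modelled on the thread, not the asker's real config."""
import ipaddress
import re

PIX_CONFIG = """\
access-list outside_cryptomap_10 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
"""

# BEFVP41 tunnel settings as described in the thread (assumed values): exactly
# one local network and one remote network per tunnel, no way to add a second.
LINKSYS_LOCAL_SECURE_GROUP = "192.168.0.0/24"
LINKSYS_REMOTE_SECURE_GROUP = "10.0.0.0/24"

# Only the 'permit ip <net> <mask> <net> <mask>' form is handled; 'host' and
# 'any' entries are skipped rather than mis-parsed.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")


def parse_acls(config):
    """Map ACL name -> list of (src_network, dst_network) from 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        try:
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
        except ValueError:  # 'host x.x.x.x' style entries, out of scope here
            continue
        acls.setdefault(name, []).append(pair)
    return acls


def _first_match(config, pattern):
    for line in config.splitlines():
        m = pattern.match(line.strip())
        if m:
            return m.group(1)
    return None


def pix_tunnel_pairs(config):
    """Pairs the PIX encrypts: the ACL named by 'crypto map ... match address'."""
    return parse_acls(config).get(_first_match(config, MATCH_RE), [])


def pix_nat0_pairs(config):
    """Pairs the PIX exempts from NAT: the ACL named by 'nat (...) 0 access-list'."""
    return parse_acls(config).get(_first_match(config, NAT0_RE), [])


def linksys_tunnel_pairs(local_group, remote_group):
    """The single pair the Linksys protects, written PIX-side -> Linksys-side
    so it compares directly with the PIX crypto ACL entries."""
    return [(ipaddress.ip_network(remote_group), ipaddress.ip_network(local_group))]


def audit(config, local_group, remote_group):
    """Return human-readable mismatches; an empty list means the three agree."""
    crypto = pix_tunnel_pairs(config)
    nat0 = pix_nat0_pairs(config)
    peer = linksys_tunnel_pairs(local_group, remote_group)
    findings = []
    for src, dst in crypto:
        if (src, dst) not in nat0:
            findings.append(f"{src} -> {dst}: in crypto ACL but not in nat 0 ACL, "
                            "so it is NATed before it can match the tunnel")
        if (src, dst) not in peer:
            findings.append(f"{src} -> {dst}: PIX encrypts it, but the Linksys has no "
                            "matching Remote Secure Group, so replies never enter the tunnel")
    for src, dst in peer:
        if (src, dst) not in crypto:
            findings.append(f"{src} -> {dst}: Linksys protects it but the PIX crypto ACL does not")
    return findings


def tunnel_carries(config, local_group, remote_group, src_ip, dst_ip):
    """For a PIX-side src -> Linksys-side dst flow, return
    (pix_encrypts_outbound, linksys_encrypts_reply)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    pix_ok = any(src in s and dst in d for s, d in pix_tunnel_pairs(config))
    linksys_ok = (dst in ipaddress.ip_network(local_group)
                  and src in ipaddress.ip_network(remote_group))
    return pix_ok, linksys_ok


if __name__ == "__main__":
    for finding in audit(PIX_CONFIG, LINKSYS_LOCAL_SECURE_GROUP, LINKSYS_REMOTE_SECURE_GROUP):
        print("MISMATCH:", finding)
    print(tunnel_carries(PIX_CONFIG, LINKSYS_LOCAL_SECURE_GROUP, LINKSYS_REMOTE_SECURE_GROUP,
                         "192.168.1.5", "192.168.0.20"))
```

Run against the constructed fragment, `audit` reports two problems, both caused by the 192.168.1.0/24 entry: it is absent from inside_outbound_nat0_acl, and it has no counterpart on the Linksys. Once that entry is dropped, as suggested in the thread, the report is empty, and `tunnel_carries` shows why a ping from an ISA-side 192.168.1.x host can never succeed: the PIX would encrypt it but the Linksys would route the reply out to the Internet instead of back through the tunnel.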

by: markwel, posted on 2008-04-17 at 13:21:31, ID: 21380958

Makes sense...but shouldn't I be able to ping 192.168.0.58 (the Linksys side) directly from the PIX?

Anyway...how can I get this going? If I can get one of these up the other five will be a piece of cake.

Thanks again for your help.

by: SplinterCell5894, posted on 2008-04-17 at 13:23:41, ID: 21380978

Yeah.  You should be able to.  To be honest, I'm not sure why you can't.  I mean, the configs look okay to me.

Let me dig around and see what I can find out.

<-=+=->

by: markwel, posted on 2008-04-17 at 13:25:23, ID: 21380994

Really appreciate your input/time on this.

by: markwel, posted on 2008-04-21 at 04:54:54, ID: 21400611

Anyone else able to help on this?
