Pix 515 to Linksys befvp41 v2 VPN Tunnel


Utilizing information from the experts here at this site, I have set up a 515 that I can establish a split_tunnel to using the Cisco VPN client without a problem. I have also been able to establish a “Connected” status to the 515 with a Linksys befvp41 version 2. But when connected via the befvp41 I cannot see the remote network I am supposedly connected to. This is not a problem when I connect to the same remote network with the Cisco client from the same location through the same Linksys befvp41 V2 router.

The befvp41 is running firmware 1.00.12

Summary 515 config:

PIX Version 6.2(2)
access-list inet permit icmp any any echo-reply
access-list inet deny tcp any any eq 135
access-list inet deny tcp any any eq netbios-ssn
access-list inet deny tcp any any eq 445
access-list inet deny tcp any any eq 593
access-list inet deny udp any any eq 135
access-list inet deny udp any any eq netbios-ns
access-list inet deny udp any any eq netbios-dgm
access-list inet deny udp any any eq 445

access-list NO_NAT permit ip

access-list split_tunnel_acl permit ip any

ip address outside <outside_ip>
ip address inside
ip local pool ippool

global (outside) 1 <public_ip> netmask

nat (inside) 0 access-list NO_NAT
nat (inside) 1 0 0

access-group inet in interface outside

route outside <gateway_ip>

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set split_tunnel_acl-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-DES-MD5
crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP client configuration address initiate
crypto map linksys 20 ipsec-isakmp
crypto map linksys 20 match address split_tunnel_acl
crypto map linksys 20 set peer <Linksys_ip>
crypto map linksys 20 set transform-set split_tunnel_acl-set
crypto map linksys interface outside

isakmp enable outside
isakmp key lammo_pw address <linksys_ip> netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 1
isakmp policy 15 lifetime 1000

vpngroup TEST address-pool ippool
vpngroup TEST wins-server <inside_ip>
vpngroup TEST split-tunnel split_tunnel_acl
vpngroup TEST idle-time 1800
vpngroup TEST password lammo_password

Any help would be greatly appreciated. The timeframe for getting this working is why I have set the points where they are. If this is not appropriate, someone please let me know. This is the first question I have posted here.

Thanks in advance

lrmoore Commented:
Did you change this
>access-list LINKSYS_LAN permit ip 192.168.XX.0

To this:
access-list LINKSYS_LAN permit ip

It's never a good thing to try to turn a class C network into class A by changing the mask.
There are registered IP's within your mask that you may need to get to one day.
The private range only covers 192.168.x.x /
But, as long as there is no overlap with the LAN on the remote site, it should not affect your VPN tunnel.

on the pix, use "show cry is sa" and "show cry ip sa"

Is your PIX's inside interface the default gateway on your inside LAN?
The host that you are trying to access from needs to know that to get to the 10.10.10.x network, it must use the PIX as the gateway.

>access-list NO_NAT permit ip

This is good for the traffic between your LAN and your clients.
Try adding another line for the LAN that is behind the Linksys (make sure it is NOT the same as yours).

I would expect this to be a host netmask:
>isakmp key lammo_pw address <linksys_ip> netmask
isakmp key lammo_pw address <linksys_ip> netmask
You have two separate crypto maps. As you have seen, you can only apply one at a time.

Suggest doing both with one crypto map (different priority #):
access-list LINKSYS_LAN permit ip 192.168.XX.0
                                                 Use appropriate LAN subnet  ^^^^^

crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP client configuration address initiate
crypto map CRYMAP 20 ipsec-isakmp
crypto map CRYMAP 20 match address LINKSYS_LAN
crypto map CRYMAP 20 set peer <Linksys_ip>
crypto map CRYMAP 20 set transform-set split_tunnel_acl-set
crypto map CRYMAP interface outside
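
The reply above makes three points that can be checked mechanically against a PIX 6.x config: only one crypto map can be bound to an interface (so a second map name is dead config), a pre-shared key for a single peer should use a host netmask, and the nat 0 ACL must exempt traffic to the LAN behind the Linksys. The following is an added example, not code from the thread or from Cisco; it runs the three checks plus a peer/key cross-check over constructed config fragments. The addresses (203.0.113.5 for the Linksys WAN side, 10.10.10.0/24 behind the PIX, 192.168.50.0/24 behind the Linksys) are assumptions standing in for the values elided from the post.

```python
"""Lint PIX 6.x IPsec config fragments for the mistakes discussed in the thread.

Constructed sample configs modelled on the posted one; the addresses are
placeholders, not the poster's real values.
"""
import re

# Constructed: the "two crypto maps" shape from the original post.
SAMPLE_CONFIG = """\
access-list NO_NAT permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map linksys 20 ipsec-isakmp
crypto map linksys 20 match address split_tunnel_acl
crypto map linksys 20 set peer 203.0.113.5
crypto map linksys interface outside
isakmp key lammo_pw address 203.0.113.5 netmask 255.255.255.0
"""

# Constructed: the merged single-map shape suggested in the reply.
FIXED_CONFIG = """\
access-list NO_NAT permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP 20 ipsec-isakmp
crypto map CRYMAP 20 match address LINKSYS_LAN
crypto map CRYMAP 20 set peer 203.0.113.5
crypto map CRYMAP interface outside
isakmp key lammo_pw address 203.0.113.5 netmask 255.255.255.255
"""

# Assumed LAN behind the Linksys (network, mask).
REMOTE_LAN = ("192.168.50.0", "255.255.255.0")


def find_problems(cfg, remote_lan):
    """Return a list of human-readable findings; empty list means all checks pass."""
    problems = []

    # 1. Only one crypto map can be bound per interface; any other map is never used.
    defined = set(re.findall(r"^crypto map (\S+) \d+ ", cfg, re.M))
    bound = {name for name, _ in re.findall(r"^crypto map (\S+) interface (\S+)", cfg, re.M)}
    for name in sorted(defined - bound):
        problems.append(f"crypto map {name} is defined but not bound to any interface")
    if len(defined) > 1:
        problems.append("more than one crypto map defined; merge into one map with distinct sequence numbers")

    # 2. A pre-shared key for one static peer should be scoped with a host mask.
    keyed_peers = {}
    for peer, mask in re.findall(r"^isakmp key \S+ address (\S+) netmask (\S+)", cfg, re.M):
        keyed_peers[peer] = mask
        if mask != "255.255.255.255":
            problems.append(f"isakmp key for {peer} uses netmask {mask}; expected host mask 255.255.255.255")

    # 3. Every static 'set peer' needs a matching pre-shared key entry.
    for peer in re.findall(r"^crypto map \S+ \d+ set peer (\S+)", cfg, re.M):
        if peer not in keyed_peers:
            problems.append(f"crypto map peer {peer} has no isakmp key entry")

    # 4. The nat 0 ACL must exempt LAN-to-remote-LAN traffic, or it gets NATed past the tunnel.
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if nat0:
        acl = nat0.group(1)
        pattern = rf"^access-list {re.escape(acl)} permit ip \S+ \S+ (\S+) (\S+)"
        destinations = {tuple(d) for d in re.findall(pattern, cfg, re.M)}
        if tuple(remote_lan) not in destinations:
            problems.append(f"access-list {acl} has no entry for remote LAN {remote_lan[0]} {remote_lan[1]}")
    else:
        problems.append("no 'nat (inside) 0 access-list' statement found")

    return problems


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("merged", FIXED_CONFIG)):
        findings = find_problems(cfg, REMOTE_LAN)
        print(f"{label}: {len(findings)} problem(s)")
        for f in findings:
            print("  -", f)
```

Run stand-alone it reports four findings for the two-map sample and none for the merged one. The checks are deliberately literal line matches on the `show run` style syntax, so they will not understand object groups or later PIX/ASA syntax.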

SactoCal (Author) Commented:

Thanks for responding. I have made the changes you suggested and now can no longer achieve a connected status on the Linksys. I am no worse off at this point though, as I can still connect with client software. The Linksys log gives an INVALID-EXCHANGE-TYPE message after trying to connect.

Further suggestions? I am considering just purchasing a Cisco SOHO 91 router and being done with it.


Your ISAKMP policies need to match all settings on the Linksys
DES encryption
MD5 hash
Group x key exchange

Else, try removing this line
>crypto map CRYMAP client configuration address initiate
SactoCal (Author) Commented:

ISAKMP policy 15 matches the linksys setup.
I removed:
>crypto map CRYMAP client configuration address initiate
and can once again get a "Connected" status, but still no traffic across the supposed tunnel.

The inside private address behind the pix I am actually using is, does this create a problem? I have 4 subnets, and behind the pix. The private address behind the Linksys is

Is there a simple way to view the tunnel status on the PIX side?
SactoCal (Author) Commented:

Yes, I had changed the acl for LINKSYS_LAN to reflect the correct IPs. On the IP address issue, yes, I know the range is actually not private. I plan to resolve that someday, but as you stated, no issue right now for us.

When you asked if the PIX is the default gateway, you hit it on the head. The pix resides between two other Cisco routers: our internet router and a point-to-point frame WAN router. Our default gateway is set to a private address on the frame router as opposed to the inside private address of the PIX. When I looked at our inside frame router, there was a route entry pointing the network to our DMZ interface, which is not being utilized. Once I deleted that entry, everything fell into place.

I cannot thank you enough lrmoore. Maybe you can answer one last question. I had noticed before, when I was able to get a "Connected" status, the connection would eventually fail and I would not be able to connect again from the Linksys unless I did a "Save Settings" on the VPN page. What this accomplished I do not know, but then the connection would re-establish itself. Do you have any insight into this? I know I could be patient and see if it is resolved, but I thought I would ask.


It probably timed out without any real traffic on it and the save settings simply reset the timer.
Best guess, anyway.

Glad to help!
I am wanting to do exactly the same as above except in a simpler environment.

I have a PIX515E which we use Cisco VPN software with successfully, but I have the same Linksys box as above and am trying to do the same. Is there a simple way to configure it from scratch? We only have a single subnet at the PIX end.

Also, is it possible to make the 4 ports on the back of the Linksys pass through to our network via the VPN, so someone could lift, say, a printer from our head office network, take it to the remote site and it would still work using DHCP etc.?

To make it slightly more complicated, the ISP on the Linksys end implements some firewalling. To get the VPN to work properly in both directions, what static routes need to be opened on what ports?

Many thanks. You guys here are excellent!
