Solved

Pix 515 to Linksys befvp41 v2 VPN Tunnel

Posted on 2004-03-27
Last Modified: 2013-11-16
Greetings,

Utilizing information from the experts here at this site, I have setup a 515 that I can establish a split_tunnel to using the Cisco VPN client without a problem. I have also been able to establish a “Connected” status to the 515 with a Linksys befvp41 version 2. But when connected via the befvp41 I cannot see the remote network I am supposedly connected to. This is not a problem when I connect to the same remote network with the Cisco client from the same location through the same Linksys befvp41 V2 router.

The befvp41 is running firmware 1.00.12

Summary 515 config:

PIX Version 6.2(2)
access-list inet permit icmp any any echo-reply
access-list inet deny tcp any any eq 135
access-list inet deny tcp any any eq netbios-ssn
access-list inet deny tcp any any eq 445
access-list inet deny tcp any any eq 593
access-list inet deny udp any any eq 135
access-list inet deny udp any any eq netbios-ns
access-list inet deny udp any any eq netbios-dgm
access-list inet deny udp any any eq 445

access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list split_tunnel_acl permit ip 192.168.1.0 255.255.255.0 any

ip address outside <outside_ip> 255.255.255.0
ip address inside 192.168.1.254 255.255.255.0
ip local pool ippool 192.168.100.50-192.168.100.99

global (outside) 1 <public_ip> netmask 255.255.255.0

nat (inside) 0 access-list NO_NAT
nat (inside) 1 192.168.1.0 255.255.255.0 0 0

access-group inet in interface outside

route outside 0.0.0.0 0.0.0.0 <gateway_ip>

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set split_tunnel_acl-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-DES-MD5
crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP client configuration address initiate
crypto map linksys 20 ipsec-isakmp
crypto map linksys 20 match address split_tunnel_acl
crypto map linksys 20 set peer <Linksys_ip>
crypto map linksys 20 set transform-set split_tunnel_acl-set
crypto map linksys interface outside

isakmp enable outside
isakmp key lammo_pw address <linksys_ip> netmask 255.255.255.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 1
isakmp policy 15 lifetime 1000

vpngroup TEST address-pool ippool
vpngroup TEST wins-server <inside_ip>
vpngroup TEST split-tunnel split_tunnel_acl
vpngroup TEST idle-time 1800
vpngroup TEST password lammo_password

Any help would be greatly appreciated. The timeframe for getting this working is why I have set the points where they are. If this is not appropriate, someone please let me know. This is the first question I have posted here.

Thanks in advance
SactoCal
Question by:SactoCal
LVL 79

Expert Comment

by:lrmoore
>access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

This is good for the traffic between your LAN and your clients.
Try adding another line for the LAN that is behind the Linksys (make sure it is NOT 192.168.1.0, same as yours)

I would expect this to be a host netmask:
>isakmp key lammo_pw address <linksys_ip> netmask 255.255.255.0
isakmp key lammo_pw address <linksys_ip> netmask 255.255.255.255
                                                                                                ^^^
You have two separate crypto maps. As you have seen, you can only apply one at a time.

Suggest doing both with one crypto map (different priority #):
access-list LINKSYS_LAN permit ip 192.168.1.0 255.255.255.0 192.168.XX.0 255.255.255.0
                                                 Use appropriate LAN subnet  ^^^^^

crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP client configuration address initiate
crypto map CRYMAP 20 ipsec-isakmp
crypto map CRYMAP 20 match address LINKSYS_LAN
crypto map CRYMAP 20 set peer <Linksys_ip>
crypto map CRYMAP 20 set transform-set split_tunnel_acl-set
crypto map CRYMAP interface outside



LVL 1

Author Comment

by:SactoCal
lrmoore,

Thanks for responding. I have made the changes you suggested and now can no longer achieve a connected status on the Linksys. I am no worse off at this point though, as I can still connect with client software. The Linksys log gives an INVALID-EXCHANGE-TYPE message after trying to connect.

Further suggestions???  I am considering just purchasing a Cisco SOHO 91 router and be done with it.

SactoCal
LVL 79

Expert Comment

by:lrmoore
Your ISAKMP policies need to match all settings on the Linksys
DES encryption
MD5 hash
Group x key exchange
lifetime

Else, try removing this line
>crypto map CRYMAP client configuration address initiate
LVL 1

Author Comment

by:SactoCal
Ok,

ISAKMP policy 15 matches the linksys setup.
I removed:
>crypto map CRYMAP client configuration address initiate
and can once again get a "Connected" status, but still no traffic across the supposed tunnel.

The inside private address behind the pix I am actually using is 192.0.0.0 255.0.0.0, does this create a problem? I have 4 subnets, 192.0.0.0 and 192.168.2.0-192.168.4.0 behind the pix. The private address behind the Linksys is 10.10.10.0 255.255.255.0.

Is there a simple way to view the tunnel status on the PIX side?
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
Did you change this
>access-list LINKSYS_LAN permit ip 192.168.1.0 255.255.255.0 192.168.XX.0 255.255.255.0

To this:
access-list LINKSYS_LAN permit ip 192.0.0.0 255.0.0.0 10.10.10.0 255.255.255.0

It's never a good thing to try to turn a class C network into class A by changing the mask.
>192.0.0.0 255.0.0.0
There are registered IP's within your mask that you may need to get to one day.
The private range only covers 192.168.x.x / 255.255.0.0
But, as long as there is no overlap with the LAN on the remote site, it should not affect your VPN tunnel.

on the pix, use "show cry is sa" and "show cry ip sa"

Is your PIX's inside interface the default gateway on your inside LAN?
The host that you are trying to access from needs to know that to get to the 10.10.10.x network, it must use the PIX as the gateway.


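A sanity check, added here and not part of the thread, that codifies the three configuration points lrmoore raised: only one crypto map can be active on an interface, the match-address ACL must actually cover the local and remote LANs (without the two overlapping), and a pre-shared key tied to one peer should carry a host mask. The sample config is constructed from the thread's PIX 6.2 fragments; 203.0.113.7 stands in for <linksys_ip> and PSK_PLACEHOLDER for the key.

```python
import ipaddress
import re

# Constructed from the thread's PIX 6.2 fragments; 203.0.113.7 stands in for
# <linksys_ip> and PSK_PLACEHOLDER for the pre-shared key.
SAMPLE_CONFIG = """
access-list NO_NAT permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list LINKSYS_LAN permit ip 192.0.0.0 255.0.0.0 10.10.10.0 255.255.255.0
crypto map CRYMAP 20 match address LINKSYS_LAN
crypto map CRYMAP interface outside
crypto map linksys interface outside
isakmp key PSK_PLACEHOLDER address 203.0.113.7 netmask 255.255.255.0
"""

def parse_acls(cfg):
    """Map ACL name -> list of (source network, destination network)."""
    acls = {}
    pat = r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)"
    for name, s, sm, d, dm in re.findall(pat, cfg, re.M):
        acls.setdefault(name, []).append(
            (ipaddress.ip_network(f"{s}/{sm}", strict=False),
             ipaddress.ip_network(f"{d}/{dm}", strict=False)))
    return acls

def check_lan_to_lan(cfg, local_host, remote_host):
    """Return findings for a PIX 6.x LAN-to-LAN crypto config (empty = clean)."""
    findings = []
    acls = parse_acls(cfg)
    local = ipaddress.ip_address(local_host)
    remote = ipaddress.ip_address(remote_host)
    # 1. Only one crypto map can be active on an interface at a time.
    bound = {}
    for name, iface in re.findall(r"^crypto map (\S+) interface (\S+)", cfg, re.M):
        bound.setdefault(iface, set()).add(name)
    for iface, names in bound.items():
        if len(names) > 1:
            findings.append(f"{iface}: several crypto maps bound ({', '.join(sorted(names))})")
    # 2. The match-address ACL must cover local -> remote, and the two LANs
    #    must not overlap (the 192.0.0.0/8 mask makes this worth checking).
    for _map, acl in re.findall(r"^crypto map (\S+) \d+ match address (\S+)", cfg, re.M):
        entries = acls.get(acl, [])
        if not any(local in s and remote in d for s, d in entries):
            findings.append(f"{acl}: no entry covers {local} -> {remote}")
        findings += [f"{acl}: {s} overlaps {d}" for s, d in entries if s.overlaps(d)]
    # 3. A pre-shared key tied to a single peer should use a host mask.
    for peer, mask in re.findall(r"^isakmp key \S+ address (\S+) netmask (\S+)", cfg, re.M):
        if mask != "255.255.255.255":
            findings.append(f"isakmp key for {peer}: netmask {mask} is not a host mask")
    return findings

if __name__ == "__main__":
    for finding in check_lan_to_lan(SAMPLE_CONFIG, "192.168.3.10", "10.10.10.5"):
        print(finding)
```

Run against the sample it reports the doubled crypto map and the /24 key mask; it says nothing about routing, so the default-gateway question above still has to be checked on the LAN hosts themselves.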
LVL 1

Author Comment

by:SactoCal
Bingo!!!!

Yes, I had changed the acl for LINKSYS_LAN to reflect the correct IPs. On the IP address issue, yes, I know the 192.0.0.0 range is actually not private. I plan to resolve that someday, but as you stated, no issue right now for us.

When you asked if the PIX is the default gateway, you hit it on the head.  The pix resides between two other Cisco routers. Our internet router and a point-point frame WAN router.  Our default gateway is set to a private address on the frame router as opposed to the inside private address of the PIX.  When I looked at our inside frame router, there was a route entry pointing the 10.10.10.0 network to our DMZ interface which is not being utilized. Once I deleted that entry, everything fell into place.

I cannot thank you enough lrmoore. Maybe you can answer one last question. I had noticed before, when I was able to get a "Connected" status, the connection would eventually fail and I would not be able to connect again from the Linksys unless I did a "Save Settings" on the VPN page. What this accomplished I do not know, but then the connection would re-establish itself. Do you have any insight into this? I know I could be patient and see if it is resolved, but I thought I would ask.

SactoCal

LVL 79

Expert Comment

by:lrmoore
It probably timed out without any real traffic on it and the save settings simply reset the timer.
Best guess, anyway.

Glad to help!

Expert Comment

by:harveygroupplc
I am wanting to do exactly the same as above except in a simpler environment.

I have a PIX515E which we use Cisco VPN software with successfully, but I have the same Linksys box as above and am trying to do the same - is there a simple way to configure from scratch? - we only have a single subnet at the PIX end.

Also, is it possible to make the 4 port's on the back of the linksys pass-through to our network via the VPN so someone could lift say, a printer from our head office network, take it to remote site and it would still work using DHCP etc?

To make it slightly more complicated, the ISP on the linksys end implements some firewalling - to get the VPN to work properly in both directions what static routes need to be opened on what ports?

Many thanks- you guys here are excellent!

Dave