Pix 515 to Linksys befvp41 v2 VPN Tunnel

Posted on 2004-03-27
Medium Priority
Last Modified: 2013-11-16

Utilizing information from the experts here at this site, I have setup a 515 that I can establish a split_tunnel to using the Cisco VPN client without a problem. I have also been able to establish a “Connected” status to the 515 with a Linksys befvp41 version 2. But when connected via the befvp41 I cannot see the remote network I am supposedly connected to. This is not a problem when I connect to the same remote network with the Cisco client from the same location through the same Linksys befvp41 V2 router.

The befvp41 is running firmware 1.00.12

Summary 515 config:

PIX Version 6.2(2)
access-list inet permit icmp any any echo-reply
access-list inet deny tcp any any eq 135
access-list inet deny tcp any any eq netbios-ssn
access-list inet deny tcp any any eq 445
access-list inet deny tcp any any eq 593
access-list inet deny udp any any eq 135
access-list inet deny udp any any eq netbios-ns
access-list inet deny udp any any eq netbios-dgm
access-list inet deny udp any any eq 445

access-list NO_NAT permit ip

access-list split_tunnel_acl permit ip any

ip address outside <outside_ip>
ip address inside
ip local pool ippool

global (outside) 1 <public_ip> netmask

nat (inside) 0 access-list NO_NAT
nat (inside) 1 0 0

access-group inet in interface outside

route outside <gateway_ip>

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable

sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set split_tunnel_acl-set esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set ESP-DES-MD5
crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP client configuration address initiate
crypto map linksys 20 ipsec-isakmp
crypto map linksys 20 match address split_tunnel_acl
crypto map linksys 20 set peer <Linksys_ip>
crypto map linksys 20 set transform-set split_tunnel_acl-set
crypto map linksys interface outside

isakmp enable outside
isakmp key lammo_pw address <linksys_ip> netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 1
isakmp policy 15 lifetime 1000

vpngroup TEST address-pool ippool
vpngroup TEST wins-server <inside_ip>
vpngroup TEST split-tunnel split_tunnel_acl
vpngroup TEST idle-time 1800
vpngroup TEST password lammo_password

Any help would be greatly appreciated. The timeframe for getting this working is why I have set the points where they are. If this is not appropriate, someone please let me know. This is the first question I have posted here.

Thanks in advance
Question by: SactoCal

Expert Comment

ID: 10699080
>access-list NO_NAT permit ip

This is good for the traffic between your LAN and your clients.
Try adding another line for the LAN that is behind the Linksys (make sure it is NOT, same as yours)

I would expect this to be a host netmask:
>isakmp key lammo_pw address <linksys_ip> netmask
isakmp key lammo_pw address <linksys_ip> netmask
You have two separate crypto maps. As you have seen, you can only apply one at a time.

Suggest doing both with one crypto map (different priority #):
access-list LINKSYS_LAN permit ip 192.168.XX.0    <-- use appropriate LAN subnet

crypto map CRYMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYMAP client configuration address initiate
crypto map CRYMAP 20 ipsec-isakmp
crypto map CRYMAP 20 match address LINKSYS_LAN
crypto map CRYMAP 20 set peer <Linksys_ip>
crypto map CRYMAP 20 set transform-set split_tunnel_acl-set
crypto map CRYMAP interface outside


Author Comment

ID: 10700919

Thanks for responding. I have made the changes you suggested and now can no longer achieve a connected status on the Linksys. I am no worse off at this point though, as I can still connect with client software. The Linksys log gives an INVALID-EXCHANGE-TYPE message after trying to connect.

Further suggestions???  I am considering just purchasing a Cisco SOHO 91 router and be done with it.


Expert Comment

ID: 10700944
Your ISAKMP policies need to match all settings on the Linksys
DES encryption
MD5 hash
Group x key exchange

Else, try removing this line
>crypto map CRYMAP client configuration address initiate


Author Comment

ID: 10703964

ISAKMP policy 15 matches the linksys setup.
I removed:
>crypto map CRYMAP client configuration address initiate
and can once again get a "Connected" status, but still no traffic across the supposed tunnel.

The inside private address behind the pix I am actually using is, does this create a problem? I have 4 subnets, and behind the pix. The private address behind the Linksys is

Is there a simple way to view the tunnel status on the PIX side?

Accepted Solution

lrmoore earned 2000 total points
ID: 10704162
Did you change this
>access-list LINKSYS_LAN permit ip 192.168.XX.0

To this:
access-list LINKSYS_LAN permit ip

It's never a good thing to try to turn a class C network into class A by changing the mask.
There are registered IP's within your mask that you may need to get to one day.
The private range only covers 192.168.x.x /
But, as long as there is no overlap with the LAN on the remote site, it should not affect your VPN tunnel.

on the pix, use "show cry is sa" and "show cry ip sa"

Is your PIX's inside interface the default gateway on your inside LAN?
The host that you are trying to access from needs to know that to get to the 10.10.10.x network, it must use the PIX as the gateway.
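As an added example (not from this thread, nor Cisco or Linksys code), a small Python parser for the packet counters in "show crypto ipsec sa" that flags the one-way-traffic symptom in this question: packets decapsulated from the Linksys side but nothing encapsulated back, which is what you see when inside hosts route their replies to a gateway other than the PIX. The sample output is constructed and modelled on PIX 6.x formatting; exact spacing on a real box may differ, and the addresses are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of "show crypto ipsec sa" output (PIX 6.x style; assumption).
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: CRYMAP, local addr. 203.0.113.10

   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer: 198.51.100.5:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 57, #pkts decrypt: 57, #pkts verify 57
    #send errors 0, #recv errors 0
"""


@dataclass
class SaCounters:
    local_net: str   # local proxy identity, e.g. "10.10.10.0/255.255.255.0"
    remote_net: str  # remote proxy identity
    peer: str        # current_peer address:port
    encaps: int      # packets encrypted and sent into the tunnel
    decaps: int      # packets received from the tunnel and decrypted


def parse_ipsec_sa(text: str) -> List[SaCounters]:
    """Split the output into one record per 'local ident' block and pull the counters."""
    sas = []
    for block in re.split(r"\n(?=[ \t]*local[ \t]+ident)", text):
        m_local = re.search(r"local\s+ident.*?:\s*\(([^/]+/[^/]+)/", block)
        m_remote = re.search(r"remote\s+ident.*?:\s*\(([^/]+/[^/]+)/", block)
        m_peer = re.search(r"current_peer:\s*(\S+)", block)
        m_enc = re.search(r"#pkts encaps:\s*(\d+)", block)
        m_dec = re.search(r"#pkts decaps:\s*(\d+)", block)
        if not all((m_local, m_remote, m_peer, m_enc, m_dec)):
            continue  # header lines or a partial block: nothing to report
        sas.append(SaCounters(m_local.group(1), m_remote.group(1), m_peer.group(1),
                              int(m_enc.group(1)), int(m_dec.group(1))))
    return sas


def diagnose(sa: SaCounters) -> str:
    """Classify the SA from its counters; the asymmetric cases point at routing."""
    if sa.encaps == 0 and sa.decaps == 0:
        return "no traffic in either direction: check the crypto ACL / interesting traffic"
    if sa.decaps > 0 and sa.encaps == 0:
        return "one-way: remote packets arrive but no replies enter the tunnel; inside hosts are not routing via the PIX"
    if sa.encaps > 0 and sa.decaps == 0:
        return "one-way: local packets sent but nothing returns; check the remote side's routing and ACL"
    return "bidirectional traffic flowing"
```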


Author Comment

ID: 10704870

Yes, I had changed the acl for LINKSYS_LAN to reflect the correct ip's.   On the IP address issue, yes, I know the range is actually not private. I plan to resolve that someday, but as you stated, no issue right now for us.

When you asked if the PIX is the default gateway, you hit it on the head.  The pix resides between two other Cisco routers. Our internet router and a point-point frame WAN router.  Our default gateway is set to a private address on the frame router as opposed to the inside private address of the PIX.  When I looked at our inside frame router, there was a route entry pointing the network to our DMZ interface which is not being utilized. Once I deleted that entry, everything fell into place.

I cannot thank you enough lrmoore. Maybe you can answer one last question. I had noticed before, when I was able to get a "Connected" status, the connection would eventually fail and I would not be able to connect again from the Linksys unless I did a "Save Settings" on the VPN page. What this accomplished I do not know, but then the connection would re-establish itself. Do you have any insight into this? I know I could be patient and see if it is resolved, but I thought I would ask.



Expert Comment

ID: 10704938
It probably timed out without any real traffic on it and the save settings simply reset the timer.
Best guess, anyway.

Glad to help!

Expert Comment

ID: 10897548
I am wanting to do exactly the same as above except in a simpler environment.

I have a PIX515E which we use Cisco VPN software with successfully, but I have the same Linksys box as above and am trying to do the same - is there a simple way to configure it from scratch? We only have a single subnet at the PIX end.

Also, is it possible to make the 4 ports on the back of the Linksys pass-through to our network via the VPN, so someone could lift, say, a printer from our head office network, take it to the remote site and it would still work using DHCP etc.?

To make it slightly more complicated, the ISP on the linksys end implements some firewalling - to get the VPN to work properly in both directions what static routes need to be opened on what ports?

Many thanks - you guys here are excellent!

