Solved

Site to Site VPN  Linksys BEFVP41 to Cisco Pix 506

Posted on 2004-04-11
2,676 Views
Last Modified: 2010-04-12
I have the above router and firewall, I would like to set up a site-to-site connection between these two. I am not having much success. I am hoping that someone has achieved this feat and can help me.

Thanks in advance.
Question by:smnphoenix
22 Comments
 
LVL 1

Author Comment

by:smnphoenix
ID: 10803639
Adding pix config

Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password **************/ encrypted
passwd ***************/ encrypted
hostname Brookwood
domain-name brookwood.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.1.1.0 vpn_in
name 66.xx.xx.xxx Brandon
access-list outside_access_in permit tcp any host 68.xxx.xx.xxx eq smtp
access-list outside_access_in permit tcp any host 68.xxx.xx.xxx eq pop3
access-list outside_access_in permit tcp any host 68.xxx.xx.xxx eq www
access-list outside_access_in permit tcp host 12.xxx.xx.xx host  68.xxx.xx.xxx eq ssh
access-list outside_access_in permit tcp host 12.xxx.xx.xx host  68.xxx.xx.xxx eq telnet
access-list outside_access_in permit tcp host 12.xxx.xx.xxx host  68.xxx.xx.xxx eq telnet
access-list outside_access_in permit tcp host 12.xxx.xx.xxx host  68.xxx.xx.xxx eq ssh
access-list outside_access_in permit tcp interface outside host  68.xxx.xx.xxx eq ftp
access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 vpn_in 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 200.200.200.0 255.255.255.0 vpn_in 255.255.255.0
access-list brkwd_split_tunnel permit ip any any
pager lines 24
logging standby
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 200.200.200.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_in 10.1.1.1-10.1.1.254
pdm location 67.xx.xxx.xx 255.255.255.224 outside
pdm location 64.xx.xxx.xx 255.255.255.255 outside
pdm location 64.xx.xxx.xx 255.255.255.255 outside
pdm location 67.xx.xxx.xx 255.255.255.255 outside
pdm location 64.xx.xxx.xx 255.255.255.255 outside
pdm location 64.xx.xxx.xx 255.255.255.255 outside
pdm location vpn_in 255.255.255.0 inside
pdm location 200.200.72.0 255.255.255.0 inside
pdm location 200.200.91.0 255.255.255.0 inside
pdm location 200.200.101.0 255.255.255.0 inside
pdm location 200.200.102.0 255.255.255.0 inside
pdm location 200.200.104.0 255.255.255.0 inside
pdm location 200.200.105.0 255.255.255.0 inside
pdm location 200.200.106.0 255.255.255.0 inside
pdm location 200.200.108.0 255.255.255.0 inside
pdm location 200.200.109.0 255.255.255.0 inside
pdm location 200.200.111.0 255.255.255.0 inside
pdm location 200.200.113.0 255.255.255.0 inside
pdm location 200.200.114.0 255.255.255.0 inside
pdm location 200.200.115.0 255.255.255.0 inside
pdm location 200.200.116.0 255.255.255.0 inside
pdm location 200.200.200.124 255.255.255.255 inside
pdm location 200.200.200.130 255.255.255.255 inside
pdm location 200.200.200.204 255.255.255.255 inside
pdm location 12.xxx.xx.xxx 255.255.255.255 outside
pdm location 12.xxx.xx.xxx 255.255.255.255 outside
pdm location 64xx.xxx.xx 255.255.255.224 outside
pdm location Brandon 255.255.255.255 outside
pdm location 68.xxx.xx.xxx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 68.xxx.xx.xxx smtp 200.200.200.204 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.xxx.xx.xxx pop3 200.200.200.204 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.xxx.xx.xxx www 200.200.200.204 www netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.xxx.xx.xxx telnet 200.200.200.130 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.xxx.xx.xxx ssh 200.200.200.130 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 68.xxx.xx.xxx ftp 200.200.200.204 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route inside 200.200.72.0 255.255.255.0 200.200.200.135 1
route inside 200.200.91.0 255.255.255.0 200.200.200.135 1
route inside 200.200.101.0 255.255.255.0 200.200.200.135 1
route inside 200.200.102.0 255.255.255.0 200.200.200.135 1
route inside 200.200.104.0 255.255.255.0 200.200.200.135 1
route inside 200.200.105.0 255.255.255.0 200.200.200.135 1
route inside 200.200.106.0 255.255.255.0 200.200.200.135 1
route inside 200.200.108.0 255.255.255.0 200.200.200.135 1
route inside 200.200.109.0 255.255.255.0 200.200.200.135 1
route inside 200.200.111.0 255.255.255.0 200.200.200.135 1
route inside 200.200.113.0 255.255.255.0 200.200.200.135 1
route inside 200.200.114.0 255.255.255.0 200.200.200.135 1
route inside 200.200.115.0 255.255.255.0 200.200.200.135 1
route inside 200.200.116.0 255.255.255.0 200.200.200.205 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http aa.aa.aaa.aa 255.255.255.255 outside
http 200.200.200.0 255.255.255.0 inside
http 200.200.200.124 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
vpngroup brookwood address-pool vpn_in
vpngroup brookwood dns-server 200.200.200.204
vpngroup brookwood default-domain brookwood.local
vpngroup brookwood split-tunnel inside_outbound_nat0_acl
vpngroup brookwood idle-time 1800
vpngroup brookwood password ********
telnet 200.200.200.0 255.255.255.0 inside
telnet vpn_in 255.255.255.0 inside
telnet timeout 10
ssh aa.aa.aaa.aa 255.255.255.224 outside
ssh 200.200.200.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xxxx@xxxxxx.xxx
vpdn group pppoe_group ppp authentication pap
vpdn username greatfur@bellsouth.net password *********
terminal width 80
Cryptochecksum:
: end
[OK]
0
 
LVL 11

Expert Comment

by:ewtaylor
ID: 10805951
What errors are you receiving?  How do you have the Linksys configured?
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10806077
The Linksys is set up like so:

The tunnel on the linksys is set with the local ip and subnet and the remote ip and subnet. The ip address is set up to the ip for the remote outside address. The security method is 3DES MD5 ISAKMP. I used the vpn wizard on the pdm on the pix and was able to connect for a short period, but after doing this my access-list show them as being null. The pix then stopped everything else but the tunnel. I deleted all the entries that the wizard made. What I need to know is how to set up the pix without damaging any current configuration.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10868150
You're missing a pre-shared secret on the PIX, eg -

isakmp key 1234 address 0.0.0.0 netmask 0.0.0.0

Also, this line should be 3DES, not DES:

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

You should be able to alter both of these without service interruption!

I'm assuming at the Linksys end you have a pre-shared key set up, plus 3DES, MD5, ISAKMP?

The local network at the Linksys will need to be 200.200.200.0 255.255.255.0 in order for the encryption networks to match up.

If you continue to have problems, on the PIX console, issue these:

debug cry isakmp
debug cry ipsec
term mon
'term no mon' to switch off
'no debug all' to switch debug off

..and post up the error messages you see.
It may be useful to leave a ping -t x.x.x.x running from a machine on one of the networks to a machine on the other, as the tunnel will need 2-way traffic to come up.
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10868498
I will try those this evening, thanks.
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10871463
Did as you suggested and the Linksys router shows connected, but I cannot ping the remote site.
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10871622
This is what shows on the Linksys router:

1. BM Connected
200.200.56.0 255.255.255.0
200.200.200.0
255.255.255.0
68.xxx.xxx.xxx
DES MD5 ISAKMP
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10876141
Hang on...

Is this right?

10.1.1.0
Linksys
DHCP address (DSL)
|
Internet
|
DHCP address (DSL)
Cisco PIX
200.200.200.0

i.e. are you trying to create a VPN between two non-static IP addresses?

On the linksys, the 'local secure group' should be 10.1.1.0 / 255.255.255.0
Remote secure group - Any
Remote security gateway - Any
Encryption - 3DES / MD5
Key management - IKE (Auto)
Enable PFS
Put the pre-shared key in (of your choice)
Set lifetime to 86400 (this matches up with your Cisco config)

There is also a 'more' link by the View Log button on this screen.  Click it...

Phase 1 should be Main mode, 3DES / MD5 / Group 1024bit (this matches with 'group 2' in the PIX config) / lifetime 86400s
Phase 2 should be 3DES / MD5 / PFS - ON, Group 768 OR 1024, Key lifetime 24400.
..and select Anti-Replay and keep-alive.
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10877618
No, these are two static IPs.
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10877619
No, these are two static IPs.
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10877648
Are there any settings which would allow a connection but prevent the ability to browse?
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10878319
The above scenario is close, but the Linksys is 200.200.56.0. These are the internal networks. Both routers have external IP addresses.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10879391
In that case, you want to change this:

access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 vpn_in 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 200.200.200.0 255.255.255.0 vpn_in 255.255.255.0

to

access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 vpn_in 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 200.200.56.0 255.255.255.0
access-list 80 permit ip 200.200.200.0 255.255.255.0 200.200.56.0 255.255.255.0

and don't forget to add that preshared key.

Now, as you have static IPs at both ends, you don't need a dynamic map on the Cisco.

crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
crypto map newyork 10 set transform-set ESP-3DES-MD5
crypto map newyork 10 set peer {IP ADDRESS OF LINKSYS}
crypto map newyork interface outside

0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10879920
We still access with the VPN client as well, will this affect it?

Do I need to run these commands?

           crypto map newyork 10 ipsec-isakmp
           crypto map newyork 10 match address 80
           crypto map newyork 10 set transform-set ESP-3DES-MD5
           crypto map newyork 10 set peer {IP ADDRESS OF LINKSYS}
           crypto map newyork interface outside


0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10880035
Current Config

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname BrookwoodPix
domain-name brookwood.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.1.1.0 vpn_in
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq smtp
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq pop3
access-list outside_access_in permit tcp any host xx.xx.xx.xx eq www
access-list outside_access_in permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq ssh
access-list outside_access_in permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq telnet
access-list outside_access_in permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq telnet
access-list outside_access_in permit tcp host xx.xx.xx.xx host xx.xx.xx.xx eq ssh
access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 vpn_in 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 200.200.56.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 200.200.200.0 255.255.255.0 vpn_in 255.255.255.0
access-list brkwd_split_tunnel permit ip any any
access-list 80 permit ip 200.200.200.0 255.255.255.0 200.200.56.0 255.255.255.0
pager lines 24
logging standby
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 200.200.200.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_in 10.1.1.1-10.1.1.254
pdm location xx.xx.xx.xx 255.255.255.224 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location vpn_in 255.255.255.0 inside
pdm location 200.200.72.0 255.255.255.0 inside
pdm location 200.200.91.0 255.255.255.0 inside
pdm location 200.200.101.0 255.255.255.0 inside
pdm location 200.200.102.0 255.255.255.0 inside
pdm location 200.200.104.0 255.255.255.0 inside
pdm location 200.200.105.0 255.255.255.0 inside
pdm location 200.200.106.0 255.255.255.0 inside
pdm location 200.200.108.0 255.255.255.0 inside
pdm location 200.200.109.0 255.255.255.0 inside
pdm location 200.200.111.0 255.255.255.0 inside
pdm location 200.200.113.0 255.255.255.0 inside
pdm location 200.200.114.0 255.255.255.0 inside
pdm location 200.200.115.0 255.255.255.0 inside
pdm location 200.200.116.0 255.255.255.0 inside
pdm location 200.200.200.124 255.255.255.255 inside
pdm location 200.200.200.130 255.255.255.255 inside
pdm location 200.200.200.204 255.255.255.255 inside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location xx.xx.xx.xx 255.255.255.224 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location xx.xx.xx.xx 255.255.255.255 outside
pdm location 200.200.56.0 255.255.255.0 inside
pdm location 200.200.56.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xx.xx.xx smtp 200.200.200.204 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx pop3 200.200.200.204 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx www 200.200.200.204 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx telnet 200.200.200.130 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx ssh 200.200.200.130 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xx.xx ftp 200.200.200.204 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route inside 200.200.56.0 255.255.255.0 200.200.200.200 1
route inside 200.200.72.0 255.255.255.0 200.200.200.135 1
route inside 200.200.91.0 255.255.255.0 200.200.200.135 1
route inside 200.200.101.0 255.255.255.0 200.200.200.135 1
route inside 200.200.102.0 255.255.255.0 200.200.200.135 1
route inside 200.200.104.0 255.255.255.0 200.200.200.135 1
route inside 200.200.105.0 255.255.255.0 200.200.200.135 1
route inside 200.200.106.0 255.255.255.0 200.200.200.135 1
route inside 200.200.108.0 255.255.255.0 200.200.200.135 1
route inside 200.200.109.0 255.255.255.0 200.200.200.135 1
route inside 200.200.111.0 255.255.255.0 200.200.200.135 1
route inside 200.200.113.0 255.255.255.0 200.200.200.135 1
route inside 200.200.114.0 255.255.255.0 200.200.200.135 1
route inside 200.200.115.0 255.255.255.0 200.200.200.135 1
route inside 200.200.116.0 255.255.255.0 200.200.200.205 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xx.xx.xx.xx 255.255.255.255 outside
http xx.xx.xx.xx 255.255.255.255 outside
http 200.200.200.0 255.255.255.0 inside
http 200.200.200.124 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
vpngroup brookwood address-pool vpn_in
vpngroup brookwood dns-server 200.200.200.204
vpngroup brookwood default-domain brookwood.local
vpngroup brookwood split-tunnel inside_outbound_nat0_acl
vpngroup brookwood idle-time 1800
vpngroup brookwood password ********
telnet 200.200.200.0 255.255.255.0 inside
telnet vpn_in 255.255.255.0 inside
telnet timeout 10
ssh 64.xx.xx.xx 255.255.255.224 outside
ssh 200.200.200.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname greatfur@bellsouth.net
vpdn group pppoe_group ppp authentication pap
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10880146
These commands will only affect traffic relating to the external address of the Linksys.  Client traffic will carry on unaffected, so they are fine to add.  I see you've added the access lists and pre-shared key already!

Linksys settings will change slightly:

On the linksys, the 'local secure group' should be 200.200.56.0 / 255.255.255.0
Remote secure group - 200.200.200.0 / 255.255.255.0
Remote security gateway - EXTERNAL ADDRESS OF PIX
Encryption - 3DES / MD5
Key management - IKE (Auto)
Enable PFS
Put the pre-shared key in (of your choice)
Set lifetime to 86400 (this matches up with your Cisco config)

There is also a 'more' link by the View Log button on this screen.  Click it...

Phase 1 should be Main mode, 3DES / MD5 / Group 1024bit (this matches with 'group 2' in the PIX config) / lifetime 86400s
Phase 2 should be 3DES / MD5 / PFS - ON, Group 768 OR 1024, Key lifetime 24400.
..and select Anti-Replay and keep-alive.
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 10880171
This should get you in a state of how things roughly should be.  We may have to tweak phase 1 and 2 timeouts at either end to get it to work finally, so let me know what happens after you set everything up and initiate traffic from a machine INSIDE one network to a machine INSIDE the other.  2-way traffic is necessary to bring the link up.
The Linksys logs would be a good start, or you can enable debugs on the pix:

debug crypto ipsec
debug crypto isakmp
term mon

then to turn this all off (as this slows it down):

no term mon
no debug all
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10880181
newyork should be changed to something else, correct?
0
 
LVL 1

Author Comment

by:smnphoenix
ID: 10880210
Linksys log:

2004-04-21 11:31:57
2004-04-21 11:32:02
2004-04-21 11:32:02 IKE[1] Tx >> MM_I1 : 68.xxx.xx.xxx SA
2004-04-21 11:32:02 IKE[1] Rx << MM_R1 : 68.xxx.xx.xxx SA
2004-04-21 11:32:02 IKE[1] ISAKMP SA CKI=[21e5fc0f edeb867e] CKR=[b692be5d adf6bbf8]
2004-04-21 11:32:02 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_1024 / 86400 sec (*86400 sec)
2004-04-21 11:32:02 IKE[1] Tx >> MM_I2 : 68.xxx.xx.xxx KE, NONCE
2004-04-21 11:32:03 IKE[1] Rx << MM_R2 : 68.xxx.xx.xxx KE, NONCE, VID, VID, VID, VID
2004-04-21 11:32:03 IKE[1] Tx >> MM_I3 : 68.xxx.xx.xxx ID, HASH
2004-04-21 11:32:03 IKE[1] Rx << MM_R3 : 68.xxx.xx.xxx ID, HASH
2004-04-21 11:32:03 IKE[1] Tx >> QM_I1 : 68.xxx.xx.xxx HASH, SA, NONCE, KE, ID, ID
2004-04-21 11:32:04 IKE[1] Rx << QM_R1 : 68.xxx.xx.xxx HASH, SA, NONCE, KE, ID, ID, NOTIFY
2004-04-21 11:32:04 IKE[1] Tx >> QM_I2 :68.xxx.xx.xxxHASH
2004-04-21 11:32:04 IKE[1] ESP_SA DES / MD5 / 86400 sec (*86400 sec) / SPI=[************]
2004-04-21 11:32:04 IKE[1] Set up ESP tunnel with 68.xxx.xx.xxx Success !
2004-04-21 11:32:04
0
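The log above reports "Success" with DES/MD5 in both phases, although the advice earlier in the thread was 3DES/MD5; a success line on its own hides that kind of downgrade. As an added example that is not part of the thread, the Python below parses BEFVP41 log lines in that format into the negotiated phase 1 and phase 2 parameters and reports every parameter that differs from the intended policy. The sample log is constructed; its peer address is a documentation-range placeholder and its SPI is made up.

```python
import re

# Constructed sample in the BEFVP41 log format shown in the thread; the peer
# address is a documentation-range placeholder and the SPI is made up.
SAMPLE_LOG = """\
2004-04-21 11:32:02 IKE[1] Tx >> MM_I1 : 203.0.113.10 SA
2004-04-21 11:32:02 IKE[1] Rx << MM_R1 : 203.0.113.10 SA
2004-04-21 11:32:02 IKE[1] ISAKMP SA DES / MD5 / PreShared / MODP_1024 / 86400 sec (*86400 sec)
2004-04-21 11:32:03 IKE[1] Tx >> MM_I3 : 203.0.113.10 ID, HASH
2004-04-21 11:32:03 IKE[1] Tx >> QM_I1 : 203.0.113.10 HASH, SA, NONCE, KE, ID, ID
2004-04-21 11:32:04 IKE[1] ESP_SA DES / MD5 / 86400 sec (*86400 sec) / SPI=[0a0b0c0d]
2004-04-21 11:32:04 IKE[1] Set up ESP tunnel with 203.0.113.10 Success !
"""

# Phase 1: encryption / hash / authentication / DH group / lifetime.
ISAKMP_RE = re.compile(r"ISAKMP SA (\w+) / (\w+) / (\w+) / MODP_(\d+) / (\d+) sec")
# Phase 2: encryption / hash / lifetime.
ESP_RE = re.compile(r"ESP_SA (\w+) / (\w+) / (\d+) sec")
SUCCESS_RE = re.compile(r"Set up ESP tunnel with (\S+) Success")

# The policy the thread recommends: 3DES/MD5 in both phases, DH group 2
# (1024-bit MODP), pre-shared authentication, 86400 s phase 1 lifetime.
EXPECTED = {
    "phase1": {"enc": "3DES", "hash": "MD5", "auth": "PreShared",
               "dh_bits": 1024, "lifetime": 86400},
    "phase2": {"enc": "3DES", "hash": "MD5"},
}


def parse_ike_log(text):
    """Extract the negotiated phase 1 / phase 2 parameters from BEFVP41 log lines."""
    result = {"phase1": None, "phase2": None, "peer": None, "success": False}
    for line in text.splitlines():
        if m := ISAKMP_RE.search(line):
            result["phase1"] = {"enc": m[1], "hash": m[2], "auth": m[3],
                                "dh_bits": int(m[4]), "lifetime": int(m[5])}
        elif m := ESP_RE.search(line):
            result["phase2"] = {"enc": m[1], "hash": m[2], "lifetime": int(m[3])}
        elif m := SUCCESS_RE.search(line):
            result["peer"], result["success"] = m[1], True
    return result


def policy_mismatches(parsed, expected=EXPECTED):
    """List every negotiated parameter that differs from the intended policy."""
    mismatches = []
    for phase, wanted in expected.items():
        got = parsed[phase]
        if got is None:
            mismatches.append(f"{phase}: no SA was negotiated")
            continue
        for key, value in wanted.items():
            if got.get(key) != value:
                mismatches.append(
                    f"{phase}: {key} negotiated as {got.get(key)}, policy wants {value}")
    return mismatches


if __name__ == "__main__":
    parsed = parse_ike_log(SAMPLE_LOG)
    print("tunnel up:", parsed["success"], "with", parsed["peer"])
    for issue in policy_mismatches(parsed) or ["negotiated SAs match the intended policy"]:
        print(issue)
```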
 
LVL 1

Author Comment

by:smnphoenix
ID: 10881039
Now it is not connecting at all. What is going on now?


Building configuration...
: Saved
:
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname BrookwoodPix
domain-name brookwood.local
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 10.1.1.0 vpn_in
access-list outside_access_in permit tcp any host xx.xx.xxx.xx eq smtp
access-list outside_access_in permit tcp any host xx.xx.xxx.xx eq pop3
access-list outside_access_in permit tcp any host xx.xx.xxx.xx eq www
access-list outside_access_in permit tcp host xx.xx.xxx.xx host xx.xx.xxx.xx eq ssh
access-list outside_access_in permit tcp host xx.xx.xxx.xx host xx.xx.xxx.xx eq telnet
access-list outside_access_in permit tcp host xx.xx.xxx.xx1 host xx.xx.xxx.xx eq telnet
access-list outside_access_in permit tcp host xx.xx.xxx.xx1 host xx.xx.xxx.xx eq ssh
access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 vpn_in 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 200.200.200.0 255.255.255.0 vpn_in 255.255.255.0
access-list brkwd_split_tunnel permit ip any any
pager lines 24
logging standby
mtu outside 1500
mtu inside 1500
ip address outside pppoe setroute
ip address inside 200.200.200.200 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpn_in 10.1.1.1-10.1.1.254
pdm location xx.xx.xxx.xx 255.255.255.224 outside
pdm location xx.xx.xxx.xx 255.255.255.255 outside
pdm location xx.xx.xxx.xx 255.255.255.255 outside
pdm location xx.xx.xxx.xx 255.255.255.255 outside
pdm location xx.xx.xxx.xx 255.255.255.255 outside
pdm location xx.xx.xxx.xx 255.255.255.255 outside
pdm location vpn_in 255.255.255.0 inside
pdm location 200.200.72.0 255.255.255.0 inside
pdm location 200.200.91.0 255.255.255.0 inside
pdm location 200.200.101.0 255.255.255.0 inside
pdm location 200.200.102.0 255.255.255.0 inside
pdm location 200.200.104.0 255.255.255.0 inside
pdm location 200.200.105.0 255.255.255.0 inside
pdm location 200.200.106.0 255.255.255.0 inside
pdm location 200.200.108.0 255.255.255.0 inside
pdm location 200.200.109.0 255.255.255.0 inside
pdm location 200.200.111.0 255.255.255.0 inside
pdm location 200.200.113.0 255.255.255.0 inside
pdm location 200.200.114.0 255.255.255.0 inside
pdm location 200.200.115.0 255.255.255.0 inside
pdm location 200.200.116.0 255.255.255.0 inside
pdm location 200.200.200.124 255.255.255.255 inside
pdm location 200.200.200.130 255.255.255.255 inside
pdm location 200.200.200.204 255.255.255.255 inside
pdm location xx.xx.xxx.xx 255.255.255.255 outside
pdm location xx.xx.xxx.xx 1 255.255.255.255 outside
pdm location xx.xx.xxx.xx 255.255.255.224 outside
pdm location xx.xx.xxx.xx 255.255.255.255 outside
pdm location xx.xx.xxx.xx 255.255.255.255 outside
pdm location 200.200.56.0 255.255.255.0 inside
pdm location 200.200.56.0 255.255.255.0 outside
pdm location vpn_in 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xx.xx.xxx.xx smtp 200.200.200.204 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xxx.xx pop3 200.200.200.204 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xxx.xx www 200.200.200.204 www netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xxx.xx telnet 200.200.200.130 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xxx.xx ssh 200.200.200.130 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xx.xxx.xx ftp 200.200.200.204 ftp netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route inside 200.200.56.0 255.255.255.0 200.200.200.200 1
route inside 200.200.72.0 255.255.255.0 200.200.200.135 1
route inside 200.200.91.0 255.255.255.0 200.200.200.135 1
route inside 200.200.101.0 255.255.255.0 200.200.200.135 1
route inside 200.200.102.0 255.255.255.0 200.200.200.135 1
route inside 200.200.104.0 255.255.255.0 200.200.200.135 1
route inside 200.200.105.0 255.255.255.0 200.200.200.135 1
route inside 200.200.106.0 255.255.255.0 200.200.200.135 1
route inside 200.200.108.0 255.255.255.0 200.200.200.135 1
route inside 200.200.109.0 255.255.255.0 200.200.200.135 1
route inside 200.200.111.0 255.255.255.0 200.200.200.135 1
route inside 200.200.113.0 255.255.255.0 200.200.200.135 1
route inside 200.200.114.0 255.255.255.0 200.200.200.135 1
route inside 200.200.115.0 255.255.255.0 200.200.200.135 1
route inside 200.200.116.0 255.255.255.0 200.200.200.205 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http xx.xx.xxx.xx 255.255.255.255 outside
http xx.xx.xxx.xx 255.255.255.255 outside
http 200.200.200.0 255.255.255.0 inside
http 200.200.200.124 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map outside_dyn_map_1 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map HVTHrift 10 ipsec-isakmp
crypto map HVThrift 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map HVThrift interface outside
crypto map newyork 10 ipsec-isakmp
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash md5
isakmp policy 60 group 2
isakmp policy 60 lifetime 86400
vpngroup brookwood address-pool vpn_in
vpngroup brookwood dns-server 200.200.200.204
vpngroup brookwood default-domain brookwood.local
vpngroup brookwood split-tunnel inside_outbound_nat0_acl
vpngroup brookwood idle-time 1800
vpngroup brookwood password ********
telnet 200.200.200.0 255.255.255.0 inside
telnet vpn_in 255.255.255.0 inside
telnet timeout 10
ssh 64.79.229.32 255.255.255.224 outside
ssh 200.200.200.0 255.255.255.0 inside
ssh timeout 60
management-access inside
console timeout 0
: end
[OK]

0
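As an added example that is not from the thread, the Python below runs the checks this thread walks through over a PIX 6.x configuration: a pre-shared key is present, each static crypto map entry carries match address / set peer / set transform-set with a defined transform set, the entry's map is the one actually applied to the outside interface, and every network pair in the crypto ACL is also in the nat 0 exemption ACL; it also flags crypto map names that differ only in case, which the PIX treats as separate maps. The two sample configs are constructed from the lines suggested above, with a documentation-range peer address and a placeholder key.

```python
import re
from collections import defaultdict

# Constructed sample built from the static site-to-site lines suggested in the
# thread; the peer address and the key are placeholders.
GOOD_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 200.200.56.0 255.255.255.0
access-list 80 permit ip 200.200.200.0 255.255.255.0 200.200.56.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
crypto map newyork 10 set transform-set ESP-3DES-MD5
crypto map newyork 10 set peer 203.0.113.10
crypto map newyork interface outside
isakmp enable outside
isakmp key PLACEHOLDER-PSK address 0.0.0.0 netmask 0.0.0.0
"""

# Constructed sample of a broken state: a bare crypto map entry, the interface
# bound to a differently-cased map name, no peer, no NAT exemption, no key.
BAD_CONFIG = """
access-list inside_outbound_nat0_acl permit ip 200.200.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 80 permit ip 200.200.200.0 255.255.255.0 200.200.56.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map HVTHrift 10 ipsec-isakmp
crypto map HVThrift interface outside
crypto map newyork 10 ipsec-isakmp
crypto map newyork 10 match address 80
isakmp enable outside
"""

# Static crypto map entries only; "ipsec-isakmp dynamic ..." lines do not match.
CRYPTO_ENTRY_RE = re.compile(
    r"crypto map (\S+) (\d+) (ipsec-isakmp|match address \S+|set peer \S+|set transform-set \S+)$")


def parse_config(text):
    """Pull out the parts of a PIX 6.x config that a site-to-site tunnel depends on."""
    cfg = {"acls": defaultdict(list), "entries": defaultdict(dict),
           "bound": {}, "nat0": None, "keys": [], "tsets": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["acls"][m[1]].append(m.groups()[1:])      # (src, smask, dst, dmask)
        elif m := CRYPTO_ENTRY_RE.match(line):
            entry, words = cfg["entries"][(m[1], m[2])], m[3].split()
            if words[0] == "match":
                entry["match"] = words[2]
            elif words[0] == "set":
                entry["peer" if words[1] == "peer" else "tset"] = words[2]
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            cfg["bound"][m[2]] = m[1]
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0"] = m[1]
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask (\S+)$", line):
            cfg["keys"].append((m[1], m[2]))
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            cfg["tsets"].add(m[1])
    return cfg


def check_site_to_site(text):
    """Return a list of findings; an empty list means the prerequisites are in place."""
    cfg = parse_config(text)
    findings = []
    if not cfg["keys"]:
        findings.append("no isakmp key configured, so phase 1 cannot authenticate")
    by_lower = defaultdict(set)
    for name in [n for n, _ in cfg["entries"]] + list(cfg["bound"].values()):
        by_lower[name.lower()].add(name)
    for names in by_lower.values():
        if len(names) > 1:                  # map names are case-sensitive on the PIX
            findings.append("crypto map names differ only in case and are separate maps: "
                            + ", ".join(sorted(names)))
    nat0_flows = cfg["acls"].get(cfg["nat0"], []) if cfg["nat0"] else []
    for (name, seq), entry in sorted(cfg["entries"].items()):
        for field, keyword in (("match", "match address"), ("peer", "set peer"),
                               ("tset", "set transform-set")):
            if field not in entry:
                findings.append(f"crypto map {name} {seq} has no '{keyword}' line")
        if "tset" in entry and entry["tset"] not in cfg["tsets"]:
            findings.append(f"crypto map {name} {seq} uses undefined transform-set {entry['tset']}")
        if name not in cfg["bound"].values():
            findings.append(f"crypto map {name} is not applied to any interface")
        for flow in cfg["acls"].get(entry.get("match"), []):
            if flow not in nat0_flows:      # tunnel traffic would be NATed instead of encrypted
                findings.append("%s/%s -> %s/%s is in the crypto ACL but not in the nat 0 ACL" % flow)
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_site_to_site(text) or ["ok"])
```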
 
LVL 1

Author Comment

by:smnphoenix
ID: 10882670
A multiplication of all the help arrived at the answer. The big answer was the first, and then the setup of the exemption rules.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10883281
Good stuff...
To make it as secure as possible, I would recommend either 3DES-SHA or AES-128-SHA throughout, with a 14400 second phase 1 and phase 2 timeout as your cipher suite.
0