Solved

creating a tunnel between a linksys vpn router and a pix 515e firewall

Posted on 2004-10-27
1,873 Views
Last Modified: 2013-11-16
I have been looking for answers regarding any success stories on how to connect a Linksys BEFSX41 and a PIX firewall for IPsec tunneling. I would appreciate any guidance you can provide.
0
Question by:BlessingWhite
    13 Comments
     
    LVL 8

    Expert Comment

    by:amirinamdar
    Maybe this will help: www.htthost.com
    0
     
    LVL 79

    Accepted Solution

    by:
    On your Linksys, VPN setup page:

    (*)enable     ()disable

    Tunnel name [TOPIX    ]

    Local network:  Subnet    192.168.1.0   <== change as appropriate
                            Mask      255.255.255.0
    Remote Secure Group: Subnet 192.168.133.0  <== Lan side of PIX
                                      Mask    255.255.255.0
    Remote secure gateway: IP address    12.34.56.7  <== Outside IP of PIX
    Encryption:      (*)DES    () 3DES   ()Disable
    Authen:           (*)MD5   () SHA   ()Disable
    Key Management [Auto(IKE) ]
                         []  PFS   <== leave un-checked
                         Pre-shared key [ GoodPa$$worD ]
                         Lifetime           [3600                 ] Sec.

    Click [ Connect ]
    -----------------------------------------------------------------------------------------
    On the PIX side:
    {example based on remote LAN = 192.168.1.0 / 24
                                  Local LAN   = 192.168.133.0 /24  }

    access-list NO_NAT permit ip 192.168.133.0 255.255.255.0 192.168.1.0 255.255.255.0   <== /24 mask on the local LAN, same as the example above
    access-list outside_cryptomap_40 permit ip  192.168.133.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list NO_NAT

    sysopt connection permit-ipsec

    crypto ipsec transform-set LAB esp-des esp-md5-hmac   <== DES + MD5 matches choices on the Linksys side
    crypto map CRYMAP 40 ipsec-isakmp
    crypto map CRYMAP 40 match address outside_cryptomap_40
    crypto map CRYMAP 40 set peer 56.78.9.12 <=== WAN IP of Linksys
    crypto map CRYMAP 40 set transform-set LAB
    crypto map CRYMAP interface outside

    isakmp enable outside
    isakmp key GoodPa$$worD address 56.78.9.12 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption des  <== match on the Linksys side
    isakmp policy 1 hash md5   <== match "Authentication" on the Linksys side
    isakmp policy 1 group 2  <== you may have to experiment with either Group 1 or 2, start with group 2
    isakmp policy 1 lifetime 3600



    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Hello? Any response?

    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Are you still working on this? Do you need more information?
    0
     

    Author Comment

    by:BlessingWhite
    I will try it tonight 11/3/2004 thanks.

    0
     

    Author Comment

    by:BlessingWhite
    OK, after several months of trying and tweaking, I finally got the connection part; however, I'm not able to see either side of the tunnel. Do I need to add special routing statements in my home LAN to be able to see the corporate net?
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    If the Linksys is your default gateway for your home LAN, then no routing necessary.
    Same on the corp side. If the PIX is the default gateway for the corp net, no route statements needed.
    If they are not your defaults, then yes, any intermediary router will need a route statement to the remote subnet.
    Can you not even ping hosts on either side of the tunnel?
    0
     

    Author Comment

    by:BlessingWhite
    No, I'm not able to ping. I do see the tunnels connected and the Linksys saying it's connected.

    Home LAN 192.168.1.0 255.255.255.0 <---> PIX 67.x.x.x <----> corporate LAN 10.23.129.0 255.255.255.0

    Do I need to recreate my access-list or add a new one?
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    Does the PIX have configurations similar to these:
      access-list NO_NAT permit ip 10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0
      access-list outside_cryptomap_40 permit ip  10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0

    0
     

    Author Comment

    by:BlessingWhite
    No, I thought I had added the access list. You have 10.23.129.0 with mask 255.255.0.0; should it be /16 or /24? I'll try this tonight. Thank you
    0
     
    LVL 79

    Expert Comment

    by:lrmoore
    It should be /24, 255.255.255.0.
    Sorry about that..
    0
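    As an added example (not from the thread), the following Python check parses the PIX crypto statements from the accepted answer and compares them against the Linksys VPN page values, flagging the kind of crypto ACL mask mismatch discussed in the last few comments as well as peer, pre-shared key and transform-set disagreements. The LINKSYS dictionary, the PIX_CONFIG text and all function names are constructed for this example from the values in the answer.

```python
import ipaddress
import re

# Constructed sample of the Linksys VPN page settings from the accepted answer.
LINKSYS = {"local": "192.168.1.0/255.255.255.0", "remote": "192.168.133.0/255.255.255.0",
           "wan_ip": "56.78.9.12", "enc": "des", "auth": "md5", "psk": "GoodPa$$worD"}

# Constructed copy of the PIX lines from the answer, keeping its 255.255.0.0 mask on the crypto ACL.
PIX_CONFIG = """\
access-list outside_cryptomap_40 permit ip 192.168.133.0 255.255.0.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set LAB esp-des esp-md5-hmac
crypto map CRYMAP 40 match address outside_cryptomap_40
crypto map CRYMAP 40 set peer 56.78.9.12
crypto map CRYMAP 40 set transform-set LAB
isakmp key GoodPa$$worD address 56.78.9.12 netmask 255.255.255.255 no-xauth no-config-mode
"""

PATTERNS = {  # one regex per PIX statement the comparison needs; group 1 names an ACL or transform-set
    "acl": r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)",
    "tset": r"crypto ipsec transform-set (\S+) (\S+) (\S+)",
    "match": r"crypto map \S+ \d+ match address (\S+)", "peer": r"crypto map \S+ \d+ set peer (\S+)",
    "use_tset": r"crypto map \S+ \d+ set transform-set (\S+)", "key": r"isakmp key (\S+) address (\S+)"}

def net(cidr):  # strict=False so a too-wide mask (255.255.0.0 on a /24 LAN) yields a visibly different network
    return ipaddress.ip_network(cidr, strict=False)

def parse_pix(text):
    cfg = {"acl": {}, "tset": {}}  # ACLs and transform-sets keyed by name; the rest keyed by PATTERNS key
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if m and key == "acl":
                cfg["acl"][m[1]] = (net(f"{m[2]}/{m[3]}"), net(f"{m[4]}/{m[5]}"))
            elif m and key == "tset":
                cfg["tset"][m[1]] = m.groups()[1:]
            elif m:
                cfg[key] = m.groups() if len(m.groups()) > 1 else m[1]
    return cfg

def check_tunnel(pix_text, linksys):
    """Return the mismatches between the PIX crypto config and the Linksys VPN page (empty = consistent)."""
    cfg, problems = parse_pix(pix_text), []
    src, dst = cfg["acl"][cfg["match"]]  # the ACL the crypto map actually uses
    if (src, dst) != (net(linksys["remote"]), net(linksys["local"])):
        problems.append(f"crypto ACL {src} -> {dst} != Linksys remote {net(linksys['remote'])} -> local {net(linksys['local'])}")
    if cfg["peer"] != linksys["wan_ip"] or cfg["key"] != (linksys["psk"], linksys["wan_ip"]):
        problems.append("crypto map peer / isakmp key does not match the Linksys WAN IP and pre-shared key")
    if cfg["tset"][cfg["use_tset"]] != (f"esp-{linksys['enc']}", f"esp-{linksys['auth']}-hmac"):
        problems.append("transform-set does not match the Linksys encryption/authentication choices")
    return problems
```

    Run against the sample as posted it reports the 255.255.0.0 mask as a 192.168.0.0/16 proxy identity that the Linksys /24 remote group will never match; with the mask corrected to 255.255.255.0 it reports nothing.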
     

    Author Comment

    by:BlessingWhite
    Thanks lrmoore, I got it working. Now I'm going to try connecting an IP phone and see if the TFTP server reaches the phone.
    0
     

    Author Comment

    by:BlessingWhite
    Well, no luck with the IP phone. I need to get DHCP and TFTP to work. Thanks for all your help.
    0
