Creating a tunnel between a Linksys VPN router and a PIX 515E firewall

I have been looking for answers regarding any success stories on how to connect a Linksys BEFSX41 and a PIX firewall for IPsec tunneling. I would appreciate any guidance you can provide.
BlessingWhite Asked:

amirinamdar Commented:
Maybe this will help: www.htthost.com
0
lrmoore Commented:
On your Linksys, VPN setup page:

(*)enable     ()disable

Tunnel name [TOPIX    ]

Local network:         Subnet 192.168.1.0      <== change as appropriate
                       Mask   255.255.255.0
Remote Secure Group:   Subnet 192.168.133.0    <== LAN side of PIX
                       Mask   255.255.255.0
Remote secure gateway: IP address 12.34.56.7   <== Outside IP of PIX
Encryption:      (*)DES    () 3DES   ()Disable
Authen:           (*)MD5   () SHAn   ()Disable
Key Management [Auto(IKE) ]
                     []  PFS   <== leave un-checked
                     Pre-shared key [ GoodPa$$worD ]
                     Lifetime           [3600                 ] Sec.

Click [ Connect ]
-----------------------------------------------------------------------------------------
On the PIX side:
{example based on remote LAN = 192.168.1.0 / 24
                              Local LAN   = 192.168.133.0 /24  }

access-list NO_NAT permit ip 192.168.133.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.133.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

sysopt connection permit-ipsec

crypto ipsec transform-set LAB esp-des esp-md5-hmac   <== DES + MD5 matches choices on the Linksys side
crypto map CRYMAP 40 ipsec-isakmp
crypto map CRYMAP 40 match address outside_cryptomap_40
crypto map CRYMAP 40 set peer 56.78.9.12 <=== WAN IP of Linksys
crypto map CRYMAP 40 set transform-set LAB
crypto map CRYMAP interface outside

isakmp enable outside
isakmp key GoodPa$$worD address 56.78.9.12 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des  <== match on the Linksys side
isakmp policy 1 hash md5   <== match "Authentication" on the Linksys side
isakmp policy 1 group 2  <== you may have to experiment with either Group 1 or 2, start with group 2
isakmp policy 1 lifetime 3600



0

lrmoore Commented:
Hello? Any response?

0

lrmoore Commented:
Are you still working on this? Do you need more information?
0
BlessingWhite (Author) Commented:
I will try it tonight, 11/3/2004. Thanks.

0
BlessingWhite (Author) Commented:
OK, after several months of trying and tweaking, I finally got the connection part; however, I'm not able to see either side of the tunnel. Do I need to add special routing statements in my home LAN to be able to see the corporate net?
0
lrmoore Commented:
If the Linksys is your default gateway for your home LAN, then no routing is necessary.
Same on the corp side. If the PIX is the default gateway for the corp net, no route statements are needed.
If they are not your defaults, then yes, any intermediary router will need a route statement to the remote subnet.
Can you not even ping hosts on either side of the tunnel?
0
BlessingWhite (Author) Commented:
No, I'm not able to ping. I do see the tunnels connected and the Linksys saying it's connected.

Home lan 192.168.1.0 255.555.555.0 <--->pix 67.x.x.x <----> corporate lan 10.23.129.0 255.255.255.0

Do I need to recreate my access-list or add a new one?
0
lrmoore Commented:
Does the PIX have configurations similar to these:
  access-list NO_NAT permit ip 10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0
  access-list outside_cryptomap_40 permit ip  10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0

0
BlessingWhite (Author) Commented:
No, I thought I had added the access list. You have 10.23.129.0 with mask 255.255.0.0; should it be 0/16 or 0/24? I'll try this tonight. Thank you.
0
lrmoore Commented:
It should be /24 255.255.255.0
Sorry about that.
0
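An added example, not part of the thread: a small Python check that the PIX ACL entries mirror the Linksys "Local network" and "Remote Secure Group" settings, which flags the 255.255.0.0 mask corrected just above. The config text is a constructed sample built from the addresses in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample using the thread's addresses: the PIX ACLs as first
# suggested (mask 255.255.0.0) before the /24 correction.
PIX_CONFIG = """\
access-list NO_NAT permit ip 10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0
"""
# Linksys side: "Local network" and "Remote Secure Group" as (subnet, mask).
LINKSYS = {"local": ("192.168.1.0", "255.255.255.0"),
           "remote": ("10.23.129.0", "255.255.255.0")}

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Return {acl_name: [(src, src_mask, dst, dst_mask), ...]}."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return acls

def check_selectors(config, linksys):
    """Compare every PIX ACL entry with the mirror image of the Linksys networks."""
    problems = []
    # PIX source = Linksys "remote" group; PIX destination = Linksys "local" network.
    want_src = ipaddress.ip_network("/".join(linksys["remote"]))
    want_dst = ipaddress.ip_network("/".join(linksys["local"]))
    for name, entries in parse_acls(config).items():
        for src, smask, dst, dmask in entries:
            for label, addr, mask, want in (("source", src, smask, want_src),
                                            ("destination", dst, dmask, want_dst)):
                # strict=False masks off host bits; an invalid mask raises ValueError.
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                if str(net.network_address) != addr:
                    problems.append(f"{name}: {label} {addr} {mask} has host bits set")
                if net != want:
                    problems.append(f"{name}: {label} {net} != Linksys side {want}")
    return problems

if __name__ == "__main__":
    for p in check_selectors(PIX_CONFIG, LINKSYS):
        print(p)
```

With the mask changed to 255.255.255.0 in both ACL lines, the check returns no problems.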
BlessingWhite (Author) Commented:
Thanks lrmoore, I got it working. Now I'm going to try connecting an IP phone and see if the TFTP server reaches the phone.
0
BlessingWhite (Author) Commented:
Well, no luck with the IP phone. I need to get the DHCP and TFTP to work. Thanks for all your help.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.