
creating a tunnel between a linksys vpn router and a pix 515e firewall

I have been looking for answers regarding any success stories on how to connect a Linksys BEFSX41 and a PIX firewall for IPsec tunneling. I would appreciate any guidance you can provide.
amirinamdar commented:
Maybe this will help: www.htthost.com
 
lrmoore commented:
On your Linksys, VPN setup page:

(*) Enable     ( ) Disable

Tunnel name [TOPIX    ]

Local network:         Subnet 192.168.1.0      <== change as appropriate
                       Mask   255.255.255.0
Remote Secure Group:   Subnet 192.168.133.0    <== LAN side of PIX
                       Mask   255.255.255.0
Remote secure gateway: IP address 12.34.56.7   <== Outside IP of PIX
Encryption:      (*) DES   ( ) 3DES   ( ) Disable
Authentication:  (*) MD5   ( ) SHA    ( ) Disable
Key Management [Auto (IKE)]
                     [ ] PFS   <== leave unchecked
                     Pre-shared key [ GoodPa$$worD ]
                     Lifetime [3600] Sec.

Click [ Connect ]
-----------------------------------------------------------------------------------------
On the PIX side:
{example based on remote LAN = 192.168.1.0/24
                  local LAN  = 192.168.133.0/24 }

access-list NO_NAT permit ip 192.168.133.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.133.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

sysopt connection permit-ipsec

crypto ipsec transform-set LAB esp-des esp-md5-hmac   <== DES + MD5 matches choices on the Linksys side
crypto map CRYMAP 40 ipsec-isakmp
crypto map CRYMAP 40 match address outside_cryptomap_40
crypto map CRYMAP 40 set peer 56.78.9.12 <== WAN IP of Linksys
crypto map CRYMAP 40 set transform-set LAB
crypto map CRYMAP interface outside

isakmp enable outside
isakmp key GoodPa$$worD address 56.78.9.12 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des  <== match on the Linksys side
isakmp policy 1 hash md5   <== match "Authentication" on the Linksys side
isakmp policy 1 group 2  <== you may have to experiment with either Group 1 or 2, start with group 2
isakmp policy 1 lifetime 3600

 
lrmoore commented:
Hello? Any response?

lrmoore commented:
Are you still working on this? Do you need more information?
 
BlessingWhite (author) commented:
I will try it tonight 11/3/2004 thanks.

 
BlessingWhite (author) commented:
OK, after several months of trying and tweaking, I finally got the connection part; however, I'm not able to see either side of the tunnel. Do I need to add special routing statements in my home LAN to be able to see the corporate net?
 
lrmoore commented:
If the Linksys is your default gateway for your home LAN, then no routing is necessary.
Same on the corp side. If the PIX is the default gateway for the corp net, no route statements are needed.
If they are not your defaults, then yes, any intermediary router will need a route statement to the remote subnet.
Can you not even ping hosts on either side of the tunnel?
 
BlessingWhite (author) commented:
No, I'm not able to ping. I do see the tunnels connected, and the Linksys says it's connected.

Home LAN 192.168.1.0 255.255.255.0 <---> PIX 67.x.x.x <----> corporate LAN 10.23.129.0 255.255.255.0

Do I need to recreate my access-list or add a new one?
 
lrmoore commented:
Does the PIX have configurations similar to these:
  access-list NO_NAT permit ip 10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0
  access-list outside_cryptomap_40 permit ip  10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0

 
BlessingWhite (author) commented:
No, I thought I had added the access list. You have 10.23.129.0 with mask 255.255.0.0; should it be /16 or /24? I'll try this tonight. Thank you.
 
lrmoore commented:
It should be /24, 255.255.255.0.
Sorry about that.
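As an added consistency check (not code from this thread or from either vendor), the following Python script parses the PIX access-list, transform-set and isakmp lines from the configuration posted earlier and compares them with the values entered on the Linksys VPN page, flagging exactly the 255.255.0.0 ACL masks that were just corrected to 255.255.255.0. The PIX text and Linksys values are constructed from the examples in this thread.

```python
import ipaddress
import re

# Constructed sample: the PIX side as first posted in this thread, with the
# 255.255.0.0 ACL masks that were later corrected to 255.255.255.0.
PIX_CONFIG = """
access-list NO_NAT permit ip 10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_40 permit ip  10.23.129.0 255.255.0.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set LAB esp-des esp-md5-hmac
isakmp key GoodPa$$worD address 56.78.9.12 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 1 encryption des
isakmp policy 1 hash md5
"""

# Constructed sample: the values entered on the Linksys VPN page.
LINKSYS = {"local": "192.168.1.0/24", "remote": "10.23.129.0/24",
           "encryption": "des", "auth": "md5", "psk": "GoodPa$$worD"}

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
XFORM_RE = re.compile(r"^crypto ipsec transform-set \S+ esp-(\w+) esp-(\w+)-hmac")
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)")
POLICY_RE = re.compile(r"^isakmp policy \d+ (encryption|hash) (\S+)")

def check_tunnel(pix_text, linksys):
    """Return mismatches between the PIX config and the Linksys form; [] means they agree."""
    problems = []
    # The PIX's own LAN is what the Linksys calls its "remote" network, and vice versa.
    pix_lan = ipaddress.ip_network(linksys["remote"])
    linksys_lan = ipaddress.ip_network(linksys["local"])
    for raw in pix_text.splitlines():
        line = " ".join(raw.split())  # collapse doubled spaces seen in pasted configs
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            for net, mask, want in ((src, smask, pix_lan), (dst, dmask, linksys_lan)):
                got = ipaddress.ip_network(f"{net}/{mask}", strict=False)  # 10.23.129.0/255.255.0.0 -> 10.23.0.0/16
                if got != want:
                    problems.append(f"{name}: {net} {mask} selects {got}, expected {want}")
        elif m := XFORM_RE.match(line):
            if m.groups() != (linksys["encryption"], linksys["auth"]):
                problems.append(f"transform-set {m.group(1)}/{m.group(2)} does not match Linksys encryption/auth")
        elif m := KEY_RE.match(line):
            if m.group(1) != linksys["psk"]:
                problems.append("pre-shared key differs from the Linksys side")
        elif m := POLICY_RE.match(line):
            attr, val = m.groups()
            want = linksys["encryption" if attr == "encryption" else "auth"]
            if val != want:
                problems.append(f"isakmp policy {attr} {val} does not match Linksys {want}")
    return problems
```

Running `check_tunnel(PIX_CONFIG, LINKSYS)` reports the two ACL lines whose 255.255.0.0 mask selects 10.23.0.0/16 instead of the intended 10.23.129.0/24; with the masks corrected it returns an empty list.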
 
BlessingWhite (author) commented:
Thanks lrmoore, I got it working. Now I'm going to try connecting an IP phone and see if the TFTP server reaches the phone.
 
BlessingWhite (author) commented:
Well, no luck with the IP phone; I need to get DHCP and TFTP to work. Thanks for all your help.
