Learn how to a build a cloud-first strategyRegister Now


Site-to-site VPN tunnel between Pix 506E and Linksys RV042

Posted on 2006-04-24
Medium Priority
Last Modified: 2013-11-16
I have created an ipsec tunnel between my pix 506e and a linksys rv042.  The tunnel establishes just fine, but no traffic will flow over it.  This is my first time doing this, and I would like to know if I have configured something incorrectly on my pix.  Here is the config:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name brni.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list from_outside permit icmp host any echo-reply
access-list from_outside permit icmp host any echo-reply
access-list from_outside permit icmp host any echo-reply
access-list from_outside permit icmp any host echo-reply
access-list from_outside permit icmp any host echo
access-list from_outside permit tcp any host eq domain
access-list from_outside permit udp any host eq domain
access-list chicago_vpn permit ip
access-list no_nat_chicago_vpn permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_chicago_vpn
nat (inside) 1 0 0
access-group from_outside in interface outside
route outside 1
route inside 1
route inside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chicago_set esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address chicago_vpn
crypto map newmap 10 set pfs group2
crypto map newmap 10 set peer
crypto map newmap 10 set transform-set chicago_set
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 10000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by:BRNIIT
  • 2
  • 2
LVL 79

Expert Comment

ID: 16529921
>route inside 1
>access-list chicago_vpn permit ip
>access-list no_nat_chicago_vpn permit ip

So you only want the subnet to go across the VPN tunnel to the Linksys?
Does the router that is know to route traffic destined for over to the PIX?
What is result of "show cry is sa"
If you see nothing, look at result of "show access-list" if you get zero hitcounts on your chicago vpn access-lists, then you have a routing issue.
If you see QM_IDLE you should be golden
If you see MM_NO_STATE you may have a policy mismatch. Make sure PFS is not enabled on the Linksys.
If you see MM_KEYEXCHANGE try the command again in a few seconds.

Any particular reason you are using DES and Group 1 vs 3DES and group 2 ?

Author Comment

ID: 16530167
The subnet is good enough for now, just to make sure it's working.  The router has the pix as its default gateway.  Is that good enough for it to properly route the traffic destined for back to the pix, or do I need to explicitly specify a route?

When I do a sh cry is sa I get QM_IDLE, and the hitcounts are going up for the chicago access-lists.

I was just using DES and Group 1 as opposed to 3DES and Group 2 for performance - is there a big difference?  Do you think that would be preventing the traffic for any reason?

Thanks for your help.
LVL 79

Accepted Solution

lrmoore earned 1000 total points
ID: 16530312
Hmmmm....looks like everything "should" be working.
Default pointing to PIX should be all you need.
Do you get "connected" indicator on the Linksys side?
Is the Linksys LAN IP the default gateway for everything on that end?
Look at "show cry ip sa" and look for encrypt/decrypt counters and error counters.
increasing counters on encrypt/decrypt means traffic is indeed flowing between the two networks.

There should not be a performance hit with either DES or 3DES. If you have the 3des license you might want to consider using it later, but just get them working now..

DOH! I missed this little tidbit earlier:
>route inside 1
Since the remote side falls within this mask, you've got a routing loop pointing back to the other router.
 no route inside 1
 route inside


Author Comment

ID: 16530736
I'm embarassed that I missed that.  Many thanks to the great lrmoore.  It's working fine now.

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…
Suggested Courses
Course of the Month21 days, 7 hours left to enroll

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question