Site-to-site VPN tunnel between Pix 506E and Linksys RV042

Posted on 2006-04-24
Last Modified: 2013-11-16
I have created an IPsec tunnel between my PIX 506E and a Linksys RV042.  The tunnel establishes just fine, but no traffic will flow over it.  This is my first time doing this, and I would like to know if I have configured something incorrectly on my PIX.  Here is the config:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list from_outside permit icmp host any echo-reply
access-list from_outside permit icmp host any echo-reply
access-list from_outside permit icmp host any echo-reply
access-list from_outside permit icmp any host echo-reply
access-list from_outside permit icmp any host echo
access-list from_outside permit tcp any host eq domain
access-list from_outside permit udp any host eq domain
access-list chicago_vpn permit ip
access-list no_nat_chicago_vpn permit ip
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_chicago_vpn
nat (inside) 1 0 0
access-group from_outside in interface outside
route outside 1
route inside 1
route inside 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http inside
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chicago_set esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address chicago_vpn
crypto map newmap 10 set pfs group2
crypto map newmap 10 set peer
crypto map newmap 10 set transform-set chicago_set
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address netmask no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 10000
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end
Question by:BRNIIT

    Expert Comment

    >route inside 1
    >access-list chicago_vpn permit ip
    >access-list no_nat_chicago_vpn permit ip

    So you only want the subnet to go across the VPN tunnel to the Linksys?
    Does the router that is know to route traffic destined for over to the PIX?
    What is result of "show cry is sa"
    If you see nothing, look at result of "show access-list" if you get zero hitcounts on your chicago vpn access-lists, then you have a routing issue.
    If you see QM_IDLE you should be golden
    If you see MM_NO_STATE you may have a policy mismatch. Make sure PFS is not enabled on the Linksys.
    If you see MM_KEYEXCHANGE try the command again in a few seconds.

    Any particular reason you are using DES and Group 1 vs 3DES and group 2 ?
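
    A small triage script for the checklist in the comment above, written here as an added example (it is not code from the thread). It reads captured output of "show crypto isakmp sa" and "show crypto ipsec sa" from a PIX 6.3, applies the expert's rules in order (phase-1 state for the peer first, then the encrypt/decrypt and error counters), and returns the findings. The two sample outputs are constructed in the PIX 6.3 layout using RFC 5737 documentation addresses; they are not the poster's real output, and the remote subnet 192.168.10.0/24 is an assumption.

```python
"""Triage helper for the PIX 6.3 site-to-site checklist.

Added example, not code from the original thread. The sample CLI output
below is constructed (PIX 6.3 layout, RFC 5737 addresses).
"""
import re

# Constructed: "show crypto isakmp sa" with one phase-1 SA to the peer.
SAMPLE_ISAKMP = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   203.0.113.1      198.51.100.1    QM_IDLE         0           1
"""

# Constructed: counter block of "show crypto ipsec sa" for that SA. Packets
# are encrypted but none decrypted, the pattern seen when the far side never
# sends anything back into the tunnel.
SAMPLE_IPSEC = """\
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer: 203.0.113.1:500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

ISAKMP_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([A-Z_]+)\s+\d+\s+\d+\s*$")
PKTS_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")
ERRS_RE = re.compile(r"#(send|recv) errors (\d+)")

# Meaning of each phase-1 state, per the expert's checklist. PIX 6.3 prints
# the key-exchange state as MM_KEY_EXCH; the comment's spelling is kept too.
STATE_ADVICE = {
    "QM_IDLE": "phase 1 is up; check IPsec counters and routing",
    "MM_NO_STATE": "possible policy mismatch; make sure PFS is not enabled on the Linksys",
    "MM_KEY_EXCH": "negotiation in progress; re-run the command in a few seconds",
    "MM_KEYEXCHANGE": "negotiation in progress; re-run the command in a few seconds",
}


def isakmp_state(output, peer):
    """Return the ISAKMP SA state for `peer` (dst or src column), or None."""
    for line in output.splitlines():
        m = ISAKMP_ROW.match(line)
        if m and peer in (m.group(1), m.group(2)):
            return m.group(3)
    return None


def ipsec_counters(output):
    """Extract encrypt/decrypt packet counts and send/recv error counts."""
    counters = {}
    for m in PKTS_RE.finditer(output):
        counters[m.group(1)] = int(m.group(2))
    for m in ERRS_RE.finditer(output):
        counters[m.group(1) + "_errors"] = int(m.group(2))
    return counters


def diagnose(isakmp_output, ipsec_output, peer):
    """Apply the checklist and return the findings as a list of strings."""
    findings = []
    state = isakmp_state(isakmp_output, peer)
    if state is None:
        findings.append(f"no ISAKMP SA with {peer}: check crypto ACL hitcounts; "
                        "zero hits means a routing problem")
        return findings
    findings.append(f"ISAKMP {state}: {STATE_ADVICE.get(state, 'unexpected state')}")
    if state != "QM_IDLE":
        return findings
    c = ipsec_counters(ipsec_output)
    enc, dec = c.get("encrypt", 0), c.get("decrypt", 0)
    if enc == 0 and dec == 0:
        findings.append("encrypt 0, decrypt 0: nothing enters the tunnel; check the PIX "
                        "routing table and the crypto ACL")
    elif dec == 0:
        findings.append(f"encrypt {enc}, decrypt 0: traffic leaves encrypted but nothing "
                        "returns; check the remote side's routing and default gateway")
    else:
        findings.append(f"encrypt {enc}, decrypt {dec}: traffic is flowing both ways")
    errs = c.get("send_errors", 0) + c.get("recv_errors", 0)
    if errs:
        findings.append(f"{errs} send/recv errors reported on the IPsec SA")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_ISAKMP, SAMPLE_IPSEC, "203.0.113.1"):
        print(finding)
```

    Run it against the two captured outputs with the peer's address; the order of the checks matters, since counters on the IPsec SA are only meaningful once phase 1 has reached QM_IDLE.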

    Author Comment

    The subnet is good enough for now, just to make sure it's working.  The router has the pix as its default gateway.  Is that good enough for it to properly route the traffic destined for back to the pix, or do I need to explicitly specify a route?

    When I do a sh cry is sa I get QM_IDLE, and the hitcounts are going up for the chicago access-lists.

    I was just using DES and Group 1 as opposed to 3DES and Group 2 for performance - is there a big difference?  Do you think that would be preventing the traffic for any reason?

    Thanks for your help.

    Accepted Solution

    Hmmmm....looks like everything "should" be working.
    Default pointing to PIX should be all you need.
    Do you get "connected" indicator on the Linksys side?
    Is the Linksys LAN IP the default gateway for everything on that end?
    Look at "show cry ip sa" and look for encrypt/decrypt counters and error counters.
    increasing counters on encrypt/decrypt means traffic is indeed flowing between the two networks.

    There should not be a performance hit with either DES or 3DES. If you have the 3des license you might want to consider using it later, but just get them working now..

    DOH! I missed this little tidbit earlier:
    >route inside 1
    Since the remote side falls within this mask, you've got a routing loop pointing back to the other router.
     no route inside 1
     route inside
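
    The mistake found in the accepted solution can be caught statically. The following is an added example, not part of the original thread: it reads a PIX 6.3 style configuration, pairs every crypto-map ACL with the routing table, and flags any route on an interface other than the crypto map's interface whose mask covers a VPN remote subnet. Such traffic is routed to the LAN router before the crypto map on the outside interface can grab it, which is exactly the "tunnel up, no traffic" symptom above. It also reports the DES/MD5/group 1 phase-1 settings the expert questioned. The configuration fragments and all addresses in them are hypothetical.

```python
"""Static check for an inside route that shadows a VPN remote subnet.

Added example, not code from the original thread. The configuration
fragments and addresses below are hypothetical.
"""
import ipaddress
import re

# Constructed fragment reproducing the thread's mistake: the inside summary
# route 192.168.0.0/16 also covers the VPN remote subnet 192.168.10.0/24.
BAD_CONFIG = """\
access-list chicago_vpn permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
route inside 192.168.0.0 255.255.0.0 192.168.1.2 1
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address chicago_vpn
crypto map newmap interface outside
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
"""

# Constructed corrected fragment: the inside route narrowed to the subnet
# actually behind the LAN router, and 3DES/SHA/group 2 for phase 1.
GOOD_CONFIG = (BAD_CONFIG
               .replace("route inside 192.168.0.0 255.255.0.0",
                        "route inside 192.168.5.0 255.255.255.0")
               .replace("encryption des", "encryption 3des")
               .replace("hash md5", "hash sha")
               .replace("group 1", "group 2"))

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
CRYPTO_IF_RE = re.compile(r"^crypto map \S+ interface (\S+)$")
POLICY_RE = re.compile(r"^isakmp policy \d+ (encryption|hash|group) (\S+)$")

# Phase-1 settings the expert asked about.
WEAK_PHASE1 = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}


def net(addr, mask):
    """Build a network object from PIX 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def lint(config):
    """Return a list of (kind, message) findings for the configuration text."""
    routes, acls, crypto_acls, crypto_iface = [], {}, set(), None
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if m:
            iface, addr, mask, gw = m.groups()
            routes.append((iface, net(addr, mask), gw))
            continue
        m = ACL_RE.match(line)
        if m:
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((net(sa, sm), net(da, dm)))
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto_acls.add(m.group(1))
            continue
        m = CRYPTO_IF_RE.match(line)
        if m:
            crypto_iface = m.group(1)
            continue
        m = POLICY_RE.match(line)
        if m and m.group(2) in WEAK_PHASE1[m.group(1)]:
            findings.append(("weak-phase1",
                             f"isakmp policy uses {m.group(1)} {m.group(2)}"))
    # A route off any non-crypto interface that contains a remote subnet wins
    # the routing decision before the crypto map is consulted.
    for name in sorted(crypto_acls):
        for _local, remote in acls.get(name, []):
            for iface, route_net, gw in routes:
                if iface != crypto_iface and remote.subnet_of(route_net):
                    findings.append(("route-shadows-vpn",
                                     f"route {iface} {route_net} via {gw} covers VPN "
                                     f"remote subnet {remote} (acl {name}); narrow it "
                                     f"so {remote} follows the route out {crypto_iface}"))
    return findings


if __name__ == "__main__":
    for kind, message in lint(BAD_CONFIG):
        print(f"{kind}: {message}")
    print("corrected config findings:", lint(GOOD_CONFIG))
```

    The check only looks at static masks, so it says nothing about the LAN router's own routing; the expert's reminder that the router behind the PIX must default to the PIX still has to be verified by hand.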


    Author Comment

    I'm embarrassed that I missed that.  Many thanks to the great lrmoore.  It's working fine now.
