Site-to-site VPN tunnel between Pix 506E and Linksys RV042

I have created an ipsec tunnel between my pix 506e and a linksys rv042.  The tunnel establishes just fine, but no traffic will flow over it.  This is my first time doing this, and I would like to know if I have configured something incorrectly on my pix.  Here is the config:

PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewall
domain-name brni.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list from_outside permit icmp host 216.12.2.210 any echo-reply
access-list from_outside permit icmp host 216.12.8.1 any echo-reply
access-list from_outside permit icmp host 216.12.8.2 any echo-reply
access-list from_outside permit icmp any host 216.12.8.2 echo-reply
access-list from_outside permit icmp any host 216.12.8.2 echo
access-list from_outside permit tcp any host 216.12.8.1 eq domain
access-list from_outside permit udp any host 216.12.8.1 eq domain
access-list chicago_vpn permit ip 10.1.0.0 255.255.0.0 10.226.219.0 255.255.255.0
access-list no_nat_chicago_vpn permit ip 10.1.0.0 255.255.0.0 10.226.219.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 216.12.8.2 255.255.255.240
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat_chicago_vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group from_outside in interface outside
route outside 0.0.0.0 0.0.0.0 216.12.8.6 1
route inside 10.0.0.0 255.0.0.0 192.168.0.2 1
route inside 192.168.1.0 255.255.255.0 192.168.0.2 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
http 10.1.8.201 255.255.255.255 inside
http 10.1.1.199 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set chicago_set esp-des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address chicago_vpn
crypto map newmap 10 set pfs group2
crypto map newmap 10 set peer 100.100.100.100
crypto map newmap 10 set transform-set chicago_set
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address 100.100.100.100 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 10000
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:84b12bf257ed6163454ad89a5a065502
: end
BRNIIT asked:

lrmoore commented:
>route inside 10.0.0.0 255.0.0.0 192.168.0.2 1
>access-list chicago_vpn permit ip 10.1.0.0 255.255.0.0 10.226.219.0 255.255.255.0
>access-list no_nat_chicago_vpn permit ip 10.1.0.0 255.255.0.0 10.226.219.0 255.255.255.0

So you only want the 10.1.0.0 subnet to go across the VPN tunnel to the Linksys?
Does the router that is 192.168.0.2 know to route traffic destined for 10.226.219.0/24 over to the PIX?
What is the result of "show cry is sa"?
If you see nothing, look at the result of "show access-list"; if you get zero hit counts on your Chicago VPN access-lists, then you have a routing issue.
If you see QM_IDLE you should be golden
If you see MM_NO_STATE you may have a policy mismatch. Make sure PFS is not enabled on the Linksys.
If you see MM_KEYEXCHANGE try the command again in a few seconds.

Any particular reason you are using DES and Group 1 vs 3DES and group 2 ?
BRNIIT (Author) commented:
lrmoore-
The 10.1.0.0 subnet is good enough for now, just to make sure it's working.  The router 192.168.0.2 has the pix as its default gateway.  Is that good enough for it to properly route the traffic destined for 10.226.219.0 back to the pix, or do I need to explicitly specify a route?

When I do a sh cry is sa I get QM_IDLE, and the hitcounts are going up for the chicago access-lists.

I was just using DES and Group 1 as opposed to 3DES and Group 2 for performance - is there a big difference?  Do you think that would be preventing the traffic for any reason?

Thanks for your help.
lrmoore commented:
Hmmmm....looks like everything "should" be working.
Default pointing to PIX should be all you need.
Do you get "connected" indicator on the Linksys side?
Is the Linksys LAN IP the default gateway for everything on that end?
Look at "show cry ip sa" and look for encrypt/decrypt counters and error counters.
Increasing counters on encrypt/decrypt mean traffic is indeed flowing between the two networks.

There should not be a performance hit with either DES or 3DES. If you have the 3DES license you might want to consider using it later, but just get them working now.

DOH! I missed this little tidbit earlier:
>route inside 10.0.0.0 255.0.0.0 192.168.0.2 1
Since the remote side 10.226.219.0 falls within this mask, you've got a routing loop pointing back to the other router.
Try:
 no route inside 10.0.0.0 255.0.0.0 192.168.0.2 1
 route inside 10.1.0.0 255.255.0.0 192.168.0.2

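The diagnosis above comes down to two checks a practitioner can make mechanically against a PIX 6.3 config: does any static route send the remote VPN subnet out an interface other than the one carrying the crypto map, and does every crypto-ACL entry have a matching nat 0 entry. The following Python script is an added example written for this page, not code from the thread or from Cisco; it models the routes and access-lists quoted in the question as plain data and applies longest-prefix matching the way a router would. The fix it applies is the one lrmoore gives (replace the /8 route with a /16). The "problem finder" logic is this example's own, not a PIX feature.

```python
import ipaddress

# Constructed from the PIX config posted in the question:
# static routes as (interface, destination network, next hop).
ROUTES = [
    ("outside", "0.0.0.0/0", "216.12.8.6"),
    ("inside", "10.0.0.0/8", "192.168.0.2"),
    ("inside", "192.168.1.0/24", "192.168.0.2"),
]
# Crypto-map "interesting traffic" ACL and the nat 0 exemption ACL,
# each as (local network, remote network).
CRYPTO_ACL = [("10.1.0.0/16", "10.226.219.0/24")]
NONAT_ACL = [("10.1.0.0/16", "10.226.219.0/24")]
CRYPTO_MAP_INTERFACE = "outside"   # from "crypto map newmap interface outside"


def parse_routes(routes):
    return [(ifc, ipaddress.ip_network(net), ipaddress.ip_address(nh))
            for ifc, net, nh in routes]


def lookup(route_table, dst):
    """Longest-prefix match for one destination address, as a router does it."""
    dst = ipaddress.ip_address(dst)
    best = None
    for ifc, net, nh in route_table:
        if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (ifc, net, nh)
    return best


def vpn_route_problems(route_table, crypto_acl, crypto_ifc=CRYPTO_MAP_INTERFACE):
    """Return crypto-ACL remote networks that a static route would send out an
    interface other than the one carrying the crypto map. A crypto map only
    encrypts packets leaving through its own interface, so such traffic never
    enters the tunnel even though phase 1 shows QM_IDLE."""
    problems = []
    for _local, remote in crypto_acl:
        remote_net = ipaddress.ip_network(remote)
        # Probe the first and last address; a covering route catches both.
        for probe in (remote_net[0], remote_net[-1]):
            hit = lookup(route_table, probe)
            if hit and hit[0] != crypto_ifc:
                problems.append((str(remote_net), hit[0], str(hit[1]), str(hit[2])))
                break
    return problems


def acl_mismatch(crypto_acl, nonat_acl):
    """Crypto-ACL entries with no identical nat 0 entry. PIX applies NAT before
    the crypto map, so unexempted traffic is translated to the outside address
    and no longer matches the interesting-traffic ACL."""
    return sorted(set(crypto_acl) - set(nonat_acl))


def apply_fix(route_table):
    """The change lrmoore suggests: drop the /8 route and add a /16 that covers
    only the local 10.1.0.0 network behind 192.168.0.2."""
    fixed = [r for r in route_table if str(r[1]) != "10.0.0.0/8"]
    fixed.append(("inside", ipaddress.ip_network("10.1.0.0/16"),
                  ipaddress.ip_address("192.168.0.2")))
    return fixed


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    print("before fix:", vpn_route_problems(table, CRYPTO_ACL))
    print("after fix: ", vpn_route_problems(apply_fix(table), CRYPTO_ACL))
    print("crypto/nat0 mismatch:", acl_mismatch(CRYPTO_ACL, NONAT_ACL))
```

Run as-is, the script reports the /8 route as the reason 10.226.219.0/24 is routed out "inside" instead of "outside", and reports nothing after the /16 replacement; the nat 0 check passes because the two access-lists in the config are identical. Swapping in your own routes and ACLs turns it into a quick sanity check before chasing IKE policy mismatches.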
BRNIIT (Author) commented:
I'm embarrassed that I missed that.  Many thanks to the great lrmoore.  It's working fine now.