
Urgent- Pix506e to Watchguard Firebox site-to-site VPN tunnel

jplagens asked
Last Modified: 2013-11-16
If anyone can help with this VPN tunnel, I would be very appreciative.  I have been staring at it for hours and nothing will work for me.  I am trying to accomplish two things: create a site-to-site VPN between a Pix 506e and a WatchGuard Firebox, and set up a Cisco VPN client to connect to the Pix 506e.

With the site-to-site VPN sometimes I get MM_KEY_EXCH and sometimes I get QM_IDLE.  I have verified that the IP addresses and pre-shared keys are the same with the MM_KEY_EXCH error.  When I get QM_IDLE (which means it's up) I can't ping anything behind the watchguard.  

With the VPN client, it will connect but I can't ping or browse anything.  Basically I need to access the server at via the VPN and VPN client.  The public IP addresses that are in use for the server at are from a second non-contiguous block of IPs.  The outside interface on the Pix is on the other block of Public IPs.

Watchguard settings:

Watchguard LAN: /24

VPN settings:

Phase 1 settings:

Mode: Main mode
Local ID: 72.x.x.6
Remote ID: (which is the outside IP of the Pix in the first block of public IPs)
Authentication Algorithm: MD5-HMAC
Encryption Algorithm: DES-CBC
Negotiation expires in 0 kilobytes
Negotiation expires in 24 hours
Diffie-Hellman Group 1
"check" on Send IKE Keep Alive Messages

Phase 2 settings:

Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: 3DES-CBC
"not checked" Enable Perfect Forward Secrecy

Local Network:
Remote Network:

Current Pix 506e config:

PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ---- encrypted
passwd ----- encrypted
hostname pix506
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_out permit icmp any any echo
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq https
access-list acl_out permit tcp any host eq 6060
access-list acl_out permit tcp any host eq 3389
access-list acl_out permit tcp any host eq 32004
access-list acl_out permit tcp any host eq www
access-list acl_out permit tcp any host eq 3389
access-list acl_out permit tcp any host eq smtp
access-list acl_out permit tcp any host eq pop3
access-list nonat permit ip
access-list 101 permit ip
access-list 101 permit ip host 72.x.x.6
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0 0
static (inside,outside) tcp www www netmask 0 0
static (inside,outside) tcp https https netmask 0 0
static (inside,outside) tcp 6060 6060 netmask 0 0
static (inside,outside) tcp 3389 3389 netmask 0 0
static (inside,outside) tcp 32004 32004 netmask 0 0
static (inside,outside) tcp www www netmask 0 0
static (inside,outside) tcp 3389 3389 netmask 0 0
static (inside,outside) tcp smtp smtp netmask 0 0
static (inside,outside) tcp pop3 pop3 netmask 0 0
access-group acl_out in interface outside
route outside 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto ipsec transform-set pixtowatchguard esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set vpnclient
crypto map vpnmap 1 ipsec-isakmp
crypto map vpnmap 1 match address 101
crypto map vpnmap 1 set peer 72.x.x.6
crypto map vpnmap 1 set transform-set pixtowatchguard
crypto map vpnmap 30 ipsec-isakmp dynamic dynmap
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ***** address 72.x.x.6 netmask
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup VPN address-pool vpnpool
vpngroup VPN dns-server
vpngroup VPN wins-server
vpngroup VPN split-tunnel nonat
vpngroup VPN idle-time 86400
vpngroup VPN password -----
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

Cisco 1841 config file:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 1841Router
enable password 7 -------
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
no ip domain lookup
no ftp-server write-enable
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address
 ip access-group VLAN2-IN in
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
ip classless
ip route
ip http server
ip access-list extended VLAN2-IN
 permit ip host host
 deny   ip
 permit ip any
line con 0
 password 7 -----------------
 logging synchronous
line aux 0
line vty 0 4
 password 7 ----------------
 logging synchronous

Top Expert 2006


With your suggestions we are making some progress!  The site-to-site appears to be up and holding.  I can ping the remote gateway now at  

I changed the Phase 2 settings on the Watchguard to reflect the Pix and that helped.  Then on the Pix I used the debug crypto isakmp command.  I used the output and searched the Cisco site for help.  I was trying so many different things that I actually don't know what I did that made it finally connect.  I do know that one of the errors dealt with the Pix trying to send the key using the FQDN.  I issued the command isakmp identity address and that's when it seemed to connect.

I can ping the remote gateway at  It will be Monday before I can get into their office to try to access the server at from their LAN.  Do you think I will have to add something to the Pix or the router's ACL to allow their LAN at access to the server?  Or does it look like I'll be able to ping from their LAN?

Maybe add route inside on the Pix?

I put the vpnpool the same as the subnet on the router hoping that would allow the VPN client to work since they were on the same subnet of  I completely removed the ACL on Fa0/0.2 to see if that was the problem.  I also added isakmp nat-traversal to the Pix to see if that would get it.  So far nothing has worked.

Top Expert 2006

You shouldn't have to add anything more to the PIX as long as your default route is out through the PIX.

isakmp identity hostname would be the command that sends the hostname of the PIX instead of the IP.

isakmp identity address sends the IP of the PIX.

Les Moore, Systems Architect
Top Expert 2008

I think you need to add this:
 >isakmp identity address

I suggest you also set both the authentication and encryption to be the same:

Authentication Algorithm: MD5-HMAC  <== make this SHA
Encryption Algorithm: DES-CBC           <== make this 3DES
  Phase 2 settings:
Authentication Algorithm: SHA1-HMAC
Encryption Algorithm: 3DES-CBC

Then you would have to change the pix to match:
 crypto ipsec transform-set pixtowatchguard esp-3des esp-sha-hmac
Then re-apply the crypto map to the interface after any changes.


Sorry for the delay...

I tested the site-to-site VPN and it is working.  I actually ended up changing the Watchguard settings to match as suggested then verified that those settings were exactly the same in the pix.  

The issue now is that I cannot get the VPN client to work.  It will connect with no problem.  Once it connects I can't ping or access anything across the VPN.  I have tried completely removing the ACL on the router but that didn't solve it.  Do you see anything that would maybe be stopping the VPN client from working?

thank you.
Les Moore, Systems Architect
Top Expert 2008

Add this line to the PIX:
  isakmp nat-traversal 20

Top Expert 2006

Since you swapped the IPsec pool, ensure that the route to reach the VPN client pool travels back via the PIX.

I.e. point any routes on the LAN to the PIX.



I added the isakmp nat-traversal 20 command.  Then I took out the current vpn pool.  I created a new pool using a subnet, added that to the nonat ACL, and checked my routes.

I am able to connect and access the server now.

I really appreciate all of the help in getting this figured out.  Thank you!
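The fixes that got this tunnel up boil down to three checks: the PIX Phase 1 policy and Phase 2 transform set must agree with the WatchGuard proposal (Les Moore's advice above), the ISAKMP identity must be the address the peer keys on, and the client pool must sit outside the inside LAN and be exempted from NAT (the pool/nonat/route advice at the end). The script below is an added example, not code from this thread, Cisco or WatchGuard. It parses a PIX 6.3-style config fragment and reports each of those problems. The config text, the WG_PHASE1/WG_PHASE2 proposal values and every address in it (RFC 5737 / RFC 1918 documentation ranges) are constructed to mirror the state the question started from; none of the poster's scrubbed addresses are reconstructed.

```python
"""Added example: sanity-check a PIX 6.3-style IKE/IPsec config against a peer
proposal and the VPN client pool against the inside LAN. Config and addresses
below are constructed (documentation ranges), not the original poster's."""
import ipaddress

# Constructed fragment in the state the thread started from: DES/MD5 Phase 2
# against a 3DES/SHA peer, hostname identity, pool carved out of the inside LAN.
PIX_CONFIG = """\
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.1.1 255.255.255.0
ip local pool vpnpool 192.168.1.200-192.168.1.220
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set pixtowatchguard esp-des esp-md5-hmac
crypto map vpnmap 1 set peer 198.51.100.6
crypto map vpnmap 1 set transform-set pixtowatchguard
isakmp identity hostname
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash sha
isakmp policy 2 group 2
"""

# Peer proposal as listed for the WatchGuard in the question (constructed values).
WG_PHASE1 = {"encryption": "des", "hash": "md5", "group": "1"}
WG_PHASE2 = ("esp-3des", "esp-sha-hmac")
WEAK = {"des", "md5", "1", "esp-des", "esp-md5-hmac"}  # weak by today's standards


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Pull out only the statements the checks below need."""
    cfg = {"policies": {}, "tsets": {}, "map_ts": {}, "nonat": [], "identity": "address"}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["isakmp", "policy"] and t[3] in ("encryption", "hash", "group"):
            cfg["policies"].setdefault(int(t[2]), {})[t[3]] = t[4]
        elif t[:2] == ["isakmp", "identity"]:
            cfg["identity"] = t[2]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = (t[4], t[5])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "transform-set"]:
            cfg["map_ts"][(t[2], int(t[3]))] = t[6]
        elif t[:3] == ["ip", "address", "inside"]:
            cfg["inside"] = _net(t[3], t[4])
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pool"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:4] == ["access-list", "nonat", "permit", "ip"]:
            cfg["nonat"].append((_net(t[4], t[5]), _net(t[6], t[7])))
    return cfg


def phase1_matches(cfg, peer):
    """Policy numbers whose encryption, hash and DH group equal the peer's Phase 1
    proposal. Lifetimes are not compared: Cisco accepts a shorter peer lifetime."""
    return sorted(n for n, p in cfg["policies"].items()
                  if all(p.get(k) == peer[k] for k in ("encryption", "hash", "group")))


def phase2_mismatches(cfg, map_name, seq, peer_enc, peer_auth):
    """Differences between the transform set on one crypto map entry and the peer."""
    name = cfg["map_ts"].get((map_name, seq))
    if name not in cfg["tsets"]:
        return [f"crypto map {map_name} {seq} has no usable transform set"]
    enc, auth = cfg["tsets"][name]
    out = []
    if enc != peer_enc:
        out.append(f"phase 2 encryption: PIX {enc} vs peer {peer_enc}")
    if auth != peer_auth:
        out.append(f"phase 2 authentication: PIX {auth} vs peer {peer_auth}")
    return out


def identity_findings(cfg, peer_expects="address"):
    """The peer's Remote ID is our IP, so 'isakmp identity hostname' will not match it."""
    if cfg["identity"] != peer_expects:
        return [f"isakmp identity is {cfg['identity']}; set 'isakmp identity {peer_expects}'"]
    return []


def pool_findings(cfg):
    """Client-pool problems: carved out of the inside LAN, or not exempted from NAT."""
    lo, hi = cfg["pool"]
    out = []
    if lo in cfg["inside"] or hi in cfg["inside"]:
        out.append(f"vpnpool {lo}-{hi} overlaps inside LAN {cfg['inside']}; use a separate subnet")
    if not any(lo in dst and hi in dst for _, dst in cfg["nonat"]):
        out.append("vpnpool is not a destination in the nonat ACL; inside->client traffic will be NATed")
    return out


def weak_findings(cfg):
    """DES, MD5 and DH group 1 still negotiate on this kit but offer no real protection today."""
    out = []
    for n, p in sorted(cfg["policies"].items()):
        if WEAK & set(p.values()):
            out.append(f"isakmp policy {n} uses {sorted(WEAK & set(p.values()))}")
    for name, algs in cfg["tsets"].items():
        if WEAK & set(algs):
            out.append(f"transform-set {name} uses {sorted(WEAK & set(algs))}")
    return out


def run_checks(text=PIX_CONFIG):
    cfg = parse_pix(text)
    findings = [] if phase1_matches(cfg, WG_PHASE1) else ["no isakmp policy matches the peer's Phase 1 proposal"]
    findings += phase2_mismatches(cfg, "vpnmap", 1, *WG_PHASE2)
    findings += identity_findings(cfg)
    findings += pool_findings(cfg)
    findings += weak_findings(cfg)
    return findings


if __name__ == "__main__":
    for f in run_checks():
        print("-", f)
```

Run as-is it lists seven findings for the constructed starting state; swap the transform set to esp-3des esp-sha-hmac and the identity to address (the two changes the thread made) and the Phase 2 and identity findings disappear, leaving only the pool and weak-algorithm warnings. The weak-algorithm check is there because DES, MD5 and DH group 1 still negotiate fine on a PIX 6.3 and a Firebox of that era, so a working tunnel is not evidence of a strong one.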
