Adding a 5th Site to Site VPN Netopia to PIX

I need some assistance in adding another site-to-site VPN (4 already exist) using a Netopia 910 to a PIX 506e. I fumbled through some preliminaries, but the PIX complains (using the GUI) when trying to finalize things.

"ERR - crypto map -dyn-map20 set peer nnn.nnn.nnn.nnn
WARNING: this crypto map is incomplete - to remedy the situation add a peer and a valid access-list to this crypto map."

This seems to be a known issue, but, being unfamiliar with the Cisco CLI, I am hesitant to make any changes, especially since there are these dire warnings, in most things I have found, about how *all* traffic will cease, blah, blah.

joe a.

Asked by joea99
Rick Hobbs (RETIRED) commented:
Make sure you are running the most current firmware for the Netopia and refer to:
http://www.netopia.com/support/hardware/appnotes/0000000-00-01.pdf


Good luck
Rick
avalenzuela commented:
Are you using fixed or public IPs?
joea99 (Author) commented:
Each site has a public IP. Each site has a distinct private class C subnet (192.168.n.x) (n = a number unique to each location).

I will check the f/w and that link.
joea99 (Author) commented:
BTW, the problem appears to be at the Cisco end.
avalenzuela commented:
Sorry, my last question was not formulated well.
Are you using fixed or dynamic IPs? On which ends?
What equipment is initiating the connection? The Cisco or the Netopia?

This error appears when the Cisco is initiating the connection and is missing the remote IP address and the IP ranges that should go through the VPN.

This is what I use to start a VPN from a Cisco PIX...
crypto map newmap <cryptomapID> ipsec-isakmp
crypto map newmap <cryptomapID> match address <Address list of IPs on remote end>
crypto map newmap <cryptomapID> set peer <Remote IP>
crypto map newmap <cryptomapID> set transform-set myset

It seems like you are missing lines 2 and 3.

If the PIX is receiving the connection, the config is a little different.
joea99 (Author) commented:
Each side has a "public" static IP. Each side also has, locally, private IPs for the local network(s), which are NAT'd.

I am afraid I don't know what you mean by who initiates the connection.  
Rick Hobbs (RETIRED) commented:
A VPN isn't just "there". The actual VPN must be initiated by a client. Either the Netopia contacts the 7206 or the 7206 contacts the Netopia. In many cases, the connection is initiated by the main office router. This gives you more control if there is a problem. Unless you want to post your running config with IP addresses and passwords commented out, I am guessing the 7206 initiates. In which case, the config lines offered by avalenzuela are 100% correct.
joea99 (Author) commented:
Clearly, I am not explaining myself properly, or I am not grasping what you guys are telling me. I should have explained at the beginning that I did not set up the existing VPNs and am not familiar with PIX or Netopia. Hence, you guys may be granting too much credit/foreknowledge to me.

I realize a VPN does not appear fully formed.  Certainly, each side must "negotiate" with the other, to form the connection.  

Yet, in my use of the GUI at the PIX end, and "text menu" configuration tool at the Netopia end, I did not see anything that suggested that one side or the other was the "initiator".   Maybe that is implicit in some setting, but I don't know of it.

In any event, the "error" I originally posted occurs when trying to "save" the new PIX config, for the 5th VPN. Not, apparently, when trying to "initiate" the VPN.  That's what I gather, anyway, from what the PIX GUI shows.   I can understand that error, at that point, (I think) if the remote IP is not identified.

But, my preliminary research indicated this was a known issue with PIX and could be solved in various ways.  But with dire consequences if not done correctly, such as stopping *all* PIX traffic. Hence, I seek guidance.

Since I have no idea, at present, how to determine which end is "initiating" the connection, I am at a stand still.

But anticipating a breakthrough -

"crypto map newmap <cryptomapID> match address <Address list of IPs on remote end>"

The "newmap" command is where one sets "cryptomapID" ?

"<Address list . . . >" is where one sets the IP ?  In my case, it is a "list" of one, the single public IP?

"crypto map newmap <cryptomapID> set peer <Remote IP>"

This one is a no brainer.  Easy for me, one might say.

"crypto map newmap <cryptomapID> set transform-set myset"

Where is "myset" defined?  And what parameters go into it?

Thanks all, for your understanding.
joea99 (Author) commented:
After reviewing avalenzuela's comments, I think he's telling me all I need to know. But additional enlightenment is welcome.
Rick Hobbs (RETIRED) commented:
Yes.
newmap = newcryptomapid
Yes.
It is a list of one.
myset = the word "myset"; it is not a value and it is not previously defined.
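As an added example (not from the thread, and not Cisco's or Netopia's own tooling), here is a small Python checker that applies the completeness rule behind the PIX warning quoted in the question and discussed in avalenzuela's command list and Rick's answers above: a crypto map entry is complete when it has a `set peer`, a `match address` naming an existing access-list, and a `set transform-set` naming a transform set defined with `crypto ipsec transform-set` (that definition line is the PIX 6.x syntax, stated here as an assumption about the reader's config). Running it over a saved config before committing a change shows which entry would trigger the "crypto map is incomplete" warning and why. The config fragment, the map name `newmap`, the access-list names and the peer addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed PIX 6.x-style config fragment (not from the thread). Entries 10 and 20
# are complete; entry 50 is a "5th site" saved with only a peer, which is the state
# the PIX warns about; entry 60 references names that are never defined.
SAMPLE_CONFIG = """
access-list vpn10 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list vpn20 permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address vpn10
crypto map newmap 10 set peer 203.0.113.10
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address vpn20
crypto map newmap 20 set peer 203.0.113.20
crypto map newmap 20 set transform-set myset
crypto map newmap 50 ipsec-isakmp
crypto map newmap 50 set peer 203.0.113.50
crypto map newmap 60 ipsec-isakmp
crypto map newmap 60 match address vpn60
crypto map newmap 60 set peer 203.0.113.60
crypto map newmap 60 set transform-set otherset
crypto map newmap interface outside
"""

# Matches "crypto map <name> <seq> <rest>"; the "interface" binding line has no
# numeric sequence and is deliberately ignored.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_config(text):
    """Collect access-list names, transform-set names and per-entry crypto map settings."""
    acls = set()
    transform_sets = set()
    entries = defaultdict(dict)  # (map_name, seq) -> {"peer", "acl", "transform", "type"}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "access-list" and len(parts) > 1:
            acls.add(parts[1])
        elif line.startswith("crypto ipsec transform-set ") and len(parts) > 3:
            transform_sets.add(parts[3])
        else:
            m = ENTRY_RE.match(line)
            if not m:
                continue
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
            entry = entries[(name, seq)]
            if len(rest) >= 3 and rest[0] == "match" and rest[1] == "address":
                entry["acl"] = rest[2]
            elif len(rest) >= 3 and rest[:2] == ["set", "peer"]:
                entry["peer"] = rest[2]
            elif len(rest) >= 3 and rest[:2] == ["set", "transform-set"]:
                entry["transform"] = rest[2]
            elif rest[0] in ("ipsec-isakmp", "ipsec-manual"):
                entry["type"] = rest[0]
    return acls, transform_sets, dict(entries)


def check_crypto_maps(text):
    """Return {"<map> <seq>": [issues]} for every crypto map entry that is incomplete."""
    acls, tsets, entries = parse_config(text)
    problems = {}
    for (name, seq), e in sorted(entries.items()):
        issues = []
        if "peer" not in e:
            issues.append("no peer")
        if "acl" not in e:
            issues.append("no match address")
        elif e["acl"] not in acls:
            issues.append(f"access-list {e['acl']} not defined")
        if "transform" not in e:
            issues.append("no transform-set")
        elif e["transform"] not in tsets:
            issues.append(f"transform-set {e['transform']} not defined")
        if issues:
            problems[f"{name} {seq}"] = issues
    return problems


if __name__ == "__main__":
    for entry, issues in check_crypto_maps(SAMPLE_CONFIG).items():
        print(f"crypto map {entry} is incomplete: {', '.join(issues)}")
```

Only the entries with a numeric sequence number are inspected, so the `crypto map newmap interface outside` binding line is skipped; the check is keyed on map name plus sequence, which is exactly the unit the PIX warning refers to.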