Solved

Adding a 5th Site to Site VPN Netopia to PIX

Posted on 2007-07-31
Last Modified: 2009-01-11
I need some assistance in adding another site-to-site VPN (4 already exist) using a Netopia 910 to a PIX 506e.  I fumbled through some preliminaries, but the PIX complains (using the GUI) when trying to finalize things.

"ERR - crypto map -dyn-map20 set peer nnn.nnn.nnn.nnn
WARNING: this crypto map is incomplete - to remedy the situation add a peer and a valid access-list to this crypto map."

This seems to be a known issue, but, being unfamiliar with the Cisco CLI, I am hesitant to make any changes, especially since there are these dire warnings, in most things I have found, about how *all* traffic will cease, blah, blah.

joe a.
Question by:joea99
10 Comments
LVL 22

Expert Comment

by:Rick Hobbs
ID: 19609961
Make sure you are running the most current firmware for the Netopia and refer to:
http://www.netopia.com/support/hardware/appnotes/0000000-00-01.pdf


Good luck
Rick
LVL 3

Expert Comment

by:avalenzuela
ID: 19613894
Are you using fixed or public IPs?

Author Comment

by:joea99
ID: 19616064
Each site has a public IP.  Each site has a distinct private class C subnet (192.168.n.x) (n = a number unique to each location).

I will check the f/w and that link.
Author Comment

by:joea99
ID: 19616075
BTW, the problem is (or appears to be) at the Cisco end.
LVL 3

Accepted Solution

by:
avalenzuela earned 2000 total points
ID: 19622190
Sorry, my last question was not formulated well.
Are you using fixed or dynamic IPs?  On which ends?
What equipment is initiating the connection?  The Cisco or the Netopia?

This error appears when the Cisco is initiating the connection and is missing the remote IP address and the IP ranges that should go through the VPN.

This is what I use to start a vpn from a cisco pix...
crypto map newmap <cryptomapID> ipsec-isakmp
crypto map newmap <cryptomapID> match address <Address list of IPs on remote end>
crypto map newmap <cryptomapID> set peer <Remote IP>
crypto map newmap <cryptomapID> set transform-set myset

Seems like you are missing lines 2 and 3.

If the PIX is receiving the connection, the config is a little different.
Author Comment

by:joea99
ID: 19630566
Each side has a "public" static IP.  Each side also has, locally, private IPs for the local network(s), which are NAT'd.

I am afraid I don't know what you mean by who initiates the connection.  
LVL 22

Expert Comment

by:Rick Hobbs
ID: 19633464
A VPN isn't just "there".  The actual VPN must be initiated by a client.  Either the Netopia contacts the 7206 or the 7206 contacts the Netopia.  In many cases, the connection is initiated by the main office router.  This gives you more control if there is a problem.   Unless you want to post your running config with IP addresses and passwords commented out, I am guessing the 7206 initiates.  In which case, the config lines offered by avalenzuela are 100% correct.
Author Comment

by:joea99
ID: 19633863
Clearly, I am not explaining myself properly, or I am not grasping what you guys are telling me.   I should have explained at the beginning that I did not set up the existing VPNs and am not familiar with PIX or Netopia.  Hence, you guys may be granting too much credit/foreknowledge to me.

I realize a VPN does not appear fully formed.  Certainly, each side must "negotiate" with the other, to form the connection.  

Yet, in my use of the GUI at the PIX end, and "text menu" configuration tool at the Netopia end, I did not see anything that suggested that one side or the other was the "initiator".   Maybe that is implicit in some setting, but I don't know of it.

In any event, the "error" I originally posted occurs when trying to "save" the new PIX config, for the 5th VPN. Not, apparently, when trying to "initiate" the VPN.  That's what I gather, anyway, from what the PIX GUI shows.   I can understand that error, at that point, (I think) if the remote IP is not identified.

But, my preliminary research indicated this was a known issue with PIX and could be solved in various ways.  But with dire consequences if not done correctly, such as stopping *all* PIX traffic. Hence, I seek guidance.

Since I have no idea, at present, how to determine which end is "initiating" the connection, I am at a stand still.

But anticipating a breakthrough:

"crypto map newmap <cryptomapID> match address <Address list of IPs on remote end>"

The "newmap" command is where one sets "cryptomapID" ?

"<Address list . . . >" is where one sets the IP ?  In my case, it is a "list" of one, the single public IP?

"crypto map newmap <cryptomapID> set peer <Remote IP>"

This one is a no brainer.  Easy for me, one might say.

"crypto map newmap <cryptomapID> set transform-set myset"

Where is "myset" defined?  And what parameters go into it?

Thanks all, for your understanding.
Author Comment

by:joea99
ID: 19635067
After reviewing avalenzuela's comments, I think he's telling me all I need to know.  But additional enlightenment is welcome.
LVL 22

Expert Comment

by:Rick Hobbs
ID: 19635103
Yes.
newmap = new crypto map ID.
Yes.
It is a list of one.
myset = the word "myset"; it is not a value and it is not previously defined.
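For readers following the `crypto map` lines in the accepted solution and the follow-up questions about `<cryptomapID>`, the address list and `myset`, here is an added example of what a complete fifth tunnel entry looks like on a PIX 6.x; it is not from the thread or from either vendor. The warning in the question mentions a dynamic map (`dyn-map20`); since both ends have static public IPs, a static map entry with an explicit peer and access-list is what is shown. Everything here is an assumption: map name `newmap`, sequence `50`, list names `vpn5` and `nonat`, the 192.168.1.0/24 local and 192.168.5.0/24 remote subnets, and the placeholder peer address 198.51.100.5.

```cisco
! Added illustration, not from the thread. All names, sequence numbers and
! addresses are assumptions; 198.51.100.5 is a placeholder for the remote
! site's public IP, 192.168.1.0/24 the local LAN, 192.168.5.0/24 the remote LAN.
!
! 1. Interesting traffic: the "match address" list says which packets enter
!    the tunnel (a list of one line for a single remote subnet)
access-list vpn5 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
!
! 2. Exempt tunnelled traffic from NAT, otherwise the remote side sees the
!    public address instead of 192.168.1.x (assumes a "nonat" list is used)
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 3. The transform set the map refers to must be declared with this command
!    before "set transform-set myset" is accepted
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! 4. Phase 1 (ISAKMP) policy and a pre-shared key scoped to this one peer
!    (netmask /32, so the key is not shared with every remote address)
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.5 netmask 255.255.255.255
!
! 5. The static map entry: an unused sequence number, plus the peer,
!    access-list and transform set the warning says are missing
crypto map newmap 50 ipsec-isakmp
crypto map newmap 50 match address vpn5
crypto map newmap 50 set peer 198.51.100.5
crypto map newmap 50 set transform-set myset
!
! 6. Only one crypto map can be bound to an interface. The four existing
!    tunnels must already be entries of this same map; binding a map with a
!    different name here replaces the old binding and drops those tunnels.
crypto map newmap interface outside
sysopt connection permit-ipsec
```

Before saving, check `show crypto map` to confirm the existing tunnels live in the same map name and that sequence 50 is free; the safe change is a new entry added to the map already bound to the outside interface, not a new map.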
