Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

site-site : [ERR]crypto map outside_map

Posted on 2008-10-10
4
Medium Priority
?
817 Views
Last Modified: 2012-05-05
G'day peoples,

I am trying to setup a PIX 515e for only the second time, I am quite new to this. I connect to the PIX through the PDM version 3. I am having issues creating a site-site vpn link. I used the VPN wizard answered all the questions and then got the following message. We have about 5 other site-site vpns that work, I just can't see what i am doing wrong on this one. Thank you for you time and feel free to ask for more info.


[OK] no isakmp key *** address 80.219.xxx.xxx
[OK] isakmp key mykey address 80.219.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
[OK] access-list inside_nat0_outbound line 8 permit ip 192.168.1.0 255.255.255.0  192.168.10.0 255.255.255.0
[OK] nat (inside) 0 access-list inside_nat0_outbound
[OK] access-list outside_cryptomap_220 permit ip 192.168.1.0 255.255.255.0  192.168.10.0 255.255.255.0
[ERR]crypto map outside_map 220 set peer 80.219.xxx.xxx
      WARNING: This crypto map is incomplete.
      To remedy the situation add a peer and a valid access-list to this crypto map.
[OK] crypto map outside_map 220 match address outside_cryptomap_220
[OK] crypto map outside_map 220 set transform-set ESP-3DES-MD5
[OK] crypto map outside_map 220 set security-association lifetime seconds 28800 kilobytes 4608000
[OK] crypto map outside_map interface outside
[OK] sysopt connection permit-ipsec
0
Comment
Question by:Carpe--Diem
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 1500 total points
ID: 22690232
That is a normal message that you get when you first put in a crypto map statement.  It is just basically warning you that you have to put in additional commands after it to make the tunnel come functional.  The very next command that is entered after the error message is the one that it is looking for (the "match address" crypto map statement), so it should be OK after that.

You should be able to go to the File menu and choose "Show Running Configuration in New Window" to get the CLI configuration output.  Look for the commands you posted above and make sure they are all there.  Post the running config statements that start with "isakmp" and "crypto" and let's have a look.

Also, have you tried pinging hosts on the remote side of the tunnel?  This should bring the tunnel up if it is not up already.  If so, what is the output of the "show crypto isakmp sa" and "show crypto ipsec sa" commands?
0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22690347
on your 515 can you pull the version information and see what the licensing is for that device?

It may be that if you have 5 tunnels already configured on that device that you are only licensed for 5 tunnels and can't create anymore

Otherwise, for some reason it is not taking the peer address you are putting in the wizard and it's not creating an access list for that peer.
0
 
LVL 1

Author Comment

by:Carpe--Diem
ID: 22690579
thank you, i am now happy thats it set up correctly. I will no for sure next week as i have to create another connection. I have pinged external ip but no response, going to call network admin next week to confirm he has given me correct details.

This is where it gets a bit more complicated. normally site-site links connect to a router on a standard phone line. This site is in a managed office block. So i was given a external ip address which forwards to an internal building ip address, which is static address of my router, which in return creates a local network for my staff.

web - 80.219.xxx.xxx - 123.123.123.123 - 192.168.10.0

what ports needs to be open to ensure traffic get through. I can connect back to HQ using a software VPN from my laptop (192.168.10.0)  so would that mean ports are open ?

0
 
LVL 1

Author Comment

by:Carpe--Diem
ID: 22690646
hold on..

Licensed Features
Encryption 3DES-AES
Failover: Disabled
Max Physical Interfaces: 3
Inside hosts: unlimited
IKE Peers: unlimted
max interfaces: 5

VPN Status
IKE tunnesl 9
IPSec Tunnels: 3

whats does all not mean? we have software VPN connections and site-ste connections
how to i check if its created an "access list for peer"
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question