site-site : [ERR]crypto map outside_map

G'day peoples,

I am trying to setup a PIX 515e for only the second time, I am quite new to this. I connect to the PIX through the PDM version 3. I am having issues creating a site-site vpn link. I used the VPN wizard answered all the questions and then got the following message. We have about 5 other site-site vpns that work, I just can't see what i am doing wrong on this one. Thank you for you time and feel free to ask for more info.


[OK] no isakmp key *** address 80.219.xxx.xxx
[OK] isakmp key mykey address 80.219.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
[OK] access-list inside_nat0_outbound line 8 permit ip 192.168.1.0 255.255.255.0  192.168.10.0 255.255.255.0
[OK] nat (inside) 0 access-list inside_nat0_outbound
[OK] access-list outside_cryptomap_220 permit ip 192.168.1.0 255.255.255.0  192.168.10.0 255.255.255.0
[ERR]crypto map outside_map 220 set peer 80.219.xxx.xxx
      WARNING: This crypto map is incomplete.
      To remedy the situation add a peer and a valid access-list to this crypto map.
[OK] crypto map outside_map 220 match address outside_cryptomap_220
[OK] crypto map outside_map 220 set transform-set ESP-3DES-MD5
[OK] crypto map outside_map 220 set security-association lifetime seconds 28800 kilobytes 4608000
[OK] crypto map outside_map interface outside
[OK] sysopt connection permit-ipsec
LVL 1
Carpe--DiemAsked:
Who is Participating?
 
batry_boyConnect With a Mentor Commented:
That is a normal message that you get when you first put in a crypto map statement.  It is just basically warning you that you have to put in additional commands after it to make the tunnel come functional.  The very next command that is entered after the error message is the one that it is looking for (the "match address" crypto map statement), so it should be OK after that.

You should be able to go to the File menu and choose "Show Running Configuration in New Window" to get the CLI configuration output.  Look for the commands you posted above and make sure they are all there.  Post the running config statements that start with "isakmp" and "crypto" and let's have a look.

Also, have you tried pinging hosts on the remote side of the tunnel?  This should bring the tunnel up if it is not up already.  If so, what is the output of the "show crypto isakmp sa" and "show crypto ipsec sa" commands?
0
 
ckozloskiCommented:
on your 515 can you pull the version information and see what the licensing is for that device?

It may be that if you have 5 tunnels already configured on that device that you are only licensed for 5 tunnels and can't create anymore

Otherwise, for some reason it is not taking the peer address you are putting in the wizard and it's not creating an access list for that peer.
0
 
Carpe--DiemAuthor Commented:
thank you, i am now happy thats it set up correctly. I will no for sure next week as i have to create another connection. I have pinged external ip but no response, going to call network admin next week to confirm he has given me correct details.

This is where it gets a bit more complicated. normally site-site links connect to a router on a standard phone line. This site is in a managed office block. So i was given a external ip address which forwards to an internal building ip address, which is static address of my router, which in return creates a local network for my staff.

web - 80.219.xxx.xxx - 123.123.123.123 - 192.168.10.0

what ports needs to be open to ensure traffic get through. I can connect back to HQ using a software VPN from my laptop (192.168.10.0)  so would that mean ports are open ?

0
 
Carpe--DiemAuthor Commented:
hold on..

Licensed Features
Encryption 3DES-AES
Failover: Disabled
Max Physical Interfaces: 3
Inside hosts: unlimited
IKE Peers: unlimted
max interfaces: 5

VPN Status
IKE tunnesl 9
IPSec Tunnels: 3

whats does all not mean? we have software VPN connections and site-ste connections
how to i check if its created an "access list for peer"
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.