Solved

site-site : [ERR]crypto map outside_map

Posted on 2008-10-10
Last Modified: 2012-05-05
G'day peoples,

I am trying to set up a PIX 515e for only the second time; I am quite new to this. I connect to the PIX through the PDM version 3. I am having issues creating a site-site VPN link. I used the VPN wizard, answered all the questions and then got the following message. We have about 5 other site-site VPNs that work; I just can't see what I am doing wrong on this one. Thank you for your time and feel free to ask for more info.


[OK] no isakmp key *** address 80.219.xxx.xxx
[OK] isakmp key mykey address 80.219.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
[OK] access-list inside_nat0_outbound line 8 permit ip 192.168.1.0 255.255.255.0  192.168.10.0 255.255.255.0
[OK] nat (inside) 0 access-list inside_nat0_outbound
[OK] access-list outside_cryptomap_220 permit ip 192.168.1.0 255.255.255.0  192.168.10.0 255.255.255.0
[ERR]crypto map outside_map 220 set peer 80.219.xxx.xxx
      WARNING: This crypto map is incomplete.
      To remedy the situation add a peer and a valid access-list to this crypto map.
[OK] crypto map outside_map 220 match address outside_cryptomap_220
[OK] crypto map outside_map 220 set transform-set ESP-3DES-MD5
[OK] crypto map outside_map 220 set security-association lifetime seconds 28800 kilobytes 4608000
[OK] crypto map outside_map interface outside
[OK] sysopt connection permit-ipsec
0
Question by:Carpe--Diem
Accepted Solution

by:
batry_boy earned 500 total points
ID: 22690232
That is a normal message that you get when you first put in a crypto map statement.  It is just basically warning you that you have to put in additional commands after it to make the tunnel become functional.  The very next command that is entered after the error message is the one that it is looking for (the "match address" crypto map statement), so it should be OK after that.

You should be able to go to the File menu and choose "Show Running Configuration in New Window" to get the CLI configuration output.  Look for the commands you posted above and make sure they are all there.  Post the running config statements that start with "isakmp" and "crypto" and let's have a look.

Also, have you tried pinging hosts on the remote side of the tunnel?  This should bring the tunnel up if it is not up already.  If so, what is the output of the "show crypto isakmp sa" and "show crypto ipsec sa" commands?
0
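An added example, not part of the original thread: a small Python check for the condition the warning describes, replaying the commands quoted in the question. The `audit` function and its rules (peer, match address, transform-set, a defined access-list, and a pre-shared key for the peer) are this example's own assumptions, not a Cisco tool.

```python
import re
from collections import defaultdict

# Commands from the wizard output in the question (peer address masked as on the page).
WIZARD_COMMANDS = [
    "isakmp key mykey address 80.219.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode",
    "access-list inside_nat0_outbound line 8 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "nat (inside) 0 access-list inside_nat0_outbound",
    "access-list outside_cryptomap_220 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0",
    "crypto map outside_map 220 set peer 80.219.xxx.xxx",
    "crypto map outside_map 220 match address outside_cryptomap_220",
    "crypto map outside_map 220 set transform-set ESP-3DES-MD5",
    "crypto map outside_map interface outside",
]

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (set peer|match address|set transform-set) (\S+)")
ACL = re.compile(r"^access-list (\S+) ")
ISAKMP_KEY = re.compile(r"^isakmp key \S+ address (\S+)")
REQUIRED = ("set peer", "match address", "set transform-set")

def audit(lines):
    """Return {(map_name, seq): [problems]} for each crypto map entry in lines."""
    entries, acls, keyed_peers = defaultdict(dict), set(), set()
    for line in (l.strip() for l in lines):
        if m := ENTRY.match(line):
            entries[(m[1], int(m[2]))][m[3]] = m[4]
        elif m := ACL.match(line):
            acls.add(m[1])
        elif m := ISAKMP_KEY.match(line):
            keyed_peers.add(m[1])
    report = {}
    for key, fields in entries.items():
        problems = [f"missing '{f}'" for f in REQUIRED if f not in fields]
        acl, peer = fields.get("match address"), fields.get("set peer")
        if acl and acl not in acls:
            problems.append(f"access-list {acl} is not defined")
        # Assumption: pre-shared-key authentication, as in the question's config.
        if peer and peer not in keyed_peers:
            problems.append(f"no isakmp key for peer {peer}")
        report[key] = problems
    return report

if __name__ == "__main__":
    # State right after "set peer" (when the PDM printed the warning), then the final state.
    print(audit(WIZARD_COMMANDS[:5]))
    print(audit(WIZARD_COMMANDS))
```

The same function can be run over the "isakmp" and "crypto" lines of a saved running configuration to confirm that every sequence number has all three statements.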
 
Expert Comment

by:ckozloski
ID: 22690347
On your 515, can you pull the version information and see what the licensing is for that device?

It may be that if you have 5 tunnels already configured on that device that you are only licensed for 5 tunnels and can't create any more.

Otherwise, for some reason it is not taking the peer address you are putting in the wizard and it's not creating an access list for that peer.
0
 
Author Comment

by:Carpe--Diem
ID: 22690579
Thank you, I am now happy that it's set up correctly. I will know for sure next week as I have to create another connection. I have pinged the external IP but got no response; I am going to call the network admin next week to confirm he has given me the correct details.

This is where it gets a bit more complicated. Normally site-site links connect to a router on a standard phone line. This site is in a managed office block. So I was given an external IP address which forwards to an internal building IP address, which is the static address of my router, which in turn creates a local network for my staff.

web - 80.219.xxx.xxx - 123.123.123.123 - 192.168.10.0

What ports need to be open to ensure traffic gets through? I can connect back to HQ using a software VPN from my laptop (192.168.10.0), so would that mean the ports are open?

0
 
Author Comment

by:Carpe--Diem
ID: 22690646
Hold on..

Licensed Features
Encryption: 3DES-AES
Failover: Disabled
Max Physical Interfaces: 3
Inside hosts: unlimited
IKE Peers: unlimited
Max interfaces: 5

VPN Status
IKE Tunnels: 9
IPSec Tunnels: 3

What does all that mean? We have software VPN connections and site-site connections.
How do I check if it's created an "access list for peer"?
0
