Solved

site-site : [ERR]crypto map outside_map

Posted on 2008-10-10
4
805 Views
Last Modified: 2012-05-05
G'day peoples,

I am trying to setup a PIX 515e for only the second time, I am quite new to this. I connect to the PIX through the PDM version 3. I am having issues creating a site-site vpn link. I used the VPN wizard answered all the questions and then got the following message. We have about 5 other site-site vpns that work, I just can't see what i am doing wrong on this one. Thank you for you time and feel free to ask for more info.


[OK] no isakmp key *** address 80.219.xxx.xxx
[OK] isakmp key mykey address 80.219.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
[OK] access-list inside_nat0_outbound line 8 permit ip 192.168.1.0 255.255.255.0  192.168.10.0 255.255.255.0
[OK] nat (inside) 0 access-list inside_nat0_outbound
[OK] access-list outside_cryptomap_220 permit ip 192.168.1.0 255.255.255.0  192.168.10.0 255.255.255.0
[ERR]crypto map outside_map 220 set peer 80.219.xxx.xxx
      WARNING: This crypto map is incomplete.
      To remedy the situation add a peer and a valid access-list to this crypto map.
[OK] crypto map outside_map 220 match address outside_cryptomap_220
[OK] crypto map outside_map 220 set transform-set ESP-3DES-MD5
[OK] crypto map outside_map 220 set security-association lifetime seconds 28800 kilobytes 4608000
[OK] crypto map outside_map interface outside
[OK] sysopt connection permit-ipsec
0
Comment
Question by:Carpe--Diem
  • 2
4 Comments
 
LVL 28

Accepted Solution

by:
batry_boy earned 500 total points
ID: 22690232
That is a normal message that you get when you first put in a crypto map statement.  It is just basically warning you that you have to put in additional commands after it to make the tunnel come functional.  The very next command that is entered after the error message is the one that it is looking for (the "match address" crypto map statement), so it should be OK after that.

You should be able to go to the File menu and choose "Show Running Configuration in New Window" to get the CLI configuration output.  Look for the commands you posted above and make sure they are all there.  Post the running config statements that start with "isakmp" and "crypto" and let's have a look.

Also, have you tried pinging hosts on the remote side of the tunnel?  This should bring the tunnel up if it is not up already.  If so, what is the output of the "show crypto isakmp sa" and "show crypto ipsec sa" commands?
0
 
LVL 4

Expert Comment

by:ckozloski
ID: 22690347
on your 515 can you pull the version information and see what the licensing is for that device?

It may be that if you have 5 tunnels already configured on that device that you are only licensed for 5 tunnels and can't create anymore

Otherwise, for some reason it is not taking the peer address you are putting in the wizard and it's not creating an access list for that peer.
0
 
LVL 1

Author Comment

by:Carpe--Diem
ID: 22690579
thank you, i am now happy thats it set up correctly. I will no for sure next week as i have to create another connection. I have pinged external ip but no response, going to call network admin next week to confirm he has given me correct details.

This is where it gets a bit more complicated. normally site-site links connect to a router on a standard phone line. This site is in a managed office block. So i was given a external ip address which forwards to an internal building ip address, which is static address of my router, which in return creates a local network for my staff.

web - 80.219.xxx.xxx - 123.123.123.123 - 192.168.10.0

what ports needs to be open to ensure traffic get through. I can connect back to HQ using a software VPN from my laptop (192.168.10.0)  so would that mean ports are open ?

0
 
LVL 1

Author Comment

by:Carpe--Diem
ID: 22690646
hold on..

Licensed Features
Encryption 3DES-AES
Failover: Disabled
Max Physical Interfaces: 3
Inside hosts: unlimited
IKE Peers: unlimted
max interfaces: 5

VPN Status
IKE tunnesl 9
IPSec Tunnels: 3

whats does all not mean? we have software VPN connections and site-ste connections
how to i check if its created an "access list for peer"
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Have you experienced traffic destined through a Cisco ASA firewall disappears and you do not know if the traffic stops in the firewall or somewhere else? The solution is the capture feature. This feature was released in 6.2(1) and works in all firew…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now