Carpe--Diem
site-site : [ERR]crypto map outside_map
G'day peoples,
I am trying to set up a PIX 515E for only the second time, and I am quite new to this. I connect to the PIX through PDM version 3. I am having issues creating a site-to-site VPN link. I used the VPN wizard, answered all the questions, and then got the following message. We have about 5 other site-to-site VPNs that work; I just can't see what I am doing wrong on this one. Thank you for your time, and feel free to ask for more info.
[OK] no isakmp key *** address 80.219.xxx.xxx
[OK] isakmp key mykey address 80.219.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
[OK] access-list inside_nat0_outbound line 8 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
[OK] nat (inside) 0 access-list inside_nat0_outbound
[OK] access-list outside_cryptomap_220 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
[ERR]crypto map outside_map 220 set peer 80.219.xxx.xxx
WARNING: This crypto map is incomplete.
To remedy the situation add a peer and a valid access-list to this crypto map.
[OK] crypto map outside_map 220 match address outside_cryptomap_220
[OK] crypto map outside_map 220 set transform-set ESP-3DES-MD5
[OK] crypto map outside_map 220 set security-association lifetime seconds 28800 kilobytes 4608000
[OK] crypto map outside_map interface outside
[OK] sysopt connection permit-ipsec
ASKER
Thank you, I am now happy that it's set up correctly. I will know for sure next week, as I have to create another connection. I have pinged the external IP but got no response; I am going to call the network admin next week to confirm he has given me the correct details.
This is where it gets a bit more complicated. Normally site-to-site links connect to a router on a standard phone line. This site is in a managed office block, so I was given an external IP address which forwards to an internal building IP address, which is the static address of my router, which in turn creates a local network for my staff.
web - 80.219.xxx.xxx - 123.123.123.123 - 192.168.10.0
What ports need to be open to ensure traffic gets through? I can connect back to HQ using a software VPN from my laptop (192.168.10.0), so would that mean the ports are open?
ASKER
Hold on...
Licensed Features
Encryption: 3DES-AES
Failover: Disabled
Max Physical Interfaces: 3
Inside hosts: unlimited
IKE Peers: unlimited
Max interfaces: 5
VPN Status
IKE tunnels: 9
IPSec Tunnels: 3
What does all that mean? We have software VPN connections and site-to-site connections.
How do I check if it's created an "access list for peer"?
It may be that if you have 5 tunnels already configured on that device, you are only licensed for 5 tunnels and can't create any more.
Otherwise, for some reason it is not taking the peer address you are putting in the wizard, and it's not creating an access list for that peer.
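One way to answer "did the wizard actually give this crypto map a peer and an access list?" without clicking through PDM is to paste the `show running-config` output into a small checker. The script below is an added example written for this page; it is not from the thread, the poster's PIX, or Cisco. It understands only the PIX 6.x syntax visible in the question (`access-list NAME [line N] permit ip SRC MASK DST MASK`, `nat (INTERFACE) 0 access-list NAME`, `crypto map NAME SEQ ...`, `isakmp key KEY address PEER ...`) and, for each crypto map sequence number, reports a missing `set peer`, a missing or undefined `match address` ACL, a missing transform-set, a peer with no pre-shared key, a crypto map not applied to an interface, and crypto ACL entries that the NAT 0 exemption list does not also carry, which is the classic reason a tunnel builds but no traffic flows. The two sample configurations are constructed for the example: `203.0.113.10` stands in for the masked peer address and `examplekey` for the real key. The NAT 0 comparison is an exact match of access-list entries, not a subnet containment check.

```python
"""Check PIX 6.x crypto map entries for completeness (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample modelled on the wizard output in the question; the peer
# address and pre-shared key are placeholders, not the poster's real values.
SAMPLE_CONFIG = """
no isakmp key ******** address 203.0.113.10
isakmp key examplekey address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
access-list inside_nat0_outbound line 8 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_220 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 220 ipsec-isakmp
crypto map outside_map 220 set peer 203.0.113.10
crypto map outside_map 220 match address outside_cryptomap_220
crypto map outside_map 220 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
"""

# Constructed broken variant: no pre-shared key for the peer, NAT 0 exempts the
# wrong remote subnet, and the crypto map was never applied to an interface.
BROKEN_CONFIG = """
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list outside_cryptomap_220 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map outside_map 220 ipsec-isakmp
crypto map outside_map 220 set peer 203.0.113.10
crypto map outside_map 220 match address outside_cryptomap_220
crypto map outside_map 220 set transform-set ESP-3DES-MD5
"""

ACL_RE = re.compile(r"^access-list (\S+)(?: line \d+)? permit ip (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+)")
MAP_ATTRS = ("set peer", "match address", "set transform-set")


def _endpoint(tokens):
    """Consume one ACL endpoint: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "255.255.255.255"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Collect ACLs, NAT 0 lists, crypto map attributes, applied maps and ISAKMP peers."""
    cfg = {"acls": defaultdict(list), "maps": defaultdict(dict),
           "nat0": set(), "keys": set(), "applied": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("no "):   # 'no ...' lines remove config, skip them
            continue
        if m := ACL_RE.match(line):
            src, rest = _endpoint(m.group(2).split())
            dst, _ = _endpoint(rest)
            cfg["acls"][m.group(1)].append((src, dst))
        elif m := MAP_RE.match(line):
            entry = cfg["maps"][(m.group(1), int(m.group(2)))]   # creates the entry
            for attr in MAP_ATTRS:
                if m.group(3).startswith(attr):
                    entry[attr] = m.group(3)[len(attr):].split()[0]
        elif m := MAP_IF_RE.match(line):
            cfg["applied"].add(m.group(1))
        elif m := NAT0_RE.match(line):
            cfg["nat0"].add(m.group(1))
        elif m := KEY_RE.match(line):
            cfg["keys"].add(m.group(1))
    return cfg


def check_crypto_maps(cfg):
    """Return {(map_name, seq): [problem, ...]}; an empty list means the entry is complete."""
    nat0_aces = {ace for name in cfg["nat0"] for ace in cfg["acls"].get(name, [])}
    report = {}
    for (name, seq), entry in sorted(cfg["maps"].items()):
        problems = []
        peer = entry.get("set peer")
        if not peer:
            problems.append("no 'set peer'")
        elif peer not in cfg["keys"]:
            problems.append(f"no isakmp pre-shared key for peer {peer}")
        acl = entry.get("match address")
        if not acl:
            problems.append("no 'match address'")
        elif acl not in cfg["acls"]:
            problems.append(f"match ACL {acl} is not defined")
        else:
            for src, dst in cfg["acls"][acl]:
                if (src, dst) not in nat0_aces:   # exact ACE comparison, not containment
                    problems.append(f"NAT 0 exemption does not cover "
                                    f"{src[0]}/{src[1]} -> {dst[0]}/{dst[1]}")
        if "set transform-set" not in entry:
            problems.append("no 'set transform-set'")
        if name not in cfg["applied"]:
            problems.append(f"crypto map {name} is not applied to an interface")
        report[(name, seq)] = problems
    return report


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        for (name, seq), problems in check_crypto_maps(parse_config(text)).items():
            status = "complete" if not problems else "; ".join(problems)
            print(f"[{label}] {name} seq {seq}: {status}")
```

Run it against a real `show running-config` paste and the first sample reports `outside_map seq 220: complete`, while the broken one lists the three defects. Note that PIX 6.x echoes the "This crypto map is incomplete" warning whenever `set peer` is entered before `match address`, so the order of the wizard's output matters more than the [ERR] tag suggests; checking the finished running config is the reliable test.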