topic Re: PIX 515E: Configuration Errors at Boot Up in Network Security

PIX 515E: Configuration Errors at Boot Up

easyadstom — Mon, 11 Mar 2019 18:01:17 GMT

Hello!

We've purchased a used Cisco PIX 515E firewall that we are using to replace a previous firewall of the same model. I have successfully copied the configuration from the old unit to the new via TFTP. Everything appears to be working normally, except that on boot-up, there are several errors displayed. There are about a dozen of them, but all fall into one of two categories. Either they reference keyword "outside" as "probably missing" or they say "crypto map" has "incomplete entries". Samples of each type are posted below.

Can someone point me in the right direction as to what these errors mean and how to correct them?

Thanks!

- Tom

EXAMPLE 1:

*** Output from config line 493, "nat (inside) 1 192.168.4..."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

EXAMPLE 2:

*** Output from config line 498, "nat (inside) 1 192.168.9..."
........WARNING: crypto map has incomplete entries

Re: PIX 515E: Configuration Errors at Boot Up

edadios — Sat, 19 Jun 2010 02:48:02 GMT

*** Output from config line 493, "nat (inside) 1 192.168.4..."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

Maybe your inside interface is configured with security level 0

You can configure it with security level 100, but then, if you say it is working for now, you have to understand the impact to traffic flow when you change the security level of an interface.

Depending on what version of code you are running :

for version 6.x , you will have to do something like

"nameif e1 inside sec 100"

documentation here :

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1026054

for 7.x and later

interface e1

nameif inside

sec 100

documentation here:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html#wp1051819

*** Output from config line 498, "nat (inside) 1 192.168.9..."
........WARNING: crypto map has incomplete entries

This suggest you have incomplete ipsec vpn configuration.
If you do not use ipsec vpn, you can look for the command that binds 
the crypto map to the outide interface, and issue a no in front of that command.

example :
no crypto map nameofmap interface outside


If you include the complete configuration and all the errors, we can possible clean it up more.

Regards,

Re: PIX 515E: Configuration Errors at Boot Up

easyadstom — Sat, 19 Jun 2010 03:12:57 GMT

Thanks! I checked and the "inside" interface is indeed set to a security of 100. Here's the output of "show nameif" at the "configure terminal" prompt:

Ethernet0                outside                    0
Ethernet1                inside                   100
Ethernet2                intf2                      4

Regarding the VPN, a VPN has been used on our network in the past, but is not presently used, so disabling that command would be fine.

I'm happy to post the complete configuration, though it is rather massive in size. Not sure what the proper protocol is here for posting large amounts of text, so I'm attaching it as a text file.

Lastly, here is the complete set of error messages:

...........WARNING: Enabling the logging ftp-bufferwrap feature could cause a
         depletion of all available memory under high syslog
         rates. Please adjust your buffered logging level
         appropriately
*** Output from config line 390, "logging ftp-bufferwrap"
..WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 490, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 491, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 492, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 493, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 494, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 495, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 496, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 497, "nat (outside) 1 192.168...."
.WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 498, "nat (outside) 1 192.168...."
.......WARNING: crypto map has incomplete entries
*** Output from config line 684, "crypto map outside_map i..."
WARNING: crypto map has incomplete entries
*** Output from config line 686, "crypto map inside_map in..."
.

Thanks again!

- Tom

Re: PIX 515E: Configuration Errors at Boot Up

edadios — Sat, 19 Jun 2010 04:19:24 GMT

All your NAT and static commands are wrong. I am not sure how you say things work.

All your "nat (outside)" should instead be "nat (inside)"

All your "static (outside,inside)" should have been "static (inside,outside)"

You will have copy them all to notepad. put "no" in front of each to remove them, then correct each one of them and paste the corrected lines.

example

no nat (outside) 1 192.168.0.0 255.255.255.0

nat (inside) 1 192.168.0.0 255.255.255.0

For the statics, do the same

no static (outside,inside) tcp x.x.xxx.xxx https XXXX https netmask 255.255.255.255

static (inside,outside) tcp x.x.xxx.xxx https XXXX https netmask 255.255.255.255

To remove the crypto config you can do :

clear config crypto

clear config isakmp

Regards,

Re: PIX 515E: Configuration Errors at Boot Up

easyadstom — Wed, 23 Jun 2010 16:41:15 GMT

Thank you very much for your help!

Once I realized that the "inside" and "outside" designations had somehow become transposed, I re-transferred the configuration from the old unit. It correctly transferred with the interfaces set correctly. I must have messed something up the first time around. The firewall is now working normally.

Thanks again!

- Tom