
pix 515 warning

dsdtnt1957
Level 1

I get this warning when setting up a site-to-site VPN using PDM 3.0 on a PIX 515 ver 6.3(4):

[OK] isakmp key @############## address 66.45.80.156 netmask 255.255.255.255 no-xauth no-config-mode

[OK] pdm location 10.128.174.128 255.255.255.224 outside

[OK] pdm location 10.128.174.192 255.255.255.224 outside

[OK] access-list 100 line 3 permit ip 192.168.1.0 255.255.255.0 10.128.174.128 255.255.255.224

[OK] access-list 100 line 4 permit ip 192.168.1.0 255.255.255.0 10.128.174.192 255.255.255.224

[OK] nat (inside) 0 access-list 100

[OK] access-list outside_cryptomap_31 permit ip 192.168.1.0 255.255.255.0 10.128.174.128 255.255.255.224

[OK] access-list outside_cryptomap_31 permit ip 192.168.1.0 255.255.255.0 10.128.174.192 255.255.255.224

[ERR]crypto map newmap 31 set peer 66.45.80.156

WARNING: This crypto map is incomplete. To remedy the situation add a peer and a valid access-list to this crypto map.

[OK] crypto map newmap 31 match address outside_cryptomap_31

[OK] crypto map newmap 31 set transform-set basis

[OK] crypto map newmap 31 set security-association lifetime seconds 28800 kilobytes 4608000

[OK] crypto map newmap interface outside

[OK] sysopt connection permit-ipsec

Everything looks OK when I go through the steps.


thamdani
Cisco Employee

Hi,

With every peer we need to add a crypto access list which tells the PIX what all traffic needs to be sent through that tunnel for that peer.

This warning comes if you define a peer and the match list is not defined.

I can see that you have defined the match address after defining the peer so that is why you got that warning.

crypto map newmap 31 match address outside_cryptomap_31

You don't need to worry, it looks fine. Check the config and you should see both the set peer and match address in the crypto config.

Hope this helps.

Tanveer
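The ordering effect described in the reply above, as an added example that is not part of the original thread: a small Python check that replays a PDM delivery transcript and reports, for each crypto map entry, whether a peer and a match address are both present once the last command has been sent. The function name `audit` and the report fields are hypothetical; it assumes, as the reply states, that a command marked `[ERR]` with this warning is still applied, and that the crypto access list is created in the same transcript.

```python
import re

# Delivery transcript lines copied from the post above (PDM "[OK]/[ERR]" prefixes kept).
TRANSCRIPT = """\
[OK] access-list outside_cryptomap_31 permit ip 192.168.1.0 255.255.255.0 10.128.174.128 255.255.255.224
[OK] access-list outside_cryptomap_31 permit ip 192.168.1.0 255.255.255.0 10.128.174.192 255.255.255.224
[ERR]crypto map newmap 31 set peer 66.45.80.156
[OK] crypto map newmap 31 match address outside_cryptomap_31
[OK] crypto map newmap 31 set transform-set basis
[OK] crypto map newmap interface outside
"""

LINE = re.compile(r"^\[(OK|ERR)\]\s*(.*)$")
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (set peer|match address) (\S+)")
ACL = re.compile(r"^access-list (\S+) (?:line \d+ )?(permit|deny) ")

def audit(transcript):
    """Return {(map, seq): report} for each crypto map entry after the last command."""
    acls, entries = set(), {}
    for raw in transcript.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # WARNING text and blank lines carry no command
        status, cmd = m.groups()
        a = ACL.match(cmd)
        if a:
            acls.add(a.group(1))
            continue
        e = ENTRY.match(cmd)
        if not e:
            continue
        name, seq, kind, value = e.groups()
        st = entries.setdefault((name, int(seq)), {"peer": None, "acl": None, "flagged_at": []})
        # Assumption (from the reply): the flagged command is still applied.
        st["peer" if kind == "set peer" else "acl"] = value
        if status == "ERR":
            st["flagged_at"].append(cmd)  # warning raised while the entry was half-built
    for st in entries.values():
        missing = []
        if st["peer"] is None:
            missing.append("peer")
        if st["acl"] is None:
            missing.append("match address")
        elif st["acl"] not in acls:  # assumption: ACL is defined in this transcript
            missing.append("access-list " + st["acl"] + " not defined")
        st["missing"] = missing
        st["complete"] = not missing
    return entries
```

For the transcript in the post, entry `newmap 31` ends up complete even though `set peer` was flagged, because `match address` arrives on the next line. The running configuration on the PIX remains the authoritative check.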

So I don't need to go back and add another peer and access list?

Then why does my tunnel not come up?

Result of firewall command: "sh crypto isakmp sa"

Total : 0

Embryonic : 0

dst src state pending created
