06-18-2010 04:24 PM - edited 03-11-2019 11:01 AM
Hello!
We've purchased a used Cisco PIX 515E firewall that we are using to replace a previous firewall of the same model. I have successfully copied the configuration from the old unit to the new via TFTP. Everything appears to be working normally, except that on boot-up, there are several errors displayed. There are about a dozen of them, but all fall into one of two categories. Either they reference keyword "outside" as "probably missing" or they say "crypto map" has "incomplete entries". Samples of each type are posted below.
Can someone point me in the right direction as to what these errors mean and how to correct them?
Thanks!
- Tom
EXAMPLE 1:
*** Output from config line 493, "nat (inside) 1 192.168.4..."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
EXAMPLE 2:
*** Output from config line 498, "nat (inside) 1 192.168.9..."
........WARNING: crypto map has incomplete entries
06-18-2010 07:48 PM
*** Output from config line 493, "nat (inside) 1 192.168.4..."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
Maybe your inside interface is configured with security level 0
You can configure it with security level 100, but then, if you say it is working for now, you have to understand the impact to traffic flow when you change the security level of an interface.
Depending on what version of code you are running :
for version 6.x , you will have to do something like
"nameif e1 inside sec 100"
documentation here :
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1026054
for 7.x and later
interface e1
nameif inside
sec 100
documentation here:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html#wp1051819
*** Output from config line 498, "nat (inside) 1 192.168.9..."
........WARNING: crypto map has incomplete entries
This suggests you have an incomplete ipsec vpn configuration.
If you do not use ipsec vpn, you can look for the command that binds
the crypto map to the outside interface, and issue a no in front of that command.
example :
no crypto map nameofmap interface outside
If you include the complete configuration and all the errors, we can possibly clean it up more.
Regards,
06-18-2010 08:12 PM
Thanks! I checked and the "inside" interface is indeed set to a security of 100. Here's the output of "show nameif" at the "configure terminal" prompt:
Ethernet0 outside 0
Ethernet1 inside 100
Ethernet2 intf2 4
Regarding the VPN, a VPN has been used on our network in the past, but is not presently used, so disabling that command would be fine.
I'm happy to post the complete configuration, though it is rather massive in size. Not sure what the proper protocol is here for posting large amounts of text, so I'm attaching it as a text file.
Lastly, here is the complete set of error messages:
...........WARNING: Enabling the logging ftp-bufferwrap feature could cause a
depletion of all available memory under high syslog
rates. Please adjust your buffered logging level
appropriately
*** Output from config line 390, "logging ftp-bufferwrap"
..WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 490, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 491, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 492, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 493, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 494, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 495, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 496, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 497, "nat (outside) 1 192.168...."
.WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 498, "nat (outside) 1 192.168...."
.......WARNING: crypto map has incomplete entries
*** Output from config line 684, "crypto map outside_map i..."
WARNING: crypto map has incomplete entries
*** Output from config line 686, "crypto map inside_map in..."
.
Thanks again!
- Tom
06-18-2010 09:19 PM
All your NAT and static commands are wrong. I am not sure how you say things work.
All your "nat (outside)" should instead be "nat (inside)"
All your "static (outside,inside)" should have been "static (inside,outside)"
You will have to copy them all to Notepad. Put "no" in front of each to remove them, then correct each one of them and paste the corrected lines.
example
no nat (outside) 1 192.168.0.0 255.255.255.0
nat (inside) 1 192.168.0.0 255.255.255.0
For the statics, do the same
no static (outside,inside) tcp x.x.xxx.xxx https XXXX https netmask 255.255.255.255
static (inside,outside) tcp x.x.xxx.xxx https XXXX https netmask 255.255.255.255
To remove the crypto config you can do :
clear config crypto
clear config isakmp
Regards,
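The clean-up described in the answer above (find the transposed nat and static lines, remove each with "no", paste the corrected form), sketched as an added Python example that is not part of the original thread. The interface table and config lines are constructed samples modelled on the thread's output; security_levels, audit and remediation are hypothetical helper names, and the generated commands are meant to be reviewed before pasting into the firewall.

```python
import re

# Constructed sample modelled on the thread: "show nameif" rows and a few
# translation lines (addresses are placeholders, not the poster's config).
NAMEIF = """\
Ethernet0 outside 0
Ethernet1 inside 100
Ethernet2 intf2 4
"""
CONFIG = """\
nat (outside) 1 192.168.4.0 255.255.255.0
nat (inside) 1 192.168.9.0 255.255.255.0
nat (outside) 2 10.9.0.0 255.255.0.0 outside
static (outside,inside) tcp 203.0.113.10 https 192.168.4.20 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 https 192.168.4.21 https netmask 255.255.255.255
"""

def security_levels(nameif_text):
    """Map interface name -> security level from 'show nameif' rows."""
    levels = {}
    for row in nameif_text.splitlines():
        parts = row.split()
        if len(parts) == 3 and parts[2].isdigit():
            levels[parts[1]] = int(parts[2])
    return levels

def audit(config_text, levels, trusted="inside"):
    """Return (line_no, original, corrected) for lines that look transposed."""
    outermost = min(levels, key=levels.get)  # interface with the lowest level
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        nat = re.match(r"nat \((\S+?)\) (.*)", line)
        static = re.match(r"static \((\S+?),(\S+?)\) (.*)", line)
        # The boot warning: nat bound to the outermost interface, no "outside" keyword.
        if nat and nat.group(1) == outermost and "outside" not in nat.group(2).split():
            findings.append((no, line, f"nat ({trusted}) {nat.group(2)}"))
        # The answer's rule for statics: the first interface should be the more trusted one.
        elif static and levels.get(static.group(1), 0) < levels.get(static.group(2), 0):
            first, second, rest = static.groups()
            findings.append((no, line, f"static ({second},{first}) {rest}"))
    return findings

def remediation(findings):
    """Emit the 'no <old>' / '<new>' pairs, in config order."""
    out = []
    for _, old, new in findings:
        out += [f"no {old}", new]
    return out

if __name__ == "__main__":
    print("\n".join(remediation(audit(CONFIG, security_levels(NAMEIF)))))
```

A nat line that already carries the "outside" keyword is left alone, since that is the form the warning says is expected on the outermost interface.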
06-23-2010 09:41 AM
Thank you very much for your help!
Once I realized that the "inside" and "outside" designations had somehow become transposed, I re-transferred the configuration from the old unit. It correctly transferred with the interfaces set correctly. I must have messed something up the first time around. The firewall is now working normally.
Thanks again!
- Tom