12-30-2006 02:48 PM - edited 02-21-2020 02:47 PM
Hello,
I have a problem while configuring two VPN tunnels on a PIX501 Ver. 6.3.
The problem always occurs at the moment when I have configured the second VPN in the PDM and apply it to the PIX.
The error occurs with net-to-net tunnels with pre-shared keys and also with remote VPN tunnels as the second definition.
The error message in the PDM:
------------------------
[OK] isakmp key cisco address 192.168.100.80 netmask 255.255.255.255 no-xauth no-config-mode
[OK] name 192.168.134.0 LAN_Malta
[OK] pdm location 192.168.134.0 255.255.255.0 outside
[OK] access-list inside_outbound_nat0_acl line 2 permit ip host 192.168.137.1 192.168.134.0 255.255.255.0
[OK] nat (inside) 0 access-list inside_outbound_nat0_acl
[OK] access-list outside_cryptomap_20 permit ip host 192.168.137.1 192.168.134.0 255.255.255.0
[ERR]crypto map outside_map 20 set peer 192.168.100.80
WARNING: This crypto map is incomplete.
To remedy the situation add a peer and a valid access-list to this crypto map.
[OK] crypto map outside_map 20 match address outside_cryptomap_20
[OK] crypto map outside_map 20 set transform-set ESP-3DES-MD5
[OK] crypto map outside_map 20 set security-association lifetime seconds 28800 kilobytes 4608000
[OK] crypto map outside_map interface outside
[OK] sysopt connection permit-ipsec
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname HAUPT
domain-name myDomain.com
names
name 192.168.137.1 SBS
name 192.168.134.0 LAN_VPN1
name 192.168.135.0 LAN_VPN2
access-list inside_outbound_nat0_acl permit ip 192.168.137.0 255.255.255.0 LAN_VPN1 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.137.0 255.255.255.0 LAN_VPN2 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.137.0 255.255.255.0 LAN_VPN1 255.255.255.0
access-list inside_access_in permit ip any any
access-list outside_cryptomap_40 remark VPN zu Realtek
access-list outside_cryptomap_40 permit ip 192.168.137.0 255.255.255.0 LAN_VPN2 255.255.255.0
access-list outside_access_in permit ip LAN_VPN1 255.255.255.0 any
access-list outside_access_in permit ip LAN_VPN2 255.255.255.0 any
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.137.254 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.100.80
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 192.168.80.80
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.100.80 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 192.168.80.80 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
01-03-2007 12:08 AM
Are you saying that the tunnels don't work, or are you just concerned about the error message?
If it is just the error message then it's not a problem. You always get this whether from the command line or via the PDM. As soon as you specify a peer you get the warning about an incomplete crypto map. Once you have specified the VPN access-list to go with it (the match address config line) then it's fine.
HTH
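A check that follows from the reply above, added here as an example and not part of the thread: rather than relying on the per-command warning, it audits the final configuration and reports crypto map entries that still lack a peer, match address or transform set, reference undefined objects, or have no isakmp key for their peer. The function name and entry 60 with peer 192.0.2.10 are assumptions; the other sample lines come from the posted config.

```python
import re

# Constructed sample: entries 20 and 40 are taken from the posted config;
# entry 60 (peer 192.0.2.10) is invented and has only a peer, the state the PIX warns about.
SAMPLE = """\
access-list outside_cryptomap_20 permit ip 192.168.137.0 255.255.255.0 LAN_VPN1 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.137.0 255.255.255.0 LAN_VPN2 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 192.168.100.80
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 192.168.80.80
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set peer 192.0.2.10
isakmp key ******** address 192.168.100.80 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 192.168.80.80 netmask 255.255.255.255 no-xauth no-config-mode
"""

# Sub-commands of a crypto map entry that the audit tracks.
KINDS = {("set", "peer"): "peer", ("match", "address"): "acl", ("set", "transform-set"): "tset"}

def audit_crypto_maps(config):
    """Return {(map_name, seq): [problems]} for every crypto map entry."""
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    keyed = set(re.findall(r"^isakmp key \S+ address (\S+)", config, re.M))
    entries = {}
    for name, seq, rest in re.findall(r"^crypto map (\S+) (\d+) (.+)$", config, re.M):
        words = rest.split()
        entry = entries.setdefault((name, int(seq)), {"peer": [], "acl": [], "tset": []})
        kind = KINDS.get(tuple(words[:2]))
        if kind:
            entry[kind] += words[2:]
    report = {}
    for key, e in sorted(entries.items()):
        problems = [f"no {label}" for label, field in
                    (("peer", "peer"), ("match address", "acl"), ("transform-set", "tset"))
                    if not e[field]]
        problems += [f"access-list {a} not defined" for a in e["acl"] if a not in acls]
        problems += [f"transform-set {t} not defined" for t in e["tset"] if t not in tsets]
        problems += [f"no isakmp key for peer {p}" for p in e["peer"] if p not in keyed]
        report[key] = problems
    return report

if __name__ == "__main__":
    for (name, seq), problems in audit_crypto_maps(SAMPLE).items():
        print(name, seq, "complete" if not problems else "; ".join(problems))
```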