Unable to add ipsec-isakmp to a crypto map on PIX515

Sep 25th, 2008

Hi All,

I am having problems setting up a VPN between our PIX and a customer's Nortel firewall.


When I am trying to set up the crypto map I specify:

cnst-corp-fw-01(config)# crypto map outside_map 60 ipsec-isakmp
ERROR: % Incomplete command
cnst-corp-fw-01(config)# crypto map outside_map 60 ipsec-isakmp ?

configure mode commands/options:
  dynamic  Entry is a dynamic map


The problem is that this is a site-to-site VPN, so I don't understand why I would need the dynamic map.


I did Google this issue and had a look in these forums prior to posting, but didn't have any luck finding an answer.

I'm not really sure what I will need to provide to help resolve this, as I am still learning the PIX commands and don't really have anyone to guide me, so please let me know if you need further info.



Thanks,

Mark

markwalkom Thu, 09/25/2008 - 18:41

This is what I have been trying to add:

name 203.2.2.2 toll_melb_peer
name 10.66.66.1 toll_pythia_db
name 10.64.47.58 toll_P6dov-pr7_tx
name 10.64.47.66 toll_P6dov-tst7_tx

object-group network toll_hosts
 desc Toll hosts
 network-object host toll_pythia_db
 network-object host toll_P6dov-pr7_tx
 network-object host toll_P6dov-tst7_tx
object-group network toll_ecn_nat_hosts
 desc Toll IPs to NAT NS LAN to
 network-object 172.25.232.0 255.255.255.248
object-group service toll_tcp_ports tcp
 description Allowed TCP ports to toll
 port-object eq 22
 port-object eq 161
 port-object eq 162

access-list inside_nat0_outbound extended permit tcp object-group toll_ecn_nat_hosts object-group toll_hosts
access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts eq ssh object-group toll_hosts
access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts eq 1521 host toll_pythia_db
access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts host toll_P6dov-pr7_tx object-group toll_tcp_ports
access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts host toll_P6dov-tst7_tx object-group toll_tcp_ports
access-list outside_cryptomap_60 extended permit tcp NS_LAN 255.255.252.0 object-group toll_hosts
access-list toll-ecn-nat extended permit tcp NS_LAN 255.255.252.0 object-group toll_hosts

global (outside) 8 172.25.232.0 netmask 255.255.255.248
nat (inside) 8 access-list toll-ecn-nat

crypto map outside_map 60 set peer toll_melb_peer
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set security-association lifetime seconds 86400
crypto isakmp key pskgoeshere address 203.2.2.2 netmask 255.255.255.255



There are already a few VPNs set up, and an existing isakmp policy that this will be able to use.

BrianMitchellTX Thu, 09/25/2008 - 18:45

It looks like you're using OS 7 or higher for the PIX.


Try:

crypto map outside_map 60 set peer {peer}
crypto map outside_map 60 set transform-set {transform}
crypto map outside_map 60 match address {access list}
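Added example, not from either poster: a small Python lint that checks a PIX 7.x-style config fragment against the rule the reply above implies (a static crypto map entry is defined by its set peer, match address and set transform-set statements, while the ipsec-isakmp keyword only precedes dynamic), and also verifies that the referenced ACL, transform set and pre-shared-key peer address exist. The sample config is constructed from the thread's own entry; the crypto ipsec transform-set line is assumed.

```python
import re
from collections import defaultdict

# Constructed sample built from the thread's own entry (names and addresses
# are the poster's values, not real peers); the transform-set line is assumed.
SAMPLE_CONFIG = """\
name 203.2.2.2 toll_melb_peer
access-list outside_cryptomap_60 extended permit tcp 10.0.0.0 255.255.252.0 host 10.66.66.1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 60 set peer toll_melb_peer
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto isakmp key pskgoeshere address 203.2.2.2 netmask 255.255.255.255
"""

REQUIRED = ("set peer", "match address", "set transform-set")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) "
                    r"(set peer|match address|set transform-set|set pfs|ipsec-isakmp)\s*(.*)$")

def lint_crypto_maps(config):
    """Return {(map_name, seq): [problems]} for each static crypto map entry."""
    names, acls, tsets, psk_peers = {}, set(), set(), set()
    entries = defaultdict(dict)
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"name (\S+) (\S+)$", line):
            names[m.group(2)] = m.group(1)            # hostname alias -> address
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            tsets.add(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            psk_peers.add(m.group(1))
        elif m := MAP_RE.match(line):
            entries[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
    report = {}
    for key, stmts in entries.items():
        problems = []
        if "ipsec-isakmp" in stmts:   # on this platform the keyword only precedes 'dynamic'
            problems.append("'ipsec-isakmp' is not a static map statement here; drop it")
        problems += [f"missing '{r}'" for r in REQUIRED if r not in stmts]
        if "match address" in stmts and stmts["match address"] not in acls:
            problems.append(f"ACL '{stmts['match address']}' is not defined")
        ts = stmts.get("set transform-set", "").split()
        if ts and ts[0] not in tsets:
            problems.append(f"transform-set '{ts[0]}' is not defined")
        if peer := stmts.get("set peer"):
            addr = names.get(peer, peer)              # resolve 'name' alias to its address
            if addr not in psk_peers:
                problems.append(f"no 'crypto isakmp key ... address {addr}' for peer '{peer}'")
        report[key] = problems
    return report
```

Running it over the sample returns an empty problem list for entry 60; replacing the set peer line with the bare ipsec-isakmp line from the question reports both the stray keyword and the missing peer.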

