09-25-2008 06:18 PM - edited 02-21-2020 03:57 PM
Hi All,
I am having problems setting up a VPN between our PIX and a customer's Nortel firewall.
When I am trying to set up the crypto map I specify:
cnst-corp-fw-01(config)# crypto map outside_map 60 ipsec-isakmp
ERROR: % Incomplete command
cnst-corp-fw-01(config)# crypto map outside_map 60 ipsec-isakmp ?
configure mode commands/options:
dynamic Entry is a dynamic map
The problem is that this is a site-to-site VPN, so I don't understand why I need the dynamic map.
I did google this issue and had a look in these forums prior to posting but didn't have any luck finding an answer.
I'm not really sure what I will need to provide to help resolve this as I am still learning the PIX commands and don't really have anyone to guide me, so please let me know if you need further info.
Thanks,
Mark
09-25-2008 06:41 PM
This is what I have been trying to add;
name 203.2.2.2 toll_melb_peer
name 10.66.66.1 toll_pythia_db
name 10.64.47.58 toll_P6dov-pr7_tx
name 10.64.47.66 toll_P6dov-tst7_tx
object-group network toll_hosts
desc Toll hosts
network-object host toll_pythia_db
network-object host toll_P6dov-pr7_tx
network-object host toll_P6dov-tst7_tx
object-group network toll_ecn_nat_hosts
desc Toll IPs to NAT NS LAN to
network-object 172.25.232.0 255.255.255.248
object-group service toll_tcp_ports tcp
description Allowed TCP ports to toll
port-object eq 22
port-object eq 161
port-object eq 162
access-list inside_nat0_outbound extended permit tcp object-group toll_ecn_nat_hosts object-group toll_hosts
access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts eq ssh object-group toll_hosts
access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts eq 1521 host toll_pythia_db
access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts host toll_P6dov-pr7_tx object-group toll_tcp_ports
access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts host toll_P6dov-tst7_tx object-group toll_tcp_ports
access-list outside_cryptomap_60 extended permit tcp NS_LAN 255.255.252.0 object-group toll_hosts
access-list toll-ecn-nat extended permit tcp NS_LAN 255.255.252.0 object-group toll_hosts
global (outside) 8 172.25.232.0 netmask 255.255.255.248
nat (inside) 8 access-list toll-ecn-nat
crypto map outside_map 60 set peer toll_melb_peer
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set security-association lifetime seconds 86400
crypto isakmp key pskgoeshere address 203.2.2.2 netmask 255.255.255.255
There are already a few VPNs set up, and an existing isakmp policy that this will be able to use.
09-25-2008 06:45 PM
It looks like you're using OS 7 or higher for the PIX.
Try:
crypto map outside_map 60 set peer {peer}
crypto map outside_map 60 set transform-set {transform}
crypto map outside_map 60 match address {access list}
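The following is an added example, not part of the original thread: a small Python audit that checks each static crypto map entry in a saved config for the three settings listed in the reply above (peer, transform-set, match address) and confirms that the referenced access-list is defined. The sample config is constructed from the lines posted in the thread; entry 70, its peer address and the function name `audit_crypto_maps` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: entry 60 mirrors the thread, entry 70 is made up
# (documentation address) to show an incomplete entry.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts object-group toll_hosts
crypto map outside_map 60 set peer toll_melb_peer
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 70 set peer 198.51.100.7
crypto map outside_map 70 match address outside_cryptomap_70
"""

# The three settings the reply lists for a site-to-site entry.
REQUIRED = ("peer", "transform-set", "match address")
ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) (?:set (peer|transform-set)|(match address)) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) ")

def audit_crypto_maps(config_text):
    """Return {(map_name, seq): [problems]} for incomplete static entries."""
    acls = set()
    entries = defaultdict(dict)
    for line in config_text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            name, seq, set_kw, match_kw, value = m.groups()
            entries[(name, int(seq))][set_kw or match_kw] = value
    findings = {}
    for key, settings in sorted(entries.items()):
        problems = [f"missing {kw}" for kw in REQUIRED if kw not in settings]
        acl = settings.get("match address")
        if acl and acl not in acls:
            problems.append(f"access-list {acl} not defined")
        if problems:
            findings[key] = problems
    return findings

if __name__ == "__main__":
    for (name, seq), problems in audit_crypto_maps(SAMPLE_CONFIG).items():
        print(f"crypto map {name} {seq}: {', '.join(problems)}")
```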