PIX 515E: Configuration Errors at Boot Up

Answered Question
Jun 18th, 2010

Hello!

We've purchased a used Cisco PIX 515E firewall that we are using to replace a previous firewall of the same model. I have successfully copied the configuration from the old unit to the new via TFTP. Everything appears to be working normally, except that on boot-up, there are several errors displayed. There are about a dozen of them, but all fall into one of two categories. Either they reference keyword "outside" as "probably missing" or they say "crypto map" has "incomplete entries". Samples of each type are posted below.

Can someone point me in the right direction as to what these errors mean and how to correct them?

Thanks!

- Tom

EXAMPLE 1:

*** Output from config line 493, "nat (inside) 1 192.168.4..."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

EXAMPLE 2:

*** Output from config line 498, "nat (inside) 1 192.168.9..."
........WARNING: crypto map has incomplete entries
edadios Fri, 06/18/2010 - 19:48
*** Output from config line 493, "nat (inside) 1 192.168.4..."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

Maybe your inside interface is configured with security level 0

You can configure it with security level 100, but then, if you say it is working for now, you have to understand the impact to traffic flow when you change the security level of an interface.

Depending on what version of code you are running:

for version 6.x, you will have to do something like

"nameif e1 inside sec 100"

documentation here :

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1026054

for 7.x and later

interface e1

nameif inside

sec 100

documentation here:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html#wp1051819

*** Output from config line 498, "nat (inside) 1 192.168.9..."
........WARNING: crypto map has incomplete entries

This suggests you have an incomplete IPsec VPN configuration.
If you do not use IPsec VPN, you can look for the command that binds
the crypto map to the outside interface, and issue a no in front of that command.

example :
no crypto map nameofmap interface outside


If you include the complete configuration and all the errors, we can possibly clean it up more.

Regards,
easyadstom Fri, 06/18/2010 - 20:12

Thanks! I checked and the "inside" interface is indeed set to a security of 100. Here's the output of "show nameif" at the "configure terminal" prompt:

Ethernet0                outside                    0
Ethernet1                inside                   100
Ethernet2                intf2                      4

Regarding the VPN, a VPN has been used on our network in the past, but is not presently used, so disabling that command would be fine.

I'm happy to post the complete configuration, though it is rather massive in size. Not sure what the proper protocol is here for posting large amounts of text, so I'm attaching it as a text file.

Lastly, here is the complete set of error messages:

...........WARNING: Enabling the logging ftp-bufferwrap feature could cause a
         depletion of all available memory under high syslog
         rates. Please adjust your buffered logging level
         appropriately
*** Output from config line 390, "logging ftp-bufferwrap"
..WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 490, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 491, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 492, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 493, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 494, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 495, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 496, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 497, "nat (outside) 1 192.168...."
.WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 498, "nat (outside) 1 192.168...."
.......WARNING: crypto map has incomplete entries
*** Output from config line 684, "crypto map outside_map i..."
WARNING: crypto map has incomplete entries
*** Output from config line 686, "crypto map inside_map in..."
.

Thanks again!

- Tom

Correct Answer
edadios Fri, 06/18/2010 - 21:19

All your NAT and static commands are wrong. I am not sure how you say things work.

All your "nat (outside)" should instead be "nat (inside)"

All your "static (outside,inside)" should have been "static (inside,outside)"

You will have to copy them all to Notepad. Put "no" in front of each to remove them, then correct each one of them and paste the corrected lines.

example

no nat (outside) 1 192.168.0.0 255.255.255.0

nat (inside) 1 192.168.0.0 255.255.255.0

For the statics, do the same

no static (outside,inside) tcp x.x.xxx.xxx https XXXX https netmask 255.255.255.255

static (inside,outside) tcp x.x.xxx.xxx https XXXX https netmask  255.255.255.255

To remove the crypto config you can do :

clear config crypto

clear config isakmp

Regards,
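
The Notepad procedure from the answer above, automated as an added example (not code from the thread or from Cisco): it reads a saved configuration, emits a `no` line plus the corrected line for every transposed `nat`/`static` statement, and optionally unbinds crypto maps from interfaces. The function name `build_fix`, the `remove_vpn` parameter and the sample addresses are assumptions; the interface names `inside` and `outside` are the ones used in the thread.

```python
import re

# Constructed sample in the style of the thread's configuration; the
# addresses are placeholders, not values from the poster's attachment.
SAMPLE_CONFIG = """\
nat (outside) 1 192.168.0.0 255.255.255.0
nat (outside) 1 192.168.4.0 255.255.255.0
static (outside,inside) tcp 203.0.113.10 https 192.168.0.20 https netmask 255.255.255.255
global (outside) 1 interface
crypto map outside_map interface outside
"""

NAT_RE = re.compile(r"^nat \(outside\) (?P<rest>.+)$")
STATIC_RE = re.compile(r"^static \(outside,inside\) (?P<rest>.+)$")
CRYPTO_IF_RE = re.compile(r"^crypto map \S+ interface \S+$")


def build_fix(config_text, remove_vpn=False):
    """Return CLI lines that remove each transposed statement and re-add it
    with the interface names the answer says it should have."""
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if m:
            out += ["no " + line, "nat (inside) " + m["rest"]]
            continue
        m = STATIC_RE.match(line)
        if m:
            out += ["no " + line, "static (inside,outside) " + m["rest"]]
            continue
        # Only unbind crypto maps when the VPN is confirmed unused.
        if remove_vpn and CRYPTO_IF_RE.match(line):
            out.append("no " + line)
    return out


if __name__ == "__main__":
    # Review the generated lines before pasting them at the config prompt.
    print("\n".join(build_fix(SAMPLE_CONFIG, remove_vpn=True)))
```

Lines that do not match, such as `global (outside) 1 interface`, are left out of the output untouched, so the result can be reviewed line by line before it is pasted.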

easyadstom Wed, 06/23/2010 - 09:41

Thank you very much for your help!

Once I realized that the "inside" and "outside" designations had somehow become transposed, I re-transferred the configuration from the old unit. It correctly transferred with the interfaces set correctly. I must have messed something up the first time around. The firewall is now working normally.


Thanks again!

- Tom
