New Member

PIX 515E: Configuration Errors at Boot Up

Hello!

We've purchased a used Cisco PIX 515E firewall that we are using to replace a previous firewall of the same model. I have successfully copied the configuration from the old unit to the new via TFTP. Everything appears to be working normally, except that on boot-up, there are several errors displayed. There are about a dozen of them, but all fall into one of two categories. Either they reference keyword "outside" as "probably missing" or they say "crypto map" has "incomplete entries". Samples of each type are posted below.

Can someone point me in the right direction as to what these errors mean and how to correct them?

Thanks!

- Tom

EXAMPLE 1:

*** Output from config line 493, "nat (inside) 1 192.168.4..."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

EXAMPLE 2:

*** Output from config line 498, "nat (inside) 1 192.168.9..."
........WARNING: crypto map has incomplete entries
Silver

Re: PIX 515E: Configuration Errors at Boot Up

*** Output from config line 493, "nat (inside) 1 192.168.4..."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.

Maybe your inside interface is configured with security level 0

You can configure it with security level 100, but then, if you say it is working for now, you have to understand the impact to traffic flow when you change the security level of an interface.

Depending on what version of code you are running:

For version 6.x, you will have to do something like

"nameif e1 inside sec 100"

documentation here :

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1026054

for 7.x and later

interface e1

nameif inside

sec 100

documentation here:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/intparam.html#wp1051819

*** Output from config line 498, "nat (inside) 1 192.168.9..."
........WARNING: crypto map has incomplete entries

This suggests you have an incomplete IPsec VPN configuration.
If you do not use IPsec VPN, you can look for the command that binds
the crypto map to the outside interface, and issue a "no" in front of that command.

example :
no crypto map nameofmap interface outside


If you include the complete configuration and all the errors, we can possibly clean it up more.

Regards,
New Member

Re: PIX 515E: Configuration Errors at Boot Up

Thanks! I checked and the "inside" interface is indeed set to a security of 100. Here's the output of "show nameif" at the "configure terminal" prompt:

Ethernet0                outside                    0
Ethernet1                inside                   100
Ethernet2                intf2                      4

Regarding the VPN, a VPN has been used on our network in the past, but is not presently used, so disabling that command would be fine.

I'm happy to post the complete configuration, though it is rather massive in size. Not sure what the proper protocol is here for posting large amounts of text, so I'm attaching it as a text file.

Lastly, here is the complete set of error messages:

...........WARNING: Enabling the logging ftp-bufferwrap feature could cause a
         depletion of all available memory under high syslog
         rates. Please adjust your buffered logging level
         appropriately
*** Output from config line 390, "logging ftp-bufferwrap"
..WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 490, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 491, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 492, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 493, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 494, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 495, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 496, "nat (outside) 1 192.168...."
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 497, "nat (outside) 1 192.168...."
.WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
*** Output from config line 498, "nat (outside) 1 192.168...."
.......WARNING: crypto map has incomplete entries
*** Output from config line 684, "crypto map outside_map i..."
WARNING: crypto map has incomplete entries
*** Output from config line 686, "crypto map inside_map in..."
.

Thanks again!

- Tom

Silver

Re: PIX 515E: Configuration Errors at Boot Up

All your NAT and static commands are wrong. I am not sure how you say things work.

All your "nat (outside)" should instead be "nat (inside)"

All your "static (outside,inside)" should have been "static (inside,outside)"

You will have to copy them all to Notepad. Put "no" in front of each to remove them, then correct each one of them and paste the corrected lines.

example

no nat (outside) 1 192.168.0.0 255.255.255.0

nat (inside) 1 192.168.0.0 255.255.255.0

For the statics, do the same

no static (outside,inside) tcp x.x.xxx.xxx https XXXX https netmask 255.255.255.255

static (inside,outside) tcp x.x.xxx.xxx https XXXX https netmask 255.255.255.255

To remove the crypto config you can do:

clear config crypto

clear config isakmp

Regards,
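
The copy, prefix with "no", correct and paste procedure from the reply above can be scripted so that every misbound line is caught and the change set can be reviewed before it is pasted. This is an added example, not part of the original thread or of any Cisco tool; the function names, the `trusted` parameter and the sample addresses are assumptions, and the interface table uses the "show nameif" layout posted earlier in the thread.

```python
import re

# Constructed sample: "show nameif" output in the layout posted in the thread.
SHOW_NAMEIF = """\
Ethernet0                outside                    0
Ethernet1                inside                   100
Ethernet2                intf2                      4
"""

# Constructed sample config lines (documentation addresses, not from the thread).
CONFIG = """\
nat (outside) 1 192.168.0.0 255.255.255.0
nat (inside) 1 192.168.4.0 255.255.255.0
static (outside,inside) tcp 203.0.113.10 https 192.168.0.10 https netmask 255.255.255.255
static (inside,outside) tcp 203.0.113.11 smtp 192.168.0.11 smtp netmask 255.255.255.255
"""

NAT_RE = re.compile(r"^nat \((\w+)\) (.+)$")
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (.+)$")

def parse_nameif(text):
    """Return {interface name: security level} from 'show nameif' output."""
    levels = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[2].isdigit():
            levels[fields[1]] = int(fields[2])
    return levels

def plan_fixes(config, levels, trusted="inside"):
    """Return (remove, replace) command pairs for misbound nat/static lines."""
    outermost = min(levels, key=levels.get)  # lowest security level
    fixes = []
    for line in (l.strip() for l in config.splitlines()):
        nat = NAT_RE.match(line)
        static = STATIC_RE.match(line)
        # A nat line that already carries the "outside" keyword is left alone.
        if nat and nat.group(1) == outermost and "outside" not in nat.group(2).split():
            fixes.append(("no " + line, f"nat ({trusted}) {nat.group(2)}"))
        elif static:
            first, second, rest = static.groups()
            # Unknown interface names are skipped rather than guessed at.
            if first in levels and second in levels and levels[first] < levels[second]:
                fixes.append(("no " + line, f"static ({second},{first}) {rest}"))
    return fixes

if __name__ == "__main__":
    for remove, replace in plan_fixes(CONFIG, parse_nameif(SHOW_NAMEIF)):
        print(remove, replace, sep="\n")
```

The output is a list of command pairs to review, not something to paste blindly: a line flagged here may be intentional outside NAT that is only missing its keyword.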

New Member

Re: PIX 515E: Configuration Errors at Boot Up

Thank you very much for your help!

Once I realized that the "inside" and "outside" designations had somehow become transposed, I re-transferred the configuration from the old unit. It correctly transferred with the interfaces set correctly. I must have messed something up the first time around. The firewall is now working normally.


Thanks again!

- Tom
