Cisco Support Community
New Member

pix 515 warning

I get this warning when setting up a site-to-site VPN using PDM 3.0 on a PIX 515 ver 6.3(4):

[OK] isakmp key @############## address 66.45.80.156 netmask 255.255.255.255 no-xauth no-config-mode

[OK] pdm location 10.128.174.128 255.255.255.224 outside

[OK] pdm location 10.128.174.192 255.255.255.224 outside

[OK] access-list 100 line 3 permit ip 192.168.1.0 255.255.255.0 10.128.174.128 255.255.255.224

[OK] access-list 100 line 4 permit ip 192.168.1.0 255.255.255.0 10.128.174.192 255.255.255.224

[OK] nat (inside) 0 access-list 100

[OK] access-list outside_cryptomap_31 permit ip 192.168.1.0 255.255.255.0 10.128.174.128 255.255.255.224

[OK] access-list outside_cryptomap_31 permit ip 192.168.1.0 255.255.255.0 10.128.174.192 255.255.255.224

[ERR]crypto map newmap 31 set peer 66.45.80.156

WARNING: This crypto map is incomplete. To remedy the situation add a peer and a valid access-list to this crypto map.

[OK] crypto map newmap 31 match address outside_cryptomap_31

[OK] crypto map newmap 31 set transform-set basis

[OK] crypto map newmap 31 set security-association lifetime seconds 28800 kilobytes 4608000

[OK] crypto map newmap interface outside

[OK] sysopt connection permit-ipsec

Everything looks OK when I go through the steps.

2 REPLIES
Cisco Employee

Re: pix 515 warning

Hi,

With every peer we need to add a crypto access list, which tells the PIX what traffic needs to be sent through the tunnel for that peer.

This warning comes if you define a peer and the match list is not defined.

I can see that you have defined the match address after defining the peer so that is why you got that warning.

crypto map newmap 31 match address outside_cryptomap_31

You don't need to worry, it looks fine. Check the config and you should see both the set peer and match address in the crypto config.

Hope this helps.

Tanveer
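
The check suggested in the reply above, as an added example that is not part of the original thread or any Cisco tool: a small Python audit that reads the final configuration text, so the order in which the commands were entered does not matter. The sample configuration is constructed from the commands in the first post; the function name and the extra checks (transform-set present, access list defined, map applied to an interface) are assumptions of this example.

```python
import re

# Constructed sample: commands from the first post, in the order PDM sent them.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_31 permit ip 192.168.1.0 255.255.255.0 10.128.174.128 255.255.255.224
access-list outside_cryptomap_31 permit ip 192.168.1.0 255.255.255.0 10.128.174.192 255.255.255.224
crypto map newmap 31 set peer 66.45.80.156
crypto map newmap 31 match address outside_cryptomap_31
crypto map newmap 31 set transform-set basis
crypto map newmap interface outside
"""

REQUIRED = ("set peer", "match address", "set transform-set")
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (set peer|match address|set transform-set) (\S+)")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) ")


def audit_crypto_maps(config_text):
    """Return {(map_name, seq): [problems]} for each crypto map entry found."""
    entries, acls, bound = {}, set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            name, seq, key, value = m.groups()
            entries.setdefault((name, int(seq)), {}).setdefault(key, []).append(value)
        elif m := IFACE_RE.match(line):
            bound.add(m.group(1))      # map name applied to an interface
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))       # access lists that actually exist
    report = {}
    for (name, seq), fields in sorted(entries.items()):
        problems = [f"missing '{k}'" for k in REQUIRED if k not in fields]
        for acl in fields.get("match address", []):
            if acl not in acls:
                problems.append(f"access-list '{acl}' is not defined")
        if name not in bound:
            problems.append("crypto map is not applied to an interface")
        report[(name, seq)] = problems
    return report


if __name__ == "__main__":
    for (name, seq), problems in audit_crypto_maps(SAMPLE_CONFIG).items():
        print(f"crypto map {name} {seq}:", "complete" if not problems else "; ".join(problems))
```

An empty problem list only means the entry is complete on this side; it says nothing about whether the peer is reachable or configured to match.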

New Member

Re: pix 515 warning

So I don't need to go back and add another peer and access list?

Then why does my tunnel not come up?

Result of firewall command: "sh crypto isakmp sa"

Total : 0

Embryonic : 0

dst src state pending created
