Cisco Support Community
New Member

Unable to add ipsec-isakmp to a crypto map on PIX515

Hi All,

I am having problems setting up a VPN between our PIX and a customer's Nortel firewall.

When I am trying to set up the crypto map I specify:

cnst-corp-fw-01(config)# crypto map outside_map 60 ipsec-isakmp

ERROR: % Incomplete command

cnst-corp-fw-01(config)# crypto map outside_map 60 ipsec-isakmp ?

configure mode commands/options:

dynamic Entry is a dynamic map

The problem is that this is a site-to-site VPN, so I don't understand why I would need the dynamic map.

I did google this issue and had a look in these forums prior to posting but didn't have any luck finding an answer.

I'm not really sure what I will need to provide to help resolve this as I am still learning the PIX commands and don't really have anyone to guide me, so please let me know if you need further info.

Thanks,

Mark

2 REPLIES
New Member

Re: Unable to add ipsec-isakmp to a crypto map on PIX515

This is what I have been trying to add:

name 203.2.2.2 toll_melb_peer

name 10.66.66.1 toll_pythia_db

name 10.64.47.58 toll_P6dov-pr7_tx

name 10.64.47.66 toll_P6dov-tst7_tx

object-group network toll_hosts

desc Toll hosts

network-object host toll_pythia_db

network-object host toll_P6dov-pr7_tx

network-object host toll_P6dov-tst7_tx

object-group network toll_ecn_nat_hosts

desc Toll IPs to NAT NS LAN to

network-object 172.25.232.0 255.255.255.248

object-group service toll_tcp_ports tcp

description Allowed TCP ports to toll

port-object eq 22

port-object eq 161

port-object eq 162

access-list inside_nat0_outbound extended permit tcp object-group toll_ecn_nat_hosts object-group toll_hosts

access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts eq ssh object-group toll_hosts

access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts eq 1521 host toll_pythia_db

access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts host toll_P6dov-pr7_tx object-group toll_tcp_ports

access-list outside_cryptomap_60 extended permit tcp object-group toll_ecn_nat_hosts host toll_P6dov-tst7_tx object-group toll_tcp_ports

access-list outside_cryptomap_60 extended permit tcp NS_LAN 255.255.252.0 object-group toll_hosts

access-list toll-ecn-nat extended permit tcp NS_LAN 255.255.252.0 object-group toll_hosts

global (outside) 8 172.25.232.0 netmask 255.255.255.248

nat (inside) 8 access-list toll-ecn-nat

crypto map outside_map 60 set peer toll_melb_peer

crypto map outside_map 60 match address outside_cryptomap_60

crypto map outside_map 60 set pfs group2

crypto map outside_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 60 set security-association lifetime seconds 86400

crypto isakmp key pskgoeshere address 203.2.2.2 netmask 255.255.255.255

There are already a few VPNs set up, and an existing isakmp policy this will be able to use.

New Member

Re: Unable to add ipsec-isakmp to a crypto map on PIX515

It looks like you're using OS 7 or higher for the PIX.

Try:

crypto map outside_map 60 set peer {peer}

crypto map outside_map 60 set transform-set {transform}

crypto map outside_map 60 match address {access list}
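
An added example (not from the thread or from Cisco): a small Python check over pasted configuration that reports, for each crypto map entry, which of the three statements listed in the reply above are missing, and whether the bare ipsec-isakmp line that the parser rejected in the original post is present. The function name, report format and sample configuration are constructed for illustration.

```python
import re
from collections import defaultdict

# Statements the reply above lists for a static (site-to-site) entry.
REQUIRED = ("set peer", "set transform-set", "match address")
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

# Constructed sample configuration (addresses and names are illustrative).
SAMPLE = """\
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 set peer 192.0.2.10
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 60 set peer toll_melb_peer
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set pfs group2
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

def audit_crypto_maps(config_text):
    """Return {(map_name, seq): {"missing": [...], "legacy": bool}}."""
    seen = defaultdict(set)   # statements found per entry
    legacy, dynamic = set(), set()
    for raw in config_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue          # not a numbered entry, e.g. the interface binding
        key = (m.group(1), int(m.group(2)))
        rest = m.group(3)
        seen[key]             # register the entry even if nothing else matches
        if rest.startswith("ipsec-isakmp"):
            # Only the "dynamic" form is offered by the CLI help in the post.
            (dynamic if rest.split()[1:2] == ["dynamic"] else legacy).add(key)
            continue
        for stmt in REQUIRED:
            if rest.startswith(stmt + " "):
                seen[key].add(stmt)
    report = {}
    for key, stmts in seen.items():
        # Dynamic entries take their settings from the referenced dynamic map.
        missing = [] if key in dynamic else [s for s in REQUIRED if s not in stmts]
        report[key] = {"missing": missing, "legacy": key in legacy}
    return report

if __name__ == "__main__":
    for entry, result in sorted(audit_crypto_maps(SAMPLE).items()):
        print(entry, result)
```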
