Crypto Map on Tunnel interface
Hi guys, when I try to apply a crypto map on a tunnel interface, the debug output is:
(crypto map is configured on tunnel interface. Currently only GDOI crypto map is supported on tunnel interface)
Why can't I apply a simple crypto map on a tunnel interface? Does anyone know?
thanks
This was proven to break CEF in the past and is a bad design choice by default.
Newer releases do not allow you to configure this.
If you're curious if it will work for you check releases prior to 15.x.
M.
Similar Messages
-
One crypto map, different tunnel source addresses (secondary)
Hi,
I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/Tunnel mode). I want to move the 851's configuration to the 2811, and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?
Source IP addresses for IKE for exchanges leaving out of the same physical interface, ie:
crypto map to-peer_a 10 ipsec-isakmp
set peer 10.1.3.1
set local-address loopback1 <-- new command
match address 100
crypto map to-peer_a 20 ipsec-isakmp
set peer 10.1.3.2
set local-address loopback2 <-- new command
match address 101
Current code allows you to specify a local-address for each crypto map only, and not on a per crypto map instance, as suggested above.
-
Crypto Map on Loopback interface or Physical Interface
Dear All,
When we try to apply the crypto map on any physical interface or the loopback interface on WS-6506-E, it shows the error below. But I could apply the same on a VLAN interface. Can anyone explain to me what the issue is?
6506(config)#interface loopback 3
6506(config-if)#crypto map XXXX
ERROR: Crypto Map configuration is not supported on the given interface
Any hardware limitation?
This was proven to break CEF in the past and is a bad design choice by default.
Newer releases do not allow you to configure this.
If you're curious if it will work for you check releases prior to 15.x.
M. -
Hi,
I have read a problem where the VPN between an ISP and ourselves started dropping sessions. I have rebuilt the crypto map and tried to dig deeper into my config and some basic troubleshooting while I await the ISP to respond.
Any ideas?
Thanks Steve
https://supportforums.cisco.com/thread/255085
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution10
5 Jun 13 15:46:25 713904 IP = 209.183.xxx.xxx, Received encrypted packet with no matching SA, dropping
4 Jun 13 15:46:25 113019 Group = 209.183.xxx.xxx, Username = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Removing peer from correlator table failed, no match!
3 Jun 13 15:46:25 713902 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, QM FSM error (P2 struct &0xda90f540, mess id 0x76c09eb7)!
3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5 Jun 13 15:46:25 713119 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, PHASE 1 COMPLETED
6 Jun 13 15:46:25 113009 AAA retrieved default group policy (DfltGrpPolicy) for user = 209.183.xxx.xxx
6 Jun 13 15:46:25 713172 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the internet?
If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
nat (outside) 1 172.16.0.0 255.255.240.0 -
Multiple Crypto Maps on Single Outside Interface
Hi, I had the following crypto map configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
I'm trying now to set up an additional crypto map - a static configuration to establish a tunnel with Windows Azure services. The configuration they gave me is:
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map azure-crypto-map 10 set transform-set azure-ipsec-proposal-set
crypto map azure-crypto-map interface outside
However, when I apply that configuration, my Cisco IPSec clients can no longer connect. I believe my problem is that last line:
crypto map azure-crypto-map interface outside
which blows away my original line:
crypto map outside_map interface outside
It seems I'm stuck with picking just one of the maps to apply to the outside interface. Is there a way to apply both of these maps to the outside interface to allow both IPSec tunnels to be created? We're running ASA version 8.4(7)3.
Hi,
You can use the same "crypto map"
Just add
crypto map outside_map 10 match address azure-vpn-acl
crypto map outside_map 10 set peer XXX.XXX.XXX.XXX (obfuscated)
crypto map outside_map 10 set transform-set azure-ipsec-proposal-set
Your dynamic VPN Clients will continue to work just fine, as their "crypto map" statements have the lowest priority/order in the "crypto map" configuration (65535) and the L2L VPN is higher (10).
What I mean by the above is that when an L2L VPN connection is formed from the remote end, it will naturally match the L2L VPN configuration you have in the "crypto map" entries using the number "10". Then, when a VPN Client connects, it will naturally not match the number "10" specific configuration and will move on to the next entry and match it (65535).
If you happen to configure a new L2L VPN connection, you could give it the number "11", for example, and everything would still be fine.
Hope this helps
- Jouni -
Can I enter crypto map command on an ethernet interface(LAN)
Hi Friends,
I am establishing a VPN tunnel through the Internet. I have the public address configured on the Ethernet interface of the router connecting the LAN. Can I bind the crypto map command to this inside interface and establish the VPN connectivity from this interface? Please help me by providing the knowledge.
Your crypto map must be bound to the outside interface,
but you can choose which IP to use
http://www.cisco.com/en/US/docs/ios/mwpdsn/command/reference/mwp_02.html#wp1014299
[Pls RATE if HELPS] -
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy
Hi!
I have already searched for this but didn't get the exact answer I'm looking for, so I'm asking again (in case the same question already exists).
I'm in the process of migrating some VPN tunnels from a Cisco router to an ASA; everything will stay the same except the peering IP address. However, some of the tunnels are being torn down because the peer requests a proxy that doesn't match the one configured on our side. The remote peer said there was no such issue on the previous platform, but now they need to reset the tunnel from time to time.
Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.226/255.255.255.255/0/0 local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, QM FSM error (P2 struct &0x745e9150, mess id 0x8d7ad777)!
Apr 18 2013 07:29:10 asa002 : %ASA-3-713902: Group = 192.168.1.226, IP = 192.168.1.226, Removing peer from correlator table failed, no match!
The remote peer said they did not change the proxy ID on their side, so possibly the old platform simply did not set up the SA, without tearing down the tunnel, while the ASA on the new platform tears down the tunnel if there is any mismatch.
Anyway, I have requested the remote side to remove those unmatched entries to avoid the tunnel being torn down, but is there any configuration related to this issue? I.e., just bring up the SA with matched addresses and ignore the others, instead of tearing down the tunnel.
Thanks!!
//Cody
Are you trying to send traffic destined towards the internet from 172.16.0.0/20 via this ASA as well? Why? Are you inspecting that traffic before it is sent out to the internet?
If so, this end also needs to be configured with "any" as well --> crypto ACL needs to mirror image.
access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0
Then you also need NAT on the outside interface, otherwise, traffic from 172.16.0.0/20 is not PATed to a public IP, and won't be able to reach the internet:
nat (outside) 1 172.16.0.0 255.255.240.0 -
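The proxy-identity comparison behind the 713061 messages in this thread and in the VPN-drop thread further up, as an added example (not code from any poster or from Cisco). It parses the logged remote/local proxy pair and reports whether a crypto ACL entry is its exact mirror; the function names are made up for illustration, the first ACL line is the one from the answer, and the second is constructed for contrast.

```python
import ipaddress
import re

# Log lines as posted in the two threads above.
LOGS = [
    "3 Jun 13 15:46:25 713061 Group = 209.183.xxx.xxx, IP = 209.183.xxx.xxx, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "172.16.0.0/255.255.240.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside",
    "Apr 18 2013 07:29:10 asa002 : %ASA-3-713061: Group = 192.168.1.226, "
    "IP = 192.168.1.226, Rejecting IPSec tunnel: no matching crypto map entry for "
    "remote proxy 192.168.1.226/255.255.255.255/0/0 "
    "local proxy 10.10.9.81/255.255.255.255/0/0 on interface outside",
]
# Crypto ACL line given in the answer.
ACL_FROM_ANSWER = (
    "access-list outside_1_cryptomap extended permit ip any 172.16.0.0 255.255.240.0")
# Constructed "before" entry: the poster's original crypto ACL is not on the page.
ACL_CONSTRUCTED = (
    "access-list outside_1_cryptomap extended permit ip "
    "10.0.0.0 255.255.255.0 172.16.0.0 255.255.240.0")

PROXY_RE = re.compile(
    r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ "
    r"local proxy ([\d.]+)/([\d.]+)/\d+/\d+ on interface (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def network(addr, mask):
    """Build a network from an address and a dotted netmask (0.0.0.0 means /0)."""
    prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def take_operand(tokens):
    """Consume one ACL operand: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return network("0.0.0.0", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        return network(tokens[1], "255.255.255.255"), tokens[2:]
    return network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Return (acl_name, local_net, remote_net); source is local, destination remote."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    local, rest = take_operand(m.group(2).split())
    remote, _ = take_operand(rest)
    return m.group(1), local, remote


def as_operand(net):
    """Render a network back into ACL operand syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def check_proposal(log_line, acl_lines):
    """Compare the proxy pair in a 713061 line with local crypto ACL entries."""
    m = PROXY_RE.search(log_line)
    if not m:
        return None
    remote = network(m.group(1), m.group(2))
    local = network(m.group(3), m.group(4))
    aces = [ace for ace in map(parse_ace, acl_lines) if ace]
    return {
        "interface": m.group(5),
        # ACLs holding an entry that is the exact mirror of the peer's proposal.
        "matched_by": [n for n, l, r in aces if l == local and r == remote],
        # The local-side entry that would mirror the proposal; whether such an
        # entry belongs in the ACL is a policy decision, not a parsing one.
        "mirror_ace": f"permit ip {as_operand(local)} {as_operand(remote)}",
    }


if __name__ == "__main__":
    for log in LOGS:
        for acl in (ACL_CONSTRUCTED, ACL_FROM_ANSWER):
            print(check_proposal(log, [acl]))
```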
Which interface does "crypto map vpn" get assigned to?
I'm setting up a site to site vpn and have been reading some examples, but my 871 uses a vlan so it confuses me a bit. Do I assign the statement crypto map vpn to the vlan1 interface or fe4 which is my WAN side.
Sander
If we knew more about your environment we might be able to give better answers. In general the crypto map is assigned to the outbound layer 3 interface. But I can not tell from your description whether fe4 or VLAN 1 is the outbound layer 3 interface. Does fe4 have an IP configured on it? If so then perhaps it is the outbound layer 3 interface and gets the crypto map. Or perhaps VLAN 1 is the outbound layer 3 interface and gets the crypto map.
If this helps you figure it out that is good. Otherwise perhaps you can provide some clarification of the environment.
HTH
Rick
Sent from Cisco Technical Support iPhone App -
"Crypto map" to inside/internal interface. Possible?
Hi, I have two routers on a point-to-point VPN where the "Crypto Map" statement is assigned to the external interface as normal. This works fine, but I need each router to present a different IP address to that of the external interface.
For example:
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 4.4.4.4 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 4.4.4.4
set transform-set 3des
match address vpn
interface FastEthernet0/0
ip address 4.4.4.4 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 10
full-duplex
no cdp enable
crypto map VPN
interface FastEthernet0/1
ip address 8.8.8.8 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
Instead of the "4.4.4.4" being presented to the other side of the VPN, I need the 8.8.8.8 to be presented. I've tried just changing the Crypto statements as below but it still presents the 4.4.4.4 probably due to the interface the Crypto map is applied
crypto isakmp policy 1
encr 3des
authentication pre-share
lifetime 3600
crypto isakmp key privatekey address 8.8.8.8 no-xauth
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
crypto map VPN 1 ipsec-isakmp
set peer 8.8.8.8
set transform-set 3des
match address vpn
How can I make sure that 8.8.8.8 is what's presented at the other end?
Thanks
Andy
Hi Andy,
I would suggest the following command:
crypto map local-address
http://tools.cisco.com/squish/9c85B
To specify and name an identifying interface to be used by the crypto map for IPSec traffic, use the crypto map local-address command in global configuration mode. To remove this command from the configuration, use the no form of this command.
crypto map map-name local-address interface-id
no crypto map map-name local-address
Example:
interface loopback0
ip address 4.2.2.2 255.255.255.252
crypto map mymap local-address loopback0
interface S0
crypto map mymap
Of course you need to make sure the remote end can reach this additional IP address.
Let me know if you have any questions.
Please rate any post that you find useful. -
PING is unavailable after CRYPTO MAP on interface
Hi guys,
I have problem with ping to public IP of my router (Cisco 2801) I checked all my ACLs but only when I remove crypto map from interface PING is going well.
interface FastEthernet0/0
description ---LAN---$FW_INSIDE$
ip address 192.168.28.31 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description ---WAN---$FW_OUTSIDE$$ES_LAN$
ip address 109.68.238.175 255.255.255.224
ip access-group 104 in
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed 10
crypto map MAIN
and crypto map MAIN
crypto map MAIN 1 ipsec-isakmp
description a1
set peer 180.94.84.177
set peer 180.94.84.181
set transform-set a1
match address a1
crypto map MAIN 2 ipsec-isakmp
description a2
set peer 67.159.45.250
set transform-set a2
match address a2
and ACLs for this MAIN crypto
ip access-list extended a1
remark CCP_ACL Category=4
permit ip host 192.168.28.31 host 10.150.82.43
permit ip host 192.168.28.30 host 10.150.82.43
permit ip host 192.168.28.31 host 10.150.82.73
permit ip host 192.168.28.30 host 10.150.82.73
permit icmp any any
ip access-list extended a2
remark CCP_ACL Category=20
permit ip host 192.168.28.31 host 67.159.51.2
permit ip host 192.168.28.30 host 67.159.51.2
permit ip host 192.168.28.31 host 67.159.51.14
permit ip host 192.168.28.30 host 67.159.51.14
permit ip host 192.168.28.31 host 67.159.51.10
permit ip host 192.168.28.30 host 67.159.51.10
permit icmp any any
ACL for inbound in WAN interface
access-list 104 remark CCP_ACL Category=17
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.177 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.177 host 109.68.238.175
access-list 104 permit ip host 67.159.51.10 host 192.168.28.30
access-list 104 permit ip host 67.159.51.10 host 192.168.28.31
access-list 104 permit ip host 67.159.51.14 host 192.168.28.30
access-list 104 permit ip host 67.159.51.14 host 192.168.28.31
access-list 104 permit ip host 67.159.51.2 host 192.168.28.30
access-list 104 permit ip host 67.159.51.2 host 192.168.28.31
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 180.94.84.181 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ahp host 180.94.84.181 host 109.68.238.175
access-list 104 permit ip host 10.150.82.73 host 192.168.28.30
access-list 104 permit ip host 10.150.82.73 host 192.168.28.31
access-list 104 permit ip host 10.150.82.43 host 192.168.28.30
access-list 104 permit ip host 10.150.82.43 host 192.168.28.31
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq non500-isakmp
access-list 104 permit udp host 67.159.45.250 host 109.68.238.175 eq isakmp
access-list 104 permit esp host 67.159.45.250 host 109.68.238.175
access-list 104 permit ahp host 67.159.45.250 host 109.68.238.175
access-list 104 permit icmp any any
access-list 104 permit esp any host 67.159.45.250
access-list 104 permit udp any host 67.159.45.250 eq non500-isakmp
access-list 104 permit udp any host 67.159.45.250 eq isakmp
access-list 104 permit ahp any host 67.159.45.250
Please show me where the problem is in my configs. I tried changing my config several times but the problem still exists.
Nik
As far as I know the technically correct answer to your question is Yes you can configure a crypto map on the inside interface. But it leads to a question of why would you want to do that? The function of the crypto map is to provide IPSec protection services to traffic passing through that interface. Why would you want IPSec on traffic going through your inside interface?
I am also puzzled by the partial config that you posted. Why do you have the internal "private" network and the Internet reachable network as primary and secondary on the same interface?
HTH
Rick -
Policy-map on tunnel or physical interface?
Hi all,
I have a 3800 headend router which has a number of ipsec tunnels to remote office sites. Our current QoS design applies a policy-map to each tunnel interface to prioritise and shape outbound traffic.
My question is how does the physical egress interface queue and transmit traffic from tunnel interfaces with this design? For example, if a mixture of large data packets and voice packets from different tunnel interfaces hit the physical interface around the same time what will happen to the voice packets?
Furthermore, would it be a better to apply the policy-map to the physical interface instead of the tunnel interfaces? What advantages if any would this bring?
Many thanks.
If you're shaping each tunnel to the outbound physical bandwidth, yes it would be better to just have the policy, without any shaping, on the physical interface. Again, you will either need to depend on a copied ToS value in the outbound packet or use qos pre-classify. (A single physical policy would be much like your QUEUE_DATA if using qos pre-classify.)
e.g.
!assumes qos-preclassify
interface Ethernet0
service-policy output QUEUE_DATA
What I thought you might be doing, and you could also do, was shape each tunnel to the far side's ingress bandwidth. This would require a distinct policy, if the shaper values change, for every tunnel interface, or a policy on the physical interface that has a class per tunnel (matches against tunnel destination address).
e.g.
!assume local outbound interface not oversubscribed
policy-map NESTED_QOS_512K
class class-default
shape average 512000
service-policy QUEUE_DATA
policy-map NESTED_QOS_768K
class class-default
shape average 768000
service-policy QUEUE_DATA
policy-map NESTED_QOS_1500K
class class-default
shape average 1500000
service-policy QUEUE_DATA
interface Tunnel1
service-policy output NESTED_QOS_768K
interface Tunnel2
service-policy output NESTED_QOS_512K
interface Tunnel3
service-policy output NESTED_QOS_1500K
interface Tunnel4
service-policy output NESTED_QOS_512K
e.g.
!assume local outbound interface not oversubscribed
class-map match-all Tunnel1
match access-group name (ACL that matches tunnel1 destination address)
class-map match-all Tunnel2
match access-group name (ACL that matches tunnel2 destination address)
policy-map outbound_tunnels
class Tunnel1
shape average 768000
service-policy QUEUE_DATA
class Tunnel2
shape average 512000
service-policy QUEUE_DATA
interface Ethernet0
service-policy output outbound_tunnels
If all the far side bandwidths exceed your local outbound physical bandwidth, then you should have both tunnel policies, that shape each tunnel, and a physical interface policy.
e.g.
!assume local outbound interface is oversubscribed
policy-map NESTED_QOS_512K
class class-default
shape average 512000
service-policy QUEUE_DATA
policy-map NESTED_QOS_768K
class class-default
shape average 768000
service-policy QUEUE_DATA
policy-map NESTED_QOS_1500K
class class-default
shape average 1500000
service-policy QUEUE_DATA
interface Tunnel1
service-policy output NESTED_QOS_768K
interface Tunnel2
service-policy output NESTED_QOS_512K
interface Tunnel3
service-policy output NESTED_QOS_1500K
interface Tunnel4
service-policy output NESTED_QOS_512K
!assumes qos-preclassify
interface Ethernet0
service-policy output QUEUE_DATA -
[ERR]crypto map WARNING: This crypto map is incomplete
i have PIX 501 ver6.3(5) when i setup VPN i get this error message
WARNING:This crypto map is incomplete to remedy the situation add a peer and a valid access-list to this crypto map.
although it seems fine in sh conf command
but tunnel is not started
when i review log i found
sa_request,ISAKMP Phase 1 exchange started
i could successfully establish VPN with another FW cisco 501 6.3
but still can't fix my dilemma which i connect to Huawei Eudemon 500
sh isakmp
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP1
access-list inside_outbound_nat0_acl permit ip host internal IP host name remote internal IP2
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP1
access-list outside_cryptomap_100 permit ip host internal IP host remote internal IP2
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map outside_map 100 ipsec-isakmp
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer remote peer
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 3600 kilobytes 1843200
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address remote peer netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
sh crypto map
Crypto Map: "outside_map" interfaces: { outside }
Crypto Map "outside_map" 100 ipsec-isakmp
Peer = remote peer
access-list outside_cryptomap_100; 2 elements
access-list outside_cryptomap_100 line 1 permit ip host 10.102.0.11 host remote internal IP1 (hitcnt=14)
access-list outside_cryptomap_100 line 2 permit ip host 10.102.0.11 host remote internal IP2 (hitcnt=6)
Current peer: remote peer
Security association lifetime: 1843200 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ ESP-3DES-SHA, }
Crypto Map: "set" interfaces: { }
-
Converting crypto map to unnumbered VTI
I'm trying to convert a crypto map VPN to an ip unnumbered VTI. The crypto map has been working for months. The VTI... not so much. Here are the applicable config entries.
### original config
crypto isakmp policy 30
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address 10.1.1.10
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto map CRYPTO 50 ipsec-isakmp
set peer 10.1.1.10
set transform-set 3DES-SHA
set pfs group2
match address VPN1
ip access-list extended VPN1
permit ip host 172.16.16.10 host 10.5.5.1
permit ip host 172.16.16.10 host 10.5.5.4
I only removed the crypto map and added the following.
### New Config
crypto ipsec profile V1
set security-association lifetime seconds 28800
set transform-set 3DES-SHA
set pfs group2
interface Tunnel0
ip unnumbered FastEthernet0/0
ip nat outside
ip virtual-reassembly
tunnel source 172.16.8.1
tunnel destination 10.1.1.10
tunnel mode ipsec ipv4
tunnel protection ipsec profile V1
I keep getting this ISAKMP error now.
ISAKMP:(0:54:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer 10.1.1.10)
Any help would be greatly appreciated. Also... I have no idea what is running on the other end (it's a partner network), but I suspect it's a crypto map on IOS.
Thank you!
Access-lists, FW (ZBF, CBAC) and all other features work on SVTI same way they would work on a physical or other logical interfaces (with very few exceptions).
-
Lose telnet capability after crypto map
Hello,
I have 2 DSL routers setup with a VPN tunnel between them. The VPN works fine. Before setting up the tunnel, I had telnet/SSH access. However, when I apply the crypto map to the Dialer interface, I lose the ability to telnet/SSH to the router. If I remove the VPN setup, I regain the ability to telnet/SSH.
Any thoughts? I was wondering if the fact the Dialer interface is a logical interface is what is causing the problems?
Thanks.
Tony
Here is the config. ACL 120 has permit ip any any but it is referenced by NAT not the Crypto. Crypto references ACL 130. I have seen it posted not to put any any in the Crypto ACLs, perhaps this applies to the NAT as well. I will try changing that one. Anyway, here is the config. Pretty straight-forward.
sh run
Building configuration...
Current configuration : 2927 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Ashtabula
boot-start-marker
boot-end-marker
enable secret 5
no aaa new-model
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool Ash-dhcp
network 192.168.1.0 255.255.255.0
dns-server 166.x.x.11 166.102.165.13
default-router 192.168.1.1
lease 7
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
ip domain name Ashtabula.local
ip name-server 166.102.165.11
ip name-server 166.102.165.13
vpdn enable
username
username
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx no-xauth
crypto ipsec transform-set ToMead esp-3des esp-sha-hmac
crypto map Meadville 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ToMead
match address 130
archive
log config
hidekeys
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 10
bridge-group 10 spanning-disabled
interface Dialer0
ip address yy.yy.yy.yy 255.255.255.252
ip access-group 100 in
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 0 xxxxxxx
ppp ipcp dns request
ppp ipcp address accept
crypto map Meadville
interface Dialer1
no ip address
no cdp enable
interface BVI10
description Bridge to Internal Network
no ip address
ip virtual-reassembly
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan1
ip http server
no ip http secure-server
ip nat inside source list 120 interface Dialer0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip any any
access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxx
login local
scheduler max-task-time 5000
end -
Crypto map entry is incomplete
Hi
This is my config below. The error I am receiving is "crypto map entry is incomplete". Can someone please take a look and let me know? Thank you
ASA(config)# crypto map outside_map 1 match address outside_1_cryptomap
WARNING: The crypto map entry is incomplete!
ASA(config)# show run
: Saved
ASA Version 8.4(4)1
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network net-local
subnet 10.10.10.20 255.255.255.0
object network net-remote
subnet 10.10.3.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.20 255.255.255.0 10.10.3.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (any,any) source static net-local net-local destination static net-remote net-remote
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 96.145.68.82
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.10.22-10.10.10.231 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 81.141.29.69 type ipsec-l2l
tunnel-group 81.141.29.69 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c2b7cdae5eb0961d822f634f2b36d3dc
: end
ASA(config)#
Hi,
You lack a "transform-set" configuration from the "crypto map" line.
For example
Create the IKEv1 Transform set
crypto ipsec ikev1 transform-set AES esp-aes esp-sha-hmac
and
Use it in the VPN configuration
crypto map outside_map 1 set ikev1 transform-set AES
The values of course depend on your own preference
Hope this helps
- Jouni
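A config check for the two crypto map problems in this thread and in the "Multiple Crypto Maps on Single Outside Interface" thread above, as an added example (not code from the posters or from Cisco). It flags an interface that receives more than one "crypto map ... interface" binding and static entries lacking a peer, match address or transform set, then rewrites the competing map into the first one as the answer in that thread suggests; the function names and the sample config are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the ASA lines from the question with the Azure map pasted
# in as supplied, minus its transform-set line so the incomplete-entry case also
# shows. The peer value is the obfuscated one from the post.
SAMPLE_CONFIG = """\
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map azure-crypto-map 10 match address azure-vpn-acl
crypto map azure-crypto-map 10 set peer XXX.XXX.XXX.XXX
crypto map azure-crypto-map interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
# What the warnings quoted on this page ask for in a static entry.
REQUIRED = ("match address", "peer", "transform-set")
PREFIXES = {
    "match address ": "match address",
    "set peer ": "peer",
    "set transform-set ": "transform-set",        # form used in the Azure lines
    "set ikev1 transform-set ": "transform-set",  # form used in the 8.4(4)1 answer
    "ipsec-isakmp dynamic ": "dynamic",
}


def parse(config):
    """Return (entries, bindings): map -> seq -> attributes, interface -> [maps]."""
    entries = defaultdict(lambda: defaultdict(set))
    bindings = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        bind = BIND_RE.match(line)
        if bind:
            bindings[bind.group(2)].append(bind.group(1))
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        attrs = entries[entry.group(1)][int(entry.group(2))]
        for prefix, attr in PREFIXES.items():
            if entry.group(3).startswith(prefix):
                attrs.add(attr)
    return entries, bindings


def lint(config):
    """List binding conflicts first, then incomplete static entries."""
    entries, bindings = parse(config)
    findings = []
    for iface, names in bindings.items():
        if len(set(names)) > 1:
            findings.append(f"interface {iface}: bound to {' then '.join(names)}; "
                            "the later binding replaces the earlier one")
    for name, seqs in entries.items():
        for seq in sorted(seqs):
            if "dynamic" in seqs[seq]:
                continue  # dynamic entries take peer and ACL from the dynamic-map
            missing = [a for a in REQUIRED if a not in seqs[seq]]
            if missing:
                findings.append(f"crypto map {name} {seq}: missing {', '.join(missing)}")
    return findings


def merged_config(config):
    """Fold later-bound maps into the first map bound to each interface."""
    entries, bindings = parse(config)
    rename = {}
    for names in bindings.values():
        keep = names[0]
        for other in names[1:]:
            if other == keep:
                continue
            clash = set(entries[other]) & set(entries[keep])
            if clash:
                raise ValueError(f"sequence numbers {sorted(clash)} used by both "
                                 f"{keep} and {other}; renumber before merging")
            rename[other] = keep
    out = []
    for raw in config.splitlines():
        line = raw.strip()
        bind = BIND_RE.match(line)
        if bind and bind.group(1) in rename:
            continue  # drop the competing interface binding
        entry = ENTRY_RE.match(line)
        if entry and entry.group(1) in rename:
            line = f"crypto map {rename[entry.group(1)]} {entry.group(2)} {entry.group(3)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
    print(merged_config(SAMPLE_CONFIG))
```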