VPN on ASA - No Matching Crypto Map Entry



I am attempting to set up VPN on a Cisco Pix 515e with "Cisco PIX
Security Appliance Software Version 7.2(2)".

When I attempt to connect via the Cisco VPN Client I get the following
error message in the Real-Time Log Viewer and the VPN connection is

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy local proxy on interface outside

I am kind of new to this and I have been spinning my wheels on this
for a couple of days without success. Any help on this would be
greatly appreciated.

Here is my config:

: Saved
PIX Version 7.2(2)
hostname Pix
domain-name [DomainName].com
enable password [removed] encrypted
name Athena.[DomainName].com description
name Hades.[DomainName].com description
name cam01.[DomainName].com description
name cam02.[DomainName].com description
name cam03.[DomainName].com description
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet1
 nameif inside
 security-level 100
 ip address
passwd [removed] encrypted
boot system flash:/
boot system flash:/pix722.bin
ftp mode passive
clock timezone cst -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name [DomainName].com
object-group service HTTP_and_HTTPS tcp
 port-object eq www
 port-object eq https
object-group service CameraPorts tcp
 port-object range 6969 6971
access-list inbound extended permit icmp any any echo-reply
access-list inbound remark This ACL is used to allow HTTP traffic on port 80 to Athena.[DomainName].com
access-list inbound extended permit tcp any any object-group
access-list inbound remark This ACL is used to allow RDP traffic on port 3389 to Athena.[DomainName].com
access-list inbound extended permit tcp any any eq 3389
access-list inbound extended permit tcp any any eq 4135
access-list inbound extended permit tcp any any object-group
access-list inside_outbound_nat0_acl extended permit ip any
access-list outside_cryptomap_dyn_20 extended permit ip any
pager lines 24
logging enable
logging console errors
logging monitor errors
logging buffered errors
logging trap debugging
logging asdm warnings
logging mail emergencies
logging from-address [removed]@[DomainName].com
logging recipient-address [removed]@[DomainName].com level errors
logging permit-hostdown
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Attack attack action drop
ip audit interface outside Attack
ip audit interface inside Attack
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1
static (inside,outside) tcp interface www Athena.[DomainName].com www
static (inside,outside) tcp interface https Athena.[DomainName].com https netmask
static (inside,outside) tcp interface 3389 Athena.[DomainName].com 3389 netmask tcp 2 0
static (inside,outside) tcp interface 6969 cam01.[DomainName].com 6969
static (inside,outside) tcp interface 6970 cam02.[DomainName].com 6970
static (inside,outside) tcp interface 6971 cam03.[DomainName].com 6971
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SG[Removed] protocol nt
aaa-server SG[Removed] host Athena.[DomainName].com
group-policy [DomainName] internal
group-policy [DomainName] attributes
 banner value This computer network is the property of [DomainName] Inc. Only authorized users may access this system.
 banner value
 banner value Unauthorized access will be investigated and penalties will be pursued in conformance with applicable laws and regulations.
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value [DomainName].com
username mharrison password [removed] encrypted
aaa local authentication attempts max-fail 5
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group [DomainName] type ipsec-ra
tunnel-group [DomainName] general-attributes
 default-group-policy [DomainName]
 dhcp-server Athena.[DomainName].com
tunnel-group [DomainName] ipsec-attributes
 pre-shared-key *
tunnel-group [DomainName] ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
telnet inside
telnet timeout 60
ssh inside
ssh timeout 5
ssh version 1
console timeout 0
dhcpd auto_config outside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
: end
asdm image flash:/asdm-522.bin
asdm location outside
asdm location inside
asdm location inside
asdm location inside
asdm location Athena.[DomainName].com inside
asdm history enable

Re: VPN on ASA - No Matching Crypto Map Entry

Is that the same transform map that the 501 is using?
ESP 3DES SHA is usually preferable to ESP 3DES MD5 (there are
birthday attacks against MD5).


Your incoming IP in the log file is, but the ACLs for
the crypto dynamic map match . Thus
the dynamic map does not match, and nothing else does either.
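The mismatch described in the reply above can be checked mechanically. The rejection message carries the two proxy identities the client proposed (its own VPN address as the remote proxy, the networks it wants to reach as the local proxy), and the firewall compares them against the ACL bound to the dynamic map by `match address`. For a Cisco VPN Client the remote proxy is the address the client was just assigned, so the ACL's destination side must cover the client pool; a dynamic map with no `match address` at all accepts any proxies, which is the usual remote-access configuration. The script below is an added example written for this thread, not the original poster's or Cisco's code. It assumes the syslog text has the form `remote proxy ADDR/MASK/PROTO/PORT local proxy ADDR/MASK/PROTO/PORT on interface NAME` (the thread's copy has the addresses stripped), netmask-style ACL addresses as on PIX 7.x, and models the firewall's check as "both proxies fall inside the first ACE that covers them". The config excerpt, the message ID, the pool 192.168.100.0/24 and the log line are constructed for the example.

```python
"""Check the proxy identities from a PIX/ASA 'no matching crypto map entry'
rejection against the ACL bound to the dynamic crypto map.

Added example for this thread, not code from the original post. Assumptions:
log text carries proxies as ADDR/MASK/PROTO/PORT, ACL addresses use netmasks
(PIX 7.x style), and a proposal matches when both proxies lie inside an ACE.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REJECT_RE = re.compile(
    r"no matching crypto map entry for remote proxy ([^/\s]+)/([^/\s]+)/[^/\s]+/[^/\s]+ "
    r"local proxy ([^/\s]+)/([^/\s]+)/[^/\s]+/[^/\s]+ on interface (\S+)"
)


@dataclass(frozen=True)
class ProxyIds:
    remote: ipaddress.IPv4Network   # what the peer claims for itself (client address)
    local: ipaddress.IPv4Network    # what the peer wants to reach behind the firewall
    interface: str


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    local: ipaddress.IPv4Network    # ACL source = local side of the tunnel
    remote: ipaddress.IPv4Network   # ACL destination = remote side of the tunnel


def proposal(remote_cidr: str, local_cidr: str, interface: str = "outside") -> ProxyIds:
    """Build a proxy pair by hand, e.g. proposal('192.168.100.7/32', '0.0.0.0/0')."""
    return ProxyIds(ipaddress.IPv4Network(remote_cidr), ipaddress.IPv4Network(local_cidr), interface)


def parse_rejection(line: str) -> Optional[ProxyIds]:
    """Extract the proxies from a rejection line; None for any other message."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    r_ip, r_mask, l_ip, l_mask, iface = m.groups()
    return ProxyIds(ipaddress.IPv4Network(f"{r_ip}/{r_mask}", strict=False),
                    ipaddress.IPv4Network(f"{l_ip}/{l_mask}", strict=False), iface)


def _address(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one ACL address spec: 'any', 'host A' or 'A MASK'; return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def dynamic_map_entries(config: List[str]) -> Dict[Tuple[str, str], Optional[str]]:
    """{(map, seq): acl name or None} for every 'crypto dynamic-map' line seen."""
    entries: Dict[Tuple[str, str], Optional[str]] = {}
    for line in config:
        t = line.split()
        if len(t) < 4 or t[:2] != ["crypto", "dynamic-map"]:
            continue
        key = (t[2], t[3])
        entries.setdefault(key, None)
        if len(t) == 7 and t[4:6] == ["match", "address"]:
            entries[key] = t[6]
    return entries


def parse_crypto_acl(config: List[str], name: str) -> List[Ace]:
    """Ordered 'permit/deny ip SRC DST' entries of one ACL; remark lines are skipped."""
    aces = []
    for line in config:
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"]:
            continue
        if t[4] != "ip":
            raise ValueError(f"unsupported protocol in crypto ACL: {line}")
        local, rest = _address(t[5:])
        remote, _ = _address(rest)
        aces.append(Ace(t[3], local, remote))
    return aces


def matching_ace(aces: List[Ace], ids: ProxyIds) -> Optional[Ace]:
    """First ACE covering both proxies; order matters, so a deny hit ends the search."""
    for ace in aces:
        if ids.local.subnet_of(ace.local) and ids.remote.subnet_of(ace.remote):
            return ace
    return None


def tunnel_accepted(config: List[str], ids: ProxyIds) -> bool:
    """True if some dynamic-map entry accepts the proposal: either it has no
    'match address' (any proxies), or its ACL's first covering ACE is a permit."""
    for acl in dynamic_map_entries(config).values():
        if acl is None:
            return True
        ace = matching_ace(parse_crypto_acl(config, acl), ids)
        if ace is not None and ace.action == "permit":
            return True
    return False


# Constructed running-config excerpt (all addresses are made up for the example).
SAMPLE_CONFIG = """\
access-list outside_cryptomap_dyn_20 remark clients are handed 192.168.100.0/24 by DHCP
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.100.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
""".splitlines()

# Constructed log line in the assumed format: the client was handed 10.55.0.7,
# which the crypto ACL above does not cover.
SAMPLE_LOG = ("%PIX-3-713061: Group = corp, IP = 198.51.100.20, Rejecting IPSec tunnel: "
              "no matching crypto map entry for remote proxy 10.55.0.7/255.255.255.255/0/0 "
              "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")

if __name__ == "__main__":
    ids = parse_rejection(SAMPLE_LOG)
    print(ids, tunnel_accepted(SAMPLE_CONFIG, ids))                                   # False
    print(tunnel_accepted(SAMPLE_CONFIG, proposal("192.168.100.7/32", "0.0.0.0/0")))  # True
    # Dropping 'match address' from the dynamic map accepts any proxies.
    relaxed = [l for l in SAMPLE_CONFIG if "match address" not in l]
    print(tunnel_accepted(relaxed, ids))                                              # True
```

Run it against `show running-config` output and the line from the real-time log viewer: if `tunnel_accepted` is false, either widen the ACL's destination to the subnet the DHCP server (or `ip local pool`) actually hands out, or remove the `match address` from the dynamic-map entry. Whichever you choose, the `nat (inside) 0` exemption ACL has to cover the same client subnet, or the tunnel will build and then fail to pass traffic.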

Re: VPN on ASA - No Matching Crypto Map Entry
On Thursday, October 25, 2007 at 4:31:50 AM UTC+8, uber...@gmail.com wrote:
