VPN on ASA - No Matching Crypto Map Entry

Hello,

I am attempting to set up VPN on a Cisco Pix 515e with "Cisco PIX Security Appliance Software Version 7.2(2)".

When I attempt to connect via the Cisco VPN Client I get the following error message in the Real-Time Log Viewer and the VPN connection is dumped:

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.1.1.6/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

I am kind of new to this and I have been spinning my wheels on this for a couple of days without success. Any help on this would be greatly appreciated.

Here is my config:

: Saved
:
PIX Version 7.2(2)
!
hostname Pix
domain-name [DomainName].com
enable password [removed] encrypted
names
name 10.1.1.7 Athena.[DomainName].com description
name 10.1.1.2 Hades.[DomainName].com description
name 10.1.1.20 cam01.[DomainName].com description
name 10.1.1.21 cam02.[DomainName].com description
name 10.1.1.22 cam03.[DomainName].com description
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.69 255.255.0.0
!
passwd [removed] encrypted
boot system flash:/
boot system flash:/pix722.bin
ftp mode passive
clock timezone cst -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name [DomainName].com
object-group service HTTP_and_HTTPS tcp
 port-object eq www
 port-object eq https
object-group service CameraPorts tcp
 port-object range 6969 6971
access-list inbound extended permit icmp any any echo-reply
access-list inbound remark This ACL is used to allow HTTP traffic on port 80 to Athena.[DomainName].com
access-list inbound extended permit tcp any any object-group HTTP_and_HTTPS
access-list inbound remark This ACL is used to allow RDP traffic on port 3389 to Athena.[DomainName].com
access-list inbound extended permit tcp any any eq 3389
access-list inbound extended permit tcp any any eq 4135
access-list inbound extended permit tcp any any object-group CameraPorts
access-list inside_outbound_nat0_acl extended permit ip any 10.1.1.192 255.255.255.224
access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.192 255.255.255.224
pager lines 24
logging enable
logging console errors
logging monitor errors
logging buffered errors
logging trap debugging
logging asdm warnings
logging mail emergencies
logging from-address [removed]@[DomainName].com
logging recipient-address [removed]@[DomainName].com level errors
logging permit-hostdown
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Attack attack action drop
ip audit interface outside Attack
ip audit interface inside Attack
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.1.1.0 255.255.255.0
static (inside,outside) tcp interface www Athena.[DomainName].com www netmask 255.255.255.255
static (inside,outside) tcp interface https Athena.[DomainName].com https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Athena.[DomainName].com 3389 netmask 255.255.255.255 tcp 2 0
static (inside,outside) tcp interface 6969 cam01.[DomainName].com 6969 netmask 255.255.255.255
static (inside,outside) tcp interface 6970 cam02.[DomainName].com 6970 netmask 255.255.255.255
static (inside,outside) tcp interface 6971 cam03.[DomainName].com 6971 netmask 255.255.255.255
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SG[Removed] protocol nt
aaa-server SG[Removed] host Athena.[DomainName].com
 nt-auth-domain-controller 10.1.1.7
group-policy [DomainName] internal
group-policy [DomainName] attributes
 banner value This computer network is the property of [DomainName] Inc.. Only authorized users may access this system.
 banner value
 banner value Unauthorized access will be investigated and penalties will be pursued in conformance with applicable laws and regulations.
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value [DomainName].com
username mharrison password [removed] encrypted
aaa local authentication attempts max-fail 5
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group [DomainName] type ipsec-ra
tunnel-group [DomainName] general-attributes
 default-group-policy [DomainName]
 dhcp-server Athena.[DomainName].com
tunnel-group [DomainName] ipsec-attributes
 pre-shared-key *
tunnel-group [DomainName] ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 60
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
smtp-server 10.1.1.7
prompt hostname context
Cryptochecksum:82ac5d8fd8c8c1d645306c964fe2e62a
: end
asdm image flash:/asdm-522.bin
asdm location 0.0.0.0 255.255.255.255 outside
asdm location 10.1.1.0 255.255.255.0 inside
asdm location 10.1.0.0 255.255.0.0 inside
asdm location 10.1.1.0 255.255.255.255 inside
asdm location Athena.[DomainName].com 255.255.255.255 inside
asdm history enable
uberGeekk

Is that the same transform map that the 501 is using? ESP 3DES SHA is usually preferable to ESP 3DES MD5 (there are birthday attacks against MD5).

Your incoming IP in the log file is 10.1.1.6, but the ACLs for the crypto dynamic map match 10.1.1.192-10.1.1.223. Thus the dynamic map does not match, and nothing else does either.

Walter Roberson
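To make the proxy-identity mismatch above concrete, here is an added Python check (my own example, not from the thread or from Cisco) that parses the PIX reject message and the dynamic map's match-address ACE and reports whether the proposed proxies fall inside it; the log line and ACE are constructed here to mirror the ones posted in the thread.

```python
import ipaddress
import re

# Constructed sample input mirroring the reject message and the crypto ACL
# from the posted config (assembled here, not captured from the device).
LOG_LINE = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
            "10.1.1.6/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")
CRYPTO_ACL = "access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.192 255.255.255.224"

PROXY_RE = re.compile(r"remote proxy (?P<r>[\d.]+/[\d.]+)/\d+/\d+ local proxy (?P<l>[\d.]+/[\d.]+)/\d+/\d+")
ACL_RE = re.compile(r"access-list (?P<name>\S+) extended permit ip (?P<src>any|[\d.]+ [\d.]+) (?P<dst>any|[\d.]+ [\d.]+)")


def to_network(spec):
    # 'any', 'addr/netmask' or 'addr netmask' -> ipaddress network object
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec.replace(" ", "/"), strict=False)


def parse_proxies(log_line):
    # Proxy IDs the peer proposed: remote = client side, local = firewall side
    m = PROXY_RE.search(log_line)
    if not m:
        raise ValueError("not a 'no matching crypto map entry' message")
    return to_network(m["r"]), to_network(m["l"])


def parse_crypto_acl(ace):
    # In a crypto ACL the source is the local (inside) side, destination the remote side
    m = ACL_RE.search(ace)
    if not m:
        raise ValueError("unsupported ACE format")
    return m["name"], to_network(m["src"]), to_network(m["dst"])


def proxy_matches(log_line, ace):
    # A dynamic map entry matches only when both proposed proxies fall inside
    # the corresponding halves of its 'match address' ACE
    remote_proxy, local_proxy = parse_proxies(log_line)
    _, local_net, remote_net = parse_crypto_acl(ace)
    return remote_proxy.subnet_of(remote_net) and local_proxy.subnet_of(local_net)


def diagnose(log_line, ace):
    remote_proxy, _ = parse_proxies(log_line)
    name, _, remote_net = parse_crypto_acl(ace)
    if proxy_matches(log_line, ace):
        return f"{name} covers {remote_proxy}"
    return f"{name} expects remote {remote_net}, client proposed {remote_proxy}"
```

Running diagnose(LOG_LINE, CRYPTO_ACL) reports that the ACE expects a remote side of 10.1.1.192/27 while the client proposed 10.1.1.6/32, which is exactly the gap the reject message describes.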

tsoojoo8888
