VPN on ASA - No Matching Crypto Map Entry


Hello,

I am attempting to set up VPN on a Cisco Pix 515e with "Cisco PIX
Security Appliance Software Version 7.2(2)".

When I attempt to connect via the Cisco VPN Client I get the following
error message in the Real-Time Log Viewer and the VPN connection is
dumped:

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.1.1.6/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

I am kind of new to this and I have been spinning my wheels on this
for a couple of days without success. Any help on this would be
greatly appreciated.

Here is my config:

: Saved
:
PIX Version 7.2(2)
!
hostname Pix
domain-name [DomainName].com
enable password [removed] encrypted
names
name 10.1.1.7 Athena.[DomainName].com description
name 10.1.1.2 Hades.[DomainName].com description
name 10.1.1.20 cam01.[DomainName].com description
name 10.1.1.21 cam02.[DomainName].com description
name 10.1.1.22 cam03.[DomainName].com description
dns-guard
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.69 255.255.0.0
!
passwd [removed] encrypted
boot system flash:/
boot system flash:/pix722.bin
ftp mode passive
clock timezone cst -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name [DomainName].com
object-group service HTTP_and_HTTPS tcp
 port-object eq www
 port-object eq https
object-group service CameraPorts tcp
 port-object range 6969 6971
access-list inbound extended permit icmp any any echo-reply
access-list inbound remark This ACL is used to allow HTTP traffic on port 80 to Athena.[DomainName].com
access-list inbound extended permit tcp any any object-group HTTP_and_HTTPS
access-list inbound remark This ACL is used to allow RDP traffic on port 3389 to Athena.[DomainName].com
access-list inbound extended permit tcp any any eq 3389
access-list inbound extended permit tcp any any eq 4135
access-list inbound extended permit tcp any any object-group CameraPorts
access-list inside_outbound_nat0_acl extended permit ip any 10.1.1.192 255.255.255.224
access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.192 255.255.255.224
pager lines 24
logging enable
logging console errors
logging monitor errors
logging buffered errors
logging trap debugging
logging asdm warnings
logging mail emergencies
logging from-address [removed]@[DomainName].com
logging recipient-address [removed]@[DomainName].com level errors
logging permit-hostdown
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Attack attack action drop
ip audit interface outside Attack
ip audit interface inside Attack
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.1.1.0 255.255.255.0
static (inside,outside) tcp interface www Athena.[DomainName].com www netmask 255.255.255.255
static (inside,outside) tcp interface https Athena.[DomainName].com https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Athena.[DomainName].com 3389 netmask 255.255.255.255 tcp 2 0
static (inside,outside) tcp interface 6969 cam01.[DomainName].com 6969 netmask 255.255.255.255
static (inside,outside) tcp interface 6970 cam02.[DomainName].com 6970 netmask 255.255.255.255
static (inside,outside) tcp interface 6971 cam03.[DomainName].com 6971 netmask 255.255.255.255
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SG[Removed] protocol nt
aaa-server SG[Removed] host Athena.[DomainName].com
 nt-auth-domain-controller 10.1.1.7
group-policy [DomainName] internal
group-policy [DomainName] attributes
 banner value This computer network is the property of [DomainName] Inc.. Only authorized users may access this system.
 banner value
 banner value Unauthorized access will be investigated and penalties will be pursued in conformance with applicable laws and regulations.
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value [DomainName].com
username mharrison password [removed] encrypted
aaa local authentication attempts max-fail 5
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group [DomainName] type ipsec-ra
tunnel-group [DomainName] general-attributes
 default-group-policy [DomainName]
 dhcp-server Athena.[DomainName].com
tunnel-group [DomainName] ipsec-attributes
 pre-shared-key *
tunnel-group [DomainName] ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 60
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect netbios
  inspect pptp
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
smtp-server 10.1.1.7
prompt hostname context
Cryptochecksum:82ac5d8fd8c8c1d645306c964fe2e62a
: end
asdm image flash:/asdm-522.bin
asdm location 0.0.0.0 255.255.255.255 outside
asdm location 10.1.1.0 255.255.255.0 inside
asdm location 10.1.0.0 255.255.0.0 inside
asdm location 10.1.1.0 255.255.255.255 inside
asdm location Athena.[DomainName].com 255.255.255.255 inside
asdm history enable


Re: VPN on ASA - No Matching Crypto Map Entry
Is that the same transform map that the 501 is using?
ESP 3DES SHA is usually preferable to ESP 3DES MD5 (there are
birthday attacks against MD5)
Your incoming IP in the log file is 10.1.1.6, but the ACLs for
the crypto dynamic map match 10.1.1.192-10.1.1.223. Thus
the dynamic map does not match, and nothing else does either.
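The mismatch described in the reply above, worked through in code as an added example (it is not from the original post or from the replier): the script parses the PIX rejection message into its two proxy IDs, parses the dynamic map's match-address ACL, and applies the rule the PIX applies, namely that the peer's proposed local proxy must fall inside an ACE's source and its remote proxy inside that ACE's destination. The syslog line and the ACL entry are copied from the post as constructed sample input; the alternative ACL covering 10.1.1.0/24 (an assumed pool that would contain the address the client was handed, 10.1.1.6) and the "no match address" case are assumptions used only to show what would have been accepted.

```python
"""
Model the PIX/ASA 7.x dynamic-crypto-map proxy-ID check that produces
"no matching crypto map entry for remote proxy ... local proxy ...".
Added example; the sample inputs below are constructed from the thread's
post, not pulled from a live device.
"""
import ipaddress
import re

# Constructed sample input: the rejection message and the match-address ACL
# exactly as they appear in the original post.
SYSLOG_LINE = (
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "10.1.1.6/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside"
)
CRYPTO_ACL = [
    "access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.192 255.255.255.224",
]

# Proxy IDs are logged as ADDR/MASK/PROTOCOL/PORT for the remote and local side.
PROXY_RE = re.compile(
    r"remote proxy ([\d.]+)/([\d.]+)/(\d+)/(\d+) local proxy ([\d.]+)/([\d.]+)/(\d+)/(\d+)"
)


def parse_proxy_ids(line):
    """Return (remote, local) as ip_network objects from the rejection message."""
    m = PROXY_RE.search(line)
    if not m:
        raise ValueError("not a proxy-ID rejection message")
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(5)}/{m.group(6)}", strict=False)
    return remote, local


def _take_addr(toks):
    """Consume one ACE address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if not toks:
        raise ValueError("truncated ACE")
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(f"{toks[1]}/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into (src, dst).
    Only 'permit ip' entries are modelled; remarks and deny entries yield None."""
    toks = line.split()
    if "remark" in toks or "permit" not in toks:
        return None
    i = toks.index("permit")
    if i + 1 >= len(toks) or toks[i + 1] != "ip":
        return None
    src, rest = _take_addr(toks[i + 2:])
    dst, _ = _take_addr(rest)
    return src, dst


def parse_acl(lines):
    return [ace for ace in (parse_ace(l) for l in lines) if ace is not None]


def proxies_accepted(local, remote, aces):
    """Dynamic-map rule: with 'match address' configured, the client's local
    proxy must fit inside an ACE source and its remote proxy inside that ACE's
    destination.  A dynamic map entry with no 'match address' line (aces is
    None) accepts whatever proxy IDs the remote-access client proposes."""
    if aces is None:
        return True
    return any(local.subnet_of(src) and remote.subnet_of(dst) for src, dst in aces)


def diagnose(syslog_line, acl_lines):
    """Return the parsed proxy IDs and whether the given ACL would accept them."""
    remote, local = parse_proxy_ids(syslog_line)
    aces = parse_acl(acl_lines) if acl_lines is not None else None
    return {"remote": str(remote), "local": str(local), "accepted": proxies_accepted(local, remote, aces)}


if __name__ == "__main__":
    # 1. The ACL from the post: 10.1.1.6 is outside 10.1.1.192/27, so it is rejected.
    print(diagnose(SYSLOG_LINE, CRYPTO_ACL))
    # 2. Assumed ACL whose destination covers the address the client was handed.
    print(diagnose(SYSLOG_LINE, ["access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.0 255.255.255.0"]))
    # 3. Dynamic map entry with no 'match address' line at all.
    print(diagnose(SYSLOG_LINE, None))
```

Running it prints the verdict for the three cases: rejected for the posted ACL, accepted for the wider ACL, accepted with no match-address line. That reflects the two usual ways to clear this error on a 7.x dynamic map used for remote-access clients: remove the `match address` line from the dynamic map entry, or make that ACL (and the nat 0 ACL that exempts client traffic from NAT) cover the addresses the client pool or DHCP server actually hands out.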

Re: VPN on ASA - No Matching Crypto Map Entry
On Thursday, October 25, 2007 at 4:31:50 AM UTC+8, uber...@gmail.com wrote: