• VPN on ASA - No Matching Crypto Map Entry

    From tsoojoo8888@gmail.com@21:1/5 to uber...@gmail.com on Tue Mar 27 01:34:00 2018
    On Thursday, October 25, 2007 at 4:31:50 AM UTC+8, uber...@gmail.com wrote:
    Hello,

    I am attempting to set up VPN on a Cisco Pix 515e with "Cisco PIX
    Security Appliance Software Version 7.2(2)".

    When I attempt to connect via the Cisco VPN Client I get the following
    error message in the Real-Time Log Viewer and the VPN connection is
    dumped:

    Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.1.1.6/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

    I am kind of new to this and I have been spinning my wheels on this
    for a couple of days without success. Any help on this would be
    greatly appreciated.

    Here is my config:

    : Saved
    :
    PIX Version 7.2(2)
    !
    hostname Pix
    domain-name [DomainName].com
    enable password [removed] encrypted
    names
    name 10.1.1.7 Athena.[DomainName].com description
    name 10.1.1.2 Hades.[DomainName].com description
    name 10.1.1.20 cam01.[DomainName].com description
    name 10.1.1.21 cam02.[DomainName].com description
    name 10.1.1.22 cam03.[DomainName].com description
    dns-guard
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.1.1.69 255.255.0.0
    !
    passwd [removed] encrypted
    boot system flash:/
    boot system flash:/pix722.bin
    ftp mode passive
    clock timezone cst -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name [DomainName].com
    object-group service HTTP_and_HTTPS tcp
    port-object eq www
    port-object eq https
    object-group service CameraPorts tcp
    port-object range 6969 6971
    access-list inbound extended permit icmp any any echo-reply
    access-list inbound remark This ACL is used to allow HTTP traffic on port 80 to Athena.[DomainName].com
    access-list inbound extended permit tcp any any object-group HTTP_and_HTTPS
    access-list inbound remark This ACL is used to allow RDP traffic on port 3389 to Athena.[DomainName].com
    access-list inbound extended permit tcp any any eq 3389
    access-list inbound extended permit tcp any any eq 4135
    access-list inbound extended permit tcp any any object-group CameraPorts
    access-list inside_outbound_nat0_acl extended permit ip any 10.1.1.192 255.255.255.224
    access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.192 255.255.255.224
    pager lines 24
    logging enable
    logging console errors
    logging monitor errors
    logging buffered errors
    logging trap debugging
    logging asdm warnings
    logging mail emergencies
    logging from-address [removed]@[DomainName].com
    logging recipient-address [removed]@[DomainName].com level errors
    logging permit-hostdown
    mtu outside 1500
    mtu inside 1500
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip audit name Attack attack action drop
    ip audit interface outside Attack
    ip audit interface inside Attack
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-522.bin
    asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 10.1.1.0 255.255.255.0
    static (inside,outside) tcp interface www Athena.[DomainName].com www netmask 255.255.255.255
    static (inside,outside) tcp interface https Athena.[DomainName].com https netmask 255.255.255.255
    static (inside,outside) tcp interface 3389 Athena.[DomainName].com 3389 netmask 255.255.255.255 tcp 2 0
    static (inside,outside) tcp interface 6969 cam01.[DomainName].com 6969 netmask 255.255.255.255
    static (inside,outside) tcp interface 6970 cam02.[DomainName].com 6970 netmask 255.255.255.255
    static (inside,outside) tcp interface 6971 cam03.[DomainName].com 6971 netmask 255.255.255.255
    access-group inbound in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server SG[Removed] protocol nt
    aaa-server SG[Removed] host Athena.[DomainName].com
    nt-auth-domain-controller 10.1.1.7
    group-policy [DomainName] internal
    group-policy [DomainName] attributes
    banner value This computer network is the property of [DomainName] Inc.. Only authorized users may access this system.
    banner value
    banner value Unauthorized access will be investigated and penalties will be pursued in conformance with applicable laws and regulations.
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    default-domain value [DomainName].com
    username mharrison password [removed] encrypted
    aaa local authentication attempts max-fail 5
    http server enable
    http 10.1.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp identity hostname
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 20
    crypto isakmp ipsec-over-tcp port 10000
    tunnel-group [DomainName] type ipsec-ra
    tunnel-group [DomainName] general-attributes
    default-group-policy [DomainName]
    dhcp-server Athena.[DomainName].com
    tunnel-group [DomainName] ipsec-attributes
    pre-shared-key *
    tunnel-group [DomainName] ppp-attributes
    authentication pap
    authentication ms-chap-v2
    authentication eap-proxy
    telnet 10.1.0.0 255.255.0.0 inside
    telnet timeout 60
    ssh 10.1.0.0 255.255.0.0 inside
    ssh timeout 5
    ssh version 1
    console timeout 0
    dhcpd auto_config outside
    !
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect http
    inspect netbios
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    smtp-server 10.1.1.7
    prompt hostname context
    Cryptochecksum:82ac5d8fd8c8c1d645306c964fe2e62a
    : end
    asdm image flash:/asdm-522.bin
    asdm location 0.0.0.0 255.255.255.255 outside
    asdm location 10.1.1.0 255.255.255.0 inside
    asdm location 10.1.0.0 255.255.0.0 inside
    asdm location 10.1.1.0 255.255.255.255 inside
    asdm location Athena.[DomainName].com 255.255.255.255 inside
    asdm history enable

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
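
Added example, not part of the original post: a small Python check that parses the reject message quoted above and compares its proxy identities with the ACL named by `crypto dynamic-map outside_dyn_map 20 match address`. It assumes a simplified model in which a proposal is accepted only when the local proxy fits inside the ACE source and the remote proxy fits inside the ACE destination; the function names are hypothetical and only `extended permit ip` entries are handled.

```python
import ipaddress
import re

# Sample input copied from the log line and crypto ACL quoted in the post.
LOG = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
       "10.1.1.6/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")
ACL = ["access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.192 255.255.255.224"]

PROXY_RE = re.compile(r"(remote|local) proxy (\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/\d+/\d+")

def parse_proxies(log_line):
    """Return {'remote': network, 'local': network} from the reject message."""
    found = {side: ipaddress.ip_network(f"{addr}/{mask}")
             for side, addr, mask in PROXY_RE.findall(log_line)}
    if set(found) != {"remote", "local"}:
        raise ValueError("not a 'no matching crypto map entry' message")
    return found

def take_network(tokens):
    """Consume one ACL address spec: 'any', 'host A' or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into (src, dst)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
        raise ValueError("only 'extended permit ip' entries are handled")
    src, rest = take_network(tokens[5:])
    dst, _ = take_network(rest)
    return src, dst

def explain(log_line, acl_lines):
    """Report, per ACE, whether each proposed proxy falls inside it."""
    proxies = parse_proxies(log_line)
    results = []
    for line in acl_lines:
        src, dst = parse_acl(line)  # src = protected (local) side, dst = client (remote) side
        results.append({"ace": line,
                        "local_ok": proxies["local"].subnet_of(src),
                        "remote_ok": proxies["remote"].subnet_of(dst)})
    return results

if __name__ == "__main__":
    print(explain(LOG, ACL))
```

For the posted values the local proxy matches `any`, but the remote proxy 10.1.1.6/32 lies outside 10.1.1.192/27, so under this model the only entry in `outside_cryptomap_dyn_20` cannot match the client's proposal.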