Hello,
I am attempting to set up VPN on a Cisco Pix 515e with "Cisco PIX
Security Appliance Software Version 7.2(2)".
When I attempt to connect via the Cisco VPN Client I get the following
error message in the Real-Time Log Viewer and the VPN connection is
dumped:
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.1.1.6/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
I am kind of new to this and I have been spinning my wheels on this
for a couple of days without success. Any help on this would be
greatly appreciated.
Here is my config:
: Saved
:
PIX Version 7.2(2)
!
hostname Pix
domain-name [DomainName].com
enable password [removed] encrypted
names
name 10.1.1.7 Athena.[DomainName].com description
name 10.1.1.2 Hades.[DomainName].com description
name 10.1.1.20 cam01.[DomainName].com description
name 10.1.1.21 cam02.[DomainName].com description
name 10.1.1.22 cam03.[DomainName].com description
dns-guard
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.69 255.255.0.0
!
passwd [removed] encrypted
boot system flash:/
boot system flash:/pix722.bin
ftp mode passive
clock timezone cst -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name [DomainName].com
object-group service HTTP_and_HTTPS tcp
port-object eq www
port-object eq https
object-group service CameraPorts tcp
port-object range 6969 6971
access-list inbound extended permit icmp any any echo-reply
access-list inbound remark This ACL is used to allow HTTP traffic on port 80 to Athena.[DomainName].com
access-list inbound extended permit tcp any any object-group HTTP_and_HTTPS
access-list inbound remark This ACL is used to allow RDP traffic on port 3389 to Athena.[DomainName].com
access-list inbound extended permit tcp any any eq 3389
access-list inbound extended permit tcp any any eq 4135
access-list inbound extended permit tcp any any object-group CameraPorts
access-list inside_outbound_nat0_acl extended permit ip any 10.1.1.192 255.255.255.224
access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.192 255.255.255.224
pager lines 24
logging enable
logging console errors
logging monitor errors
logging buffered errors
logging trap debugging
logging asdm warnings
logging mail emergencies
logging from-address [removed]@[DomainName].com
logging recipient-address [removed]@[DomainName].com level errors
logging permit-hostdown
mtu outside 1500
mtu inside 1500
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name Attack attack action drop
ip audit interface outside Attack
ip audit interface inside Attack
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 10.1.1.0 255.255.255.0
static (inside,outside) tcp interface www Athena.[DomainName].com www netmask 255.255.255.255
static (inside,outside) tcp interface https Athena.[DomainName].com https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Athena.[DomainName].com 3389 netmask 255.255.255.255 tcp 2 0
static (inside,outside) tcp interface 6969 cam01.[DomainName].com 6969 netmask 255.255.255.255
static (inside,outside) tcp interface 6970 cam02.[DomainName].com 6970 netmask 255.255.255.255
static (inside,outside) tcp interface 6971 cam03.[DomainName].com 6971 netmask 255.255.255.255
access-group inbound in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server SG[Removed] protocol nt
aaa-server SG[Removed] host Athena.[DomainName].com
nt-auth-domain-controller 10.1.1.7
group-policy [DomainName] internal
group-policy [DomainName] attributes
banner value This computer network is the property of [DomainName] Inc.. Only authorized users may access this system.
banner value
banner value Unauthorized access will be investigated and penalties will be pursued in conformance with applicable laws and regulations.
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value [DomainName].com
username mharrison password [removed] encrypted
aaa local authentication attempts max-fail 5
http server enable
http 10.1.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group [DomainName] type ipsec-ra
tunnel-group [DomainName] general-attributes
default-group-policy [DomainName]
dhcp-server Athena.[DomainName].com
tunnel-group [DomainName] ipsec-attributes
pre-shared-key *
tunnel-group [DomainName] ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 60
ssh 10.1.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 1
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect netbios
inspect pptp
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
smtp-server 10.1.1.7
prompt hostname context
Cryptochecksum:82ac5d8fd8c8c1d645306c964fe2e62a
: end
asdm image flash:/asdm-522.bin
asdm location 0.0.0.0 255.255.255.255 outside
asdm location 10.1.1.0 255.255.255.0 inside
asdm location 10.1.0.0 255.255.0.0 inside
asdm location 10.1.1.0 255.255.255.255 inside
asdm location Athena.[DomainName].com 255.255.255.255 inside
asdm history enable