need help with vpn tunnel on 5505

Young Grasshopper Member Posts: 51
Hi,

I have a guide here that shows me how to build a VPN tunnel from scratch using the CLI. Well, the command here shows me how to create a crypto map, which is:


crypto map example_map 10 ipsec-isakmp


This shows as an incomplete command in the ASA. What am I missing here? Here is what my ASA is showing me:



pix-batfish(config)# crypto map example 10 ipsec-isakmp
ERROR: % Incomplete command
pix-batfish(config)# crypto map example 10 ipsec-isakmp ?

configure mode commands/options:
dynamic Entry is a dynamic map
pix-batfish(config)# crypto map example 10 ipsec-isakmp dynamic ?

configure mode commands/options:
WORD dynamic map name
pix-batfish(config)# crypto map example 10 ipsec-isakmp dynamic



I've looked at other configs and have not seen the dynamic thrown in there.


Thanks

Comments

  • Ahriakin Member Posts: 1,799
    You might want to read something a bit more detailed; "The Complete Cisco VPN Configuration Guide" is an excellent resource even when you are just starting out.
    Anyway, that's just one of many configuration commands needed to create a crypto map, let alone the full IPSec VPN. Dynamic is used for Remote Access VPNs (it can be used for site-site if you just want one side to initiate the tunnel, but essentially it's for situations where the client IP is dynamic and therefore not known for the config. on this side) and it is applied to an existing full Crypto map.
    While the principles are the same, there are some differences in VPN commands (and many others) on the ASA vs. a PIX, and definitely on 7/8.x (Higher end PIX and ASA) vs. 6.x (Legacy PIX). The book I mentioned covers VPNs on 6.x and 7.x as well as VPN Concentrators and Routers.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Young Grasshopper Member Posts: 51
    Hey, thanks for the advice. However, in my situation I'm not using remote access VPN (just site to site), so I don't know why I need to enter a value in there for dynamic. Would you happen to know?


    Thanks
  • mikej412 Member Posts: 10,086
    My 5505 let me enter the command with no problem and shows the <cr> option along with the Dynamic option.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • Young Grasshopper Member Posts: 51
  • Ahriakin Member Posts: 1,799
    I'm guessing you already have a crypto map on that box, Mike? I know you used to have to specify ipsec-isakmp on 6.x but it's the default now on 7.x +, isn't it? You only need to specify the key mode if you want manual (Too pre-caffeine for me to go double check so I may well be wrong:} )
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • Young Grasshopper Member Posts: 51
    I just wrote to the author; he replied back telling me that command isn't needed in 7.x. I skipped it and continued building the tunnel and everything works great now.
  • mikej412 Member Posts: 10,086
    Ahriakin wrote:
    I know you used to have to specify ipsec-isakmp on 6.x but it's the default now on 7.x + isn't it
    Yep, it wasn't in the 7.2 docs. I think my ASA is 7.1 or 7.2 so that's what I checked -- but it still let me do it :D

    Might have dropped out in 8.x -- but Grasshopper didn't say what version that I saw.
    the author he replied back telling me that command isnt needed in 7.x.
    Which Guide? So you're running a 7.x? Which Version?
    :mike: Cisco Certifications -- Collect the Entire Set!
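
For reference, a static site-to-site crypto map on a 7.x ASA, built without the `ipsec-isakmp` keyword as the thread concludes. This is an added example, not configuration from the guide or from any poster; it assumes 7.2 to 8.3 style syntax (8.4 and later rename these IKE commands with an `ikev1` keyword), and every name, address and the key placeholder below is constructed for illustration.

```cisco
! Constructed example: local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24,
! remote peer 203.0.113.2 (documentation address). All names are hypothetical.

! 1. Interesting traffic: what the tunnel protects.
access-list L2L_TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! 2. Phase 1 (ISAKMP) policy, enabled on the outside interface.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! 3. Phase 2 transform set.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! 4. Static crypto map entry. On 7.x the entry is created by its first
!    subcommand; there is no separate "crypto map NAME SEQ ipsec-isakmp"
!    line, and "dynamic" is not used for a fixed-peer site-to-site tunnel.
crypto map example_map 10 match address L2L_TRAFFIC
crypto map example_map 10 set peer 203.0.113.2
crypto map example_map 10 set transform-set ESP-AES256-SHA
crypto map example_map interface outside

! 5. Tunnel group for the peer; replace the placeholder with the real key.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <PRE_SHARED_KEY>

! Checks once traffic matching the ACL has been sent:
!   show crypto isakmp sa
!   show crypto ipsec sa
```

Both ends must agree on the phase 1 policy, the transform set and mirrored ACLs, and `show running-config crypto map` confirms that the entry was created without the legacy keyword.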