PIX Device Manager Unsupported Command

Answered Question
May 3rd, 2007

Installed PDM 3.0(4) using PIX 6.3(5) and now get an unsupported command from the PDM: "Access control list 100 is applied to interface inside for outbound nat 0 and VPN client group for split tunneling. PDM does not support multiple uses of a given Access Control List."

I'm not sure how to separate the ACL. Thanks for any help.

Dan

Correct Answer by acomiskey about 9 years 7 months ago

Ok, both of these statements are for the vpn. These have no effect on your nat for inside networks (to access the internet, for example).

1. nat (inside) 0 access-list 100
2. vpngroup afco split-tunnel 100

So what the pdm doesn't like is that you used the same access-list for both statements. The first statement is nat exemption. It exempts from nat anything in acl 100, in other words any inside network you want to be accessible to your vpn clients (192.168.10.0).

The second statement is for split tunneling. This also looks at acl 100 and determines what is tunneled on the vpn. Any traffic not specified within the acl will not be tunneled, and therefore vpn clients will be able to access the internet while connected.

So if you want all these inside networks (10.74.52.0, 10.74.53.0, 192.168.1.0, 10.74.56.0) accessible from the vpn, you simply need to create a new access-list with these networks and assign it to either nat (inside) 0 or split-tunnel. I chose to change the nat 0; here is what it should look like. Now the nat 0 and the split tunnel have their own acl and PDM should be happy!

---Split Tunnel---

access-list 100 permit ip 10.74.56.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 10.74.53.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 10.74.52.0 255.255.255.0 192.168.10.0 255.255.255.0
vpngroup afco split-tunnel 100

---Nat Exemption---

no nat (inside) 0 access-list 100
access-list nat_0 permit ip 10.74.56.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list nat_0 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nat_0 permit ip 10.74.53.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nat_0 permit ip 10.74.52.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nat_0

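As an added example (not from the original thread or from Cisco), a small Python check that finds any ACL bound to both a `nat (ifc) 0 access-list` statement and a `vpngroup ... split-tunnel` statement, which is exactly the condition PDM reports, and then emits the rewrite acomiskey posted: clone the list under a new name and move only the nat 0 binding to it. The config below is constructed to mirror the thread, and the new ACL name `nat_0` is the one used in the answer.

```python
import re
from collections import defaultdict

# Constructed sample config (not the poster's attachment): acl 100 is bound
# to both nat 0 exemption and the vpngroup split-tunnel, as in the thread.
SAMPLE_CONFIG = """\
access-list 100 permit ip 10.74.56.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_in permit tcp any host 203.0.113.10 eq 443
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
vpngroup afco address-pool vpnpool
vpngroup afco split-tunnel 100
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^vpngroup (\S+) split-tunnel (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (.+)$")


def find_acl_uses(config):
    """Map each ACL name to the bindings that reference it:
    ('nat0', interface) or ('split-tunnel', vpngroup name)."""
    uses = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        if m := NAT0_RE.match(line):
            uses[m.group(2)].append(("nat0", m.group(1)))
        elif m := SPLIT_RE.match(line):
            uses[m.group(2)].append(("split-tunnel", m.group(1)))
    return dict(uses)


def shared_acls(config):
    """ACLs bound to more than one consumer: the condition PDM rejects."""
    return sorted(n for n, u in find_acl_uses(config).items() if len(u) > 1)


def split_nat0_acl(config, acl, new_name="nat_0"):
    """Commands that clone `acl` under `new_name` and move only the nat 0
    binding to it; the split-tunnel reference to `acl` is left in place."""
    entries = [m.group(2) for raw in config.splitlines()
               if (m := ACL_RE.match(raw.strip())) and m.group(1) == acl]
    ifaces = [i for kind, i in find_acl_uses(config).get(acl, []) if kind == "nat0"]
    if not ifaces:
        return []  # acl is not used for nat 0 exemption; nothing to split
    cmds = [f"no nat ({i}) 0 access-list {acl}" for i in ifaces]
    cmds += [f"access-list {new_name} {e}" for e in entries]
    cmds += [f"nat ({i}) 0 access-list {new_name}" for i in ifaces]
    return cmds
```

The two lists contain the same networks today, but nat exemption and the client's split-tunnel list are different functions, so keeping them separate also lets them diverge later without side effects.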
acomiskey Thu, 05/03/2007 - 10:04

Create another acl for either the nat 0 or for the split tunnel. You now probably have something like:

access-list split_tunnel permit ...
nat (inside) 0 access-list split_tunnel
vpngroup split-tunnel split_tunnel

change to...

access-list split_tunnel permit ...
access-list nat_0 permit ...
nat (inside) 0 access-list nat_0
vpngroup split-tunnel split_tunnel

Post your config if you would like and we'll get you straightened out.

dlitteer Thu, 05/03/2007 - 13:12

Thanks. I'm a little confused over the access list. It combines both our local LAN addresses and VPN and I'm not really sure how to split them up.

Example:

access-list 100 permit ip 10.74.56.0 255.255.252.0 192.168.10.0 255.255.255.0

I have 4 different subnets for the NAT, but only one for VPN.

Config is attached.

