05-03-2007 08:05 AM - edited 03-11-2019 03:08 AM
Installed PDM 3.0(4) using PIX 6.3(5) and now get an unsupported command from the PDM: "Access control list 100 is applied to interface inside for outbound nat 0 and VPN client group for split tunneling. PDM does not support multiple uses of a given Access Control List."
I'm not sure how to separate the ACL? Thanks for any help.
Dan
05-03-2007 01:45 PM
Ok, both of these statements are for the vpn. These have no effect on your nat for inside networks (to access the internet for example).
1. nat (inside) 0 access-list 100
2. vpngroup afco split-tunnel 100
So what the pdm doesn't like is you used the same access-list for both statements. The first statement is nat exemption. It exempts nat from anything in acl 100. In other words any inside network you want to be accessible to your vpn clients (192.168.10.0).
The second statement is for split tunneling. This also looks at acl 100 and will determine what is tunneled on the vpn. Any traffic not specified within the acl will not be tunneled and therefore vpn clients will be able to access the internet while connected.
So if you want all these inside networks accessible from the vpn (10.74.52.0, 10.74.53.0, 192.168.1.0, 10.74.56.0), you simply need to create a new access-list with these networks and assign it to either nat (inside) 0 or split-tunnel. I chose to change the nat 0; here is what it should look like. Now the nat 0 and the split tunnel have their own acl and PDM should be happy!
---Split Tunnel---
access-list 100 permit ip 10.74.56.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 10.74.53.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 10.74.52.0 255.255.255.0 192.168.10.0 255.255.255.0
vpngroup afco split-tunnel 100
---Nat Exemption---
no nat (inside) 0 access-list 100
access-list nat_0 permit ip 10.74.56.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list nat_0 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nat_0 permit ip 10.74.53.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nat_0 permit ip 10.74.52.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nat_0
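As an added example (not part of any post in this thread), here is a small Python linter that applies the rule PDM enforces, one consuming command per ACL, to a PIX 6.3 configuration and then produces the same split the accepted answer shows: clone the shared ACL's entries under a new name and repoint nat 0 at the clone while split-tunnel keeps the original. The configuration fragment is constructed from the thread; the list of ACL-consuming commands the script recognises (nat 0, vpngroup split-tunnel, access-group) is an assumption and is not exhaustive for a real PIX.

```python
import re
from collections import defaultdict

# Constructed sample PIX 6.3 configuration (not copied from a device), reproducing the
# thread's "before" state: ACL 100 is referenced by both nat 0 and split-tunnel.
SAMPLE_CONFIG_BEFORE = """\
access-list 100 permit ip 10.74.56.0 255.255.252.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 10.74.53.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 100 permit ip 10.74.52.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list 100
vpngroup afco split-tunnel 100
"""

# Commands that consume an ACL by name. Assumption: this subset covers the thread's case;
# a production checker would add every other ACL consumer the platform supports.
ACL_CONSUMERS = [
    (re.compile(r"^nat\s+\((?P<ctx>\S+)\)\s+0\s+access-list\s+(?P<acl>\S+)"),
     "nat 0 exemption ({ctx})"),
    (re.compile(r"^vpngroup\s+(?P<ctx>\S+)\s+split-tunnel\s+(?P<acl>\S+)"),
     "split-tunnel for vpngroup {ctx}"),
    (re.compile(r"^access-group\s+(?P<acl>\S+)\s+in\s+interface\s+(?P<ctx>\S+)"),
     "access-group on interface {ctx}"),
]
NAT0_PATTERN = ACL_CONSUMERS[0][0]


def acl_entries(config):
    """Map ACL name -> its access-list lines (ACEs), in configuration order."""
    entries = defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"^access-list\s+(\S+)\s+(.*)$", line.strip())
        if m:
            entries[m.group(1)].append(line.strip())
    return dict(entries)


def acl_uses(config):
    """Map ACL name -> descriptions of every command that references it."""
    uses = defaultdict(list)
    for line in config.splitlines():
        stripped = line.strip()
        for pattern, label in ACL_CONSUMERS:
            m = pattern.match(stripped)
            if m:
                uses[m.group("acl")].append(label.format(**m.groupdict()))
    return dict(uses)


def find_shared_acls(config):
    """Return {acl: [uses]} for each ACL with more than one consumer (what PDM rejects)."""
    return {name: refs for name, refs in acl_uses(config).items() if len(refs) > 1}


def split_nat0_acl(config, new_name="nat_0"):
    """Rewrite the config so nat 0 gets its own copy of any ACL it shares with another
    consumer: remove the old nat 0 line, emit the cloned ACEs, re-add nat 0 on the clone."""
    shared = find_shared_acls(config)
    entries = acl_entries(config)
    out = []
    for line in config.splitlines():
        stripped = line.strip()
        m = NAT0_PATTERN.match(stripped)
        if m and m.group("acl") in shared:
            old = m.group("acl")
            out.append(f"no {stripped}")
            for ace in entries.get(old, []):
                out.append(ace.replace(f"access-list {old} ", f"access-list {new_name} ", 1))
            out.append(f"nat ({m.group('ctx')}) 0 access-list {new_name}")
        else:
            out.append(stripped)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, refs in find_shared_acls(SAMPLE_CONFIG_BEFORE).items():
        print(f"ACL {name} has multiple uses: {', '.join(refs)}")
    print("--- proposed change ---")
    print(split_nat0_acl(SAMPLE_CONFIG_BEFORE))
```

Run against the constructed "before" configuration, the checker flags ACL 100 for both the nat 0 exemption and the afco split-tunnel, and the rewrite yields the "no nat ... / access-list nat_0 ... / nat (inside) 0 access-list nat_0" sequence from the accepted answer, after which no ACL has more than one consumer. Keeping the two lists separate also matters beyond PDM: a later edit to what VPN clients may reach (split-tunnel) no longer silently changes which inside traffic bypasses NAT.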
05-03-2007 10:04 AM
Create another acl for either the nat 0 or for the split tunnel. You now probably have something like
access-list split_tunnel permit ...
nat (inside) 0 access-list split_tunnel
vpngroup
change to...
access-list split_tunnel permit ...
access-list nat_0 permit ...
nat (inside) 0 access-list nat_0
vpngroup
Post your config if you would like and we'll get you straightened out.
05-03-2007 01:12 PM
Thanks. I'm a little confused over the access list. It combines both our local LAN addresses and VPN and I'm not really sure how to split them up.
Example:
access-list 100 permit ip 10.74.56.0 255.255.252.0 192.168.10.0 255.255.255.0
I have 4 different subnets for the NAT, but only one for VPN.
Config is attached.
05-07-2007 10:14 AM
Thank you so much for your help.