PDM Error on Access List and Crypto

Unanswered Question
Apr 13th, 2006
Hello All,


When starting PDM and going to configuration I receive an error that says

"PDM has encountered a firewall configuration command statement that PDM does not support. Configuration parsing has been stopped. PDM access is now limited to the Home and Monitoring views during the current session. To regain access to the rest of PDM, use the command line interface window to fix the unsupported command statement and then refresh PDM with the modified firewall configuration.


Access control list TX_To_HQ is applied to interface inside for outbound nat 0 and crypto map ToHQ for IPSec traffic selection. PDM does not support multiple uses of a given Access Control List"


That is the whole message. I use the access list as follows:


access-list TX_to_HQ permit ip 172.16.12.0 255.255.255.0 172.31.1.0 255.255.255.0


and the other line it is referenced in is



crypto map ToHQ 20 match address TX_to_HQ


Also, just a brief explanation of what I am trying to accomplish: it is just a VPN tunnel from Texas to NJ. In Texas I have a PIX 501 going to a SonicWall Pro 4060 in NJ.


Please let me know if you have any suggestions as to how to get around this error message. Thanks.


Keith

Patrick Laidlaw Fri, 04/14/2006 - 00:09

Keith,


Easiest thing to do to fix this is copy your TX_to_HQ ACL so that you have a second ACL identical to your first, and use it in either your crypto map or your outgoing ACL. Example:


access-list TX_to_HQ permit ip 172.16.12.0 255.255.255.0 172.31.1.0 255.255.255.0

access-list TX_to_HQ_VPN permit ip 172.16.12.0 255.255.255.0 172.31.1.0 255.255.255.0


crypto map ToHQ 20 match address TX_to_HQ_VPN



Patrick


KeithAttreides_2 Sat, 04/15/2006 - 15:29

Patrick,


Thanks for the recommendation. I don't seem to have any further luck though. Below is the config. If you can, please point out anything that seems incorrect.



PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ** encrypted
passwd * encrypted
hostname TX
domain-name Comp.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.31.1.0 NJ
access-list Tex_to_NJ_VPN permit ip 172.31.12.0 255.255.255.0 NJ 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 4.9.x.x.x.255.248
ip address inside 172.31.12.253 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 7.11.x.x.x.255.0 outside
pdm location 5.2.x.x.x.255.224 outside
pdm location NJ 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list Tex_to_NJ_VPN
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 x.x.x.x.9.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 7.1.x.x.x.255.0 outside
http 5.2.x.x.x.255.224 outside
http 172.31.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map ToNJ 20 ipsec-isakmp
crypto map ToNJ 20 match address Tex_to_NJ_VPN
crypto map ToNJ 20 set peer 65.x.x.34
crypto map ToNJ 20 set transform-set strongsha
crypto map ToNJ interface outside
crypto map ToEdison 20 ipsec-isakmp
! Incomplete
isakmp enable outside
isakmp key ******** address 5.x.x.4 netmask 255.255.255.224
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet 172.31.12.0 255.255.255.0 inside
telnet NJ 255.255.255.0 inside
telnet timeout 5
ssh 6.1.x.x.x.255.0 outside
ssh 5.1.0.0 255.255.255.224 outside
ssh timeout 5
console timeout 15
dhcpd address 172.31.12.150-172.31.12.200 inside
dhcpd dns 20.171.3.65 172.31.1.22
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80



Thank you for your help.


Keith

globalnettech Mon, 04/17/2006 - 09:04

Hello Keith,


Is this a working configuration? Because in this config you are applying the same access list to the nat (0) and the crypto map as well, which is what your PDM is complaining about.

Are you trying to configure and apply the TX_to_HQ access list in addition to your current config?


Regards,


GNT
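Patrick's fix and GNT's diagnosis both come down to one rule: an ACL may have only one consumer (nat 0 or a crypto map entry) if PDM is to parse the config. The script below is an added example, not code from this thread or from Cisco; it scans a PIX 6.3-style config for ACLs that are referenced more than once and for crypto map entries that never receive a match address line (the "! Incomplete" ToEdison entry in Keith's config). The sample config is constructed, with ACL and map names mirroring Keith's posting.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the PIX 6.3 config posted in this thread;
# Tex_to_NJ_NAT is the duplicate ACL Patrick suggests, not yet referenced.
SAMPLE_CONFIG = """\
name 172.31.1.0 NJ
access-list Tex_to_NJ_VPN permit ip 172.31.12.0 255.255.255.0 NJ 255.255.255.0
access-list Tex_to_NJ_NAT permit ip 172.31.12.0 255.255.255.0 NJ 255.255.255.0
nat (inside) 0 access-list Tex_to_NJ_VPN
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
crypto map ToNJ 20 ipsec-isakmp
crypto map ToNJ 20 match address Tex_to_NJ_VPN
crypto map ToNJ interface outside
crypto map ToEdison 20 ipsec-isakmp
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
CRYPTO_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ")

def acl_uses(config):
    """Map each ACL name to every nat 0 / crypto map entry that references it."""
    uses = defaultdict(list)
    for line in config.splitlines():
        m = NAT0_RE.match(line)
        if m:
            uses[m.group(2)].append(f"nat ({m.group(1)}) 0")
            continue
        m = CRYPTO_MATCH_RE.match(line)
        if m:
            uses[m.group(3)].append(f"crypto map {m.group(1)} {m.group(2)}")
    return dict(uses)

def shared_acls(config):
    """ACLs with more than one consumer: the condition PDM refuses to parse."""
    return {acl: refs for acl, refs in acl_uses(config).items() if len(refs) > 1}

def incomplete_crypto_entries(config):
    """Crypto map entries (map name, seq) that never get a 'match address' line."""
    entries, matched = set(), set()
    for line in config.splitlines():
        m = CRYPTO_ENTRY_RE.match(line)
        if not m:
            continue  # 'crypto map X interface outside' has no sequence number
        entries.add((m.group(1), m.group(2)))
        if CRYPTO_MATCH_RE.match(line):
            matched.add((m.group(1), m.group(2)))
    return sorted(entries - matched)
```

Pointing the nat 0 statement at Tex_to_NJ_NAT instead of Tex_to_NJ_VPN empties the shared_acls result, which is the state PDM accepts.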

KeithAttreides_2 Tue, 04/18/2006 - 13:29

Hello GNT,


Yes, I am reposting the latest config below.


PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname TX
domain-name company.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.31.1.0 NJ
access-list Tex_to_NJ_VPN permit ip 172.31.12.0 255.255.255.0 NJ 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.2 255.255.255.248
ip address inside 172.31.12.253 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 3.3.3.3 255.255.255.0 outside
pdm location 4.4.4.0 255.255.255.224 outside
pdm location NJ 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list Tex_to_NJ_VPN
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 4.4.4.4 255.255.255.0 outside
http 3.3.3.3 255.255.255.224 outside
http 172.31.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map ToNJ 20 ipsec-isakmp
crypto map ToNJ 20 match address Tex_to_NJ_VPN
crypto map ToNJ 20 set peer 65.172.0.34
crypto map ToNJ 20 set transform-set strongsha
crypto map ToNJ interface outside
crypto map ToEdison 20 ipsec-isakmp
! Incomplete
isakmp enable outside
isakmp key ******** address 3.3.3.3 netmask 255.255.255.224
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet 172.31.12.0 255.255.255.0 inside
telnet NJ 255.255.255.0 inside
telnet timeout 5
ssh 4.4.4.4 255.255.255.0 outside
ssh 3.3.3.3 255.255.255.224 outside
ssh timeout 5
console timeout 15
dhcpd address 172.31.12.150-172.31.12.200 inside
dhcpd dns 4.2.2.1 172.31.1.22
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80


I am trying to just establish a site-to-site VPN. As far as I know, the access list is needed in order to match the traffic.

I believe if I can get rid of the


crypto map ToEdison 20 ipsec-isakmp


line, then PDM won't be complaining anymore.


If you happen to see what is wrong with the config please point it out. Thank you so much.


Keith

KeithAttreides_2 Thu, 04/20/2006 - 04:57

Patrick,


I finally got it. I wasn't sure what you meant at first, but I see how the conflict was occurring. That's what learning is all about. Thanks for your help.


Keith.
