04-13-2006 12:45 PM
Hello All,
When starting PDM and going to configuration I receive an error that says
"PDM has encountered a firewall configuration command statement that PDM does not support. Configuration parsing has been stopped. PDM access is now limited to the Home and Monitoring views during the current session. To regain access to the rest of PDM use the command line interface window to fix the unsupported command statement and then refresh PDM with the modified firewall configuration.
Access control list TX_To_HQ is applied to interface inside for outbound nat 0 and crypto map ToHQ for IPSec traffic selection. PDM does not support multiple uses of a given Access Control List."
That is the whole message. I use the access list as follows:
access-list TX_to_HQ permit ip 172.16.12.0 255.255.255.0 172.31.1.0 255.255.255.0
and the other line it is referenced in is
crypto map ToHQ 20 match address TX_to_HQ
Also, just a brief explanation of what I am trying to accomplish: it is just a VPN tunnel from Texas to NJ. In Texas I have a PIX 501 going to a SonicWall Pro 4060 in NJ.
Please let me know if you have any suggestions as to how to get around this error message. Thanks.
Keith
04-14-2006 12:09 AM
Keith,
The easiest thing to do to fix this is to copy your TX_to_HQ ACL so that you have a second ACL identical to your first, and use it in either your crypto map or your outgoing ACL. Example:
access-list TX_to_HQ permit ip 172.16.12.0 255.255.255.0 172.31.1.0 255.255.255.0
access-list TX_to_HQ_VPN permit ip 172.16.12.0 255.255.255.0 172.31.1.0 255.255.255.0
crypto map ToHQ 20 match address TX_to_HQ_VPN
Patrick
04-15-2006 03:29 PM
Patrick,
Thanks for the recommendation. I don't seem to have any further luck, though. Below is the config. If you can, please point out anything that seems incorrect.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ** encrypted
passwd * encrypted
hostname TX
domain-name Comp.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.31.1.0 NJ
access-list Tex_to_NJ_VPN permit ip 172.31.12.0 255.255.255.0 NJ 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 4.9.x.x.x.255.248
ip address inside 172.31.12.253 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 7.11.x.x.x.255.0 outside
pdm location 5.2.x.x.x.255.224 outside
pdm location NJ 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list Tex_to_NJ_VPN
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 x.x.x.x.9.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 7.1.x.x.x.255.0 outside
http 5.2.x.x.x.255.224 outside
http 172.31.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map ToNJ 20 ipsec-isakmp
crypto map ToNJ 20 match address Tex_to_NJ_VPN
crypto map ToNJ 20 set peer 65.x.x.34
crypto map ToNJ 20 set transform-set strongsha
crypto map ToNJ interface outside
crypto map ToEdison 20 ipsec-isakmp
! Incomplete
isakmp enable outside
isakmp key ******** address 5.x.x.4 netmask 255.255.255.224
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet 172.31.12.0 255.255.255.0 inside
telnet NJ 255.255.255.0 inside
telnet timeout 5
ssh 6.1.x.x.x.255.0 outside
ssh 5.1.0.0 255.255.255.224 outside
ssh timeout 5
console timeout 15
dhcpd address 172.31.12.150-172.31.12.200 inside
dhcpd dns 20.171.3.65 172.31.1.22
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
Thank you for your help.
Keith
04-17-2006 09:04 AM
Hello Keith,
Is this a working configuration? Because in this config you are applying the same access list to the nat (inside) 0 statement and to the crypto map as well, which is what your PDM is complaining about.
Are you trying to configure and apply the TX_to_HQ access list in addition to your current config?
Regards,
GNT
04-18-2006 01:29 PM
Hello GNT,
Yes, I am reposting the latest config below.
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password *** encrypted
passwd *** encrypted
hostname TX
domain-name company.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 172.31.1.0 NJ
access-list Tex_to_NJ_VPN permit ip 172.31.12.0 255.255.255.0 NJ 255.255.255.0
pager lines 24
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 1.1.1.2 255.255.255.248
ip address inside 172.31.12.253 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
pdm location 3.3.3.3 255.255.255.0 outside
pdm location 4.4.4.0 255.255.255.224 outside
pdm location NJ 255.255.255.0 outside
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list Tex_to_NJ_VPN
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 1.1.1.1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 4.4.4.4 255.255.255.0 outside
http 3.3.3.3 255.255.255.224 outside
http 172.31.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map ToNJ 20 ipsec-isakmp
crypto map ToNJ 20 match address Tex_to_NJ_VPN
crypto map ToNJ 20 set peer 65.172.0.34
crypto map ToNJ 20 set transform-set strongsha
crypto map ToNJ interface outside
crypto map ToEdison 20 ipsec-isakmp
! Incomplete
isakmp enable outside
isakmp key ******** address 3.3.3.3 netmask 255.255.255.224
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
telnet 172.31.12.0 255.255.255.0 inside
telnet NJ 255.255.255.0 inside
telnet timeout 5
ssh 4.4.4.4 255.255.255.0 outside
ssh 3.3.3.3 255.255.255.224 outside
ssh timeout 5
console timeout 15
dhcpd address 172.31.12.150-172.31.12.200 inside
dhcpd dns 4.2.2.1 172.31.1.22
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
terminal width 80
I am trying to just establish a site-to-site VPN. As far as I know, the access list is needed in order to match the traffic.
I believe if I can get rid of the
crypto map ToEdison 20 ipsec-isakmp
line, then PDM won't be complaining anymore.
If you happen to see what is wrong with the config please point it out. Thank you so much.
Keith
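As an added illustration of the two things this thread turns on (the ACL that PDM refuses to parse because it is referenced by both `nat (inside) 0` and the crypto map, which Patrick's reply fixes by cloning the ACL, and the dangling `crypto map ToEdison 20 ipsec-isakmp` entry Keith wants to remove), here is a small checker that finds both in a PIX 6.x style config and emits the CLI lines that resolve them. This is example code written for this page, not from the thread, Cisco or PDM. It assumes a constructed, trimmed copy of the config posted above as its sample input, and it assumes the `_NAT0` suffix for the cloned ACL (the mirror of Patrick's `_VPN` example: the clone is bound to `nat 0` and the crypto map keeps the original name). It removes an incomplete crypto map entry rather than completing it, because it cannot know the intended peer.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the PIX 6.3(4) config posted in the
# thread. It keeps the two things the thread is about: the ACL referenced by
# both "nat (inside) 0" and the crypto map, and the dangling
# "crypto map ToEdison 20 ipsec-isakmp" entry with no match/peer/transform-set.
SAMPLE_CONFIG = """\
PIX Version 6.3(4)
names
name 172.31.1.0 NJ
access-list Tex_to_NJ_VPN permit ip 172.31.12.0 255.255.255.0 NJ 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list Tex_to_NJ_VPN
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
sysopt connection permit-ipsec
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto map ToNJ 20 ipsec-isakmp
crypto map ToNJ 20 match address Tex_to_NJ_VPN
crypto map ToNJ 20 set peer 65.172.0.34
crypto map ToNJ 20 set transform-set strongsha
crypto map ToNJ interface outside
crypto map ToEdison 20 ipsec-isakmp
isakmp enable outside
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+(.+)$")
NAT0_REF = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")
CMAP_ENTRY = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+(.+)$")
CMAP_MATCH = re.compile(r"^match address\s+(\S+)")

# What an ipsec-isakmp crypto map entry needs before it can select traffic.
REQUIRED_ENTRY_KEYS = ("match address", "set peer", "set transform-set")


def _lines(config):
    for raw in config.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            yield line


def parse(config):
    """Return (acls, uses, entries).

    acls:    ACL name -> list of ACE strings, in config order
    uses:    ACL name -> list of commands referencing it, in config order
    entries: (map name, seq) -> set of attribute keywords seen for the entry
    """
    acls, uses, entries = defaultdict(list), defaultdict(list), defaultdict(set)
    for line in _lines(config):
        m = ACL_DEF.match(line)
        if m:
            acls[m.group(1)].append(m.group(2))
            continue
        m = NAT0_REF.match(line)
        if m:
            uses[m.group(2)].append(f"nat ({m.group(1)}) 0")
            continue
        m = CMAP_ENTRY.match(line)
        if m:
            name, seq, rest = m.groups()
            # "ipsec-isakmp", "match address", "set peer", "set transform-set"
            entries[(name, seq)].add(" ".join(rest.split()[:2]))
            mm = CMAP_MATCH.match(rest)
            if mm:
                uses[mm.group(1)].append(f"crypto map {name} {seq}")
    return acls, uses, entries


def find_multi_use_acls(config):
    """ACLs referenced by more than one command: exactly what PDM refuses."""
    _, uses, _ = parse(config)
    return {name: refs for name, refs in uses.items() if len(refs) > 1}


def find_incomplete_crypto_map_entries(config):
    """Crypto map entries missing a match address, peer or transform-set."""
    _, _, entries = parse(config)
    return [(name, seq, [k for k in REQUIRED_ENTRY_KEYS if k not in keys])
            for (name, seq), keys in entries.items()
            if any(k not in keys for k in REQUIRED_ENTRY_KEYS)]


def fix_commands(config, nat0_suffix="_NAT0"):
    """CLI lines that resolve both findings (clone ACL, rebind nat 0, drop stub)."""
    acls, uses, entries = parse(config)
    cmds = []
    for name, refs in uses.items():
        nat_refs = [r for r in refs if r.startswith("nat (")]
        if len(refs) < 2 or not nat_refs or name not in acls:
            continue  # only the nat 0 + crypto map case is auto-fixed
        clone = name + nat0_suffix
        cmds += [f"access-list {clone} {ace}" for ace in acls[name]]
        for ref in nat_refs:
            iface = ref[5:ref.index(")")]
            cmds.append(f"no nat ({iface}) 0 access-list {name}")
            cmds.append(f"nat ({iface}) 0 access-list {clone}")
    for (name, seq), keys in entries.items():
        if any(k not in keys for k in REQUIRED_ENTRY_KEYS):
            cmds.append(f"no crypto map {name} {seq} ipsec-isakmp")
    return cmds


def apply_fixes(config, cmds):
    """Apply the generated commands to the config text so it can be re-checked."""
    negated = {c[3:] for c in cmds if c.startswith("no ")}
    kept = [l for l in config.splitlines() if l.strip() not in negated]
    return "\n".join(kept + [c for c in cmds if not c.startswith("no ")]) + "\n"


if __name__ == "__main__":
    for name, refs in find_multi_use_acls(SAMPLE_CONFIG).items():
        print(f"ACL {name} is used by: {', '.join(refs)}")
    for name, seq, missing in find_incomplete_crypto_map_entries(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq} is missing: {', '.join(missing)}")
    print("\n".join(fix_commands(SAMPLE_CONFIG)))
```

Run against the sample it reports `Tex_to_NJ_VPN` as used by both `nat (inside) 0` and `crypto map ToNJ 20`, reports `ToEdison 20` as missing its match address, peer and transform-set, and prints the four commands to paste into the CLI; re-running the checks on `apply_fixes(...)` output comes back clean, which is the state PDM needs before it will parse the configuration again. After rebinding `nat 0` on a real box, clear the translation table (`clear xlate`) so existing NAT entries pick up the new exemption.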
04-20-2006 04:57 AM
Patrick,
I finally got it. I wasn't sure what you meant at first, but I see how the conflict was occurring. That's what learning is all about. Thanks for your help.
Keith.