Cisco Support Community

PIX 6.3 and PDM 3.0

Has anyone come across the following when using PDM 3.0 on PIX 6.3?

If you have a crypto ACL applied in the PIX config and you try to run PDM, the PDM parser stops and warns that the applied ACL is not supported, so PDM only launches in Monitor mode. If I remove the crypto ACL, then PDM launches normally. Is there a workaround for this?

The ACL that I have applied is as follows:

access-list nonat permit ip 10.x.x.x <mask> 192.168.x.x <mask>

Could someone from Cisco reply to this question, please?

Many Thanks - Jay

1 REPLY
Cisco Employee

Re: PIX 6.3 and PDM 3.0

PDM will do this if you use one access-list in two separate locations (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdmrn30.htm#94255). I'm assuming you have something like the following in your config:

access-list nonat permit ip 10.x.x.x 192.168.x.x

nat (inside) 0 access-list nonat

crypto map mymap 10 match address nonat

PDM will not allow this and will put you into monitor mode. What you need to do (which is a better configuration method anyway) is separate the ACLs, as follows:

access-list nonat permit ip 10.x.x.x 192.168.x.x

nat (inside) 0 access-list nonat

access-list 100 permit ip 10.x.x.x 192.168.x.x

crypto map mymap 10 match address 100

This separates your crypto and your nonat ACLs. When you only have one IPSec peer, a lot of people do use the same ACL for both, which is fine, but as you've seen it makes PDM barf. Separating the two ACLs is much better because if at some point later you add a second, third, etc. IPSec peer, you simply add a new encryption ACL for the new traffic and add that traffic to your existing nonat ACL.

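The check the reply describes (one ACL referenced from both nat 0 and a crypto map) is easy to miss by eye in a long config, and the same condition is what puts PDM into monitor mode. The Python script below is an added example, not part of this thread and not a Cisco tool: it scans a PIX 6.3 config for ACLs referenced from more than one location, and rewrites the shared case into the separated form the reply recommends (a cloned ACL for the crypto map, the original left on nat 0). The two sample configs are constructed for the example and extend the reply's advice to two IPSec peers; the list of ACL-consuming commands it recognises (nat, crypto map match address, access-group, vpngroup split-tunnel) is an assumption and would need extending for any other command that takes an ACL name.

```python
import re
from collections import defaultdict

# Constructed sample configs in PIX 6.3 syntax (not taken from the thread).
# SHARED_ACL_CONFIG reuses one ACL for both NAT exemption and the crypto map,
# which is the pattern the reply says drops PDM 3.0 into monitor mode.
SHARED_ACL_CONFIG = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set peer 203.0.113.10
"""

# SEPARATED_CONFIG follows the reply's recommendation, extended to two peers:
# one nonat ACL carrying both remote subnets, and one crypto ACL per peer.
SEPARATED_CONFIG = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address 101
crypto map mymap 20 set peer 203.0.113.20
"""

# Commands that consume an ACL by name. This table is an assumption covering
# the common PIX 6.3 cases; any other command that takes an ACL needs an entry.
ACL_USE_PATTERNS = {
    "nat": re.compile(r"^nat \(\S+\) \d+ access-list (\S+)"),
    "crypto-map": re.compile(r"^crypto map \S+ \d+ match address (\S+)\s*$"),
    "access-group": re.compile(r"^access-group (\S+) in interface \S+"),
    "split-tunnel": re.compile(r"^vpngroup \S+ split-tunnel (\S+)\s*$"),
}


def acl_references(config):
    """Map each ACL name to the list of commands that reference it."""
    refs = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        for kind, pattern in ACL_USE_PATTERNS.items():
            match = pattern.match(line)
            if match:
                refs[match.group(1)].append(kind)
    return dict(refs)


def shared_acls(config):
    """ACL names referenced from more than one location (the case PDM rejects)."""
    return sorted(name for name, uses in acl_references(config).items() if len(uses) > 1)


def separate_crypto_acl(config, shared, new_name):
    """Return a config in which the crypto map uses a clone of `shared` named
    `new_name`, leaving the original ACL in place for nat 0 (the reply's fix)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    clones = []
    last_entry = -1
    for i, line in enumerate(lines):
        match = ACL_USE_PATTERNS["crypto-map"].match(line)
        if match and match.group(1) == shared:
            # Repoint only the crypto map reference; nat 0 keeps the original.
            lines[i] = line[: match.start(1)] + new_name
        prefix = f"access-list {shared} "
        if line.startswith(prefix):
            clones.append(f"access-list {new_name} " + line[len(prefix):])
            last_entry = i
    if last_entry < 0:
        raise ValueError(f"no access-list entries named {shared!r}")
    # Place the cloned ACL directly after the last entry of the original.
    lines[last_entry + 1:last_entry + 1] = clones
    return "\n".join(lines)


if __name__ == "__main__":
    print("shared ACLs (shared config):", shared_acls(SHARED_ACL_CONFIG))
    print("shared ACLs (separated config):", shared_acls(SEPARATED_CONFIG))
    print(separate_crypto_acl(SHARED_ACL_CONFIG, "nonat", "100"))
```

Run it against a `show running-config` dump before launching PDM; an empty result from `shared_acls` means no ACL is referenced twice under the recognised commands. The rewrite deliberately clones rather than moves the entries, because the nonat ACL must keep covering every VPN subnet while each crypto map entry only sees its own peer's traffic.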