06-30-2006 10:57 AM - edited 03-09-2019 03:27 PM
I am new to the PIX 515E. I am trying to use the PDM software, but every time I log in I get an error about an unsupported command statement. I am not sure how to fix the statement without messing up the config. Would anyone please let me know what statement should be removed, or the fix to this problem?
06-30-2006 11:13 AM
Hi,
This is quite common when certain ACL commands exist in your config and are not supported/recognised by PDM. Check the ACLs again, especially the ACL tied to nat 0.
Rgds,
AK
07-03-2006 03:11 AM
It does not like you using the same "no NAT" ACL on two interfaces.
Duplicate the ACL under another name and apply that to nat 0 on one interface instead.
07-03-2006 04:23 AM
PDM will do this if you use one access-list in two separate locations
(http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdmrn30.htm#94255).
I'm assuming you have something like the following in your config:
access-list nonat permit ip 10.x.x.x
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat
PDM will not allow this and will put you into monitor mode. What you need to do (which is a better configuration method anyway) is separate the ACLs with the following:
access-list nonat permit ip 10.x.x.x
nat (inside) 0 access-list nonat
access-list 100 permit ip 10.x.x.x
crypto map mymap 10 match address 100
This separates your crypto and your nonat ACLs. When you only have one IPSec peer, a lot of people do use the same ACL for both, which is fine, but as you've seen it makes PDM barf. Separating the two ACLs is much better because if at some point later you add a second, third, etc. IPSec peer, you simply add a new encryption ACL for the new traffic and add that to your existing nonat ACL.
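The condition described in the reply above (one ACL bound to both nat 0 and a crypto map) is easy to check for before opening PDM. The script below is an added example, not code from the original thread or from Cisco; it parses a constructed PIX 6.x style configuration (the addresses, the map name "mymap" and the "-crypto" suffix are assumptions), reports any ACL referenced from more than one place, and emits a rewritten copy that duplicates the shared ACL under a new name for the crypto map while leaving nat 0 on the original, which is the split the reply recommends.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample config (hypothetical addresses) showing the problem pattern:
# the ACL "nonat" is consumed by both "nat (inside) 0" and a crypto map entry.
SAMPLE_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat
crypto map mymap 20 match address 100
"""

# The two consumers of an ACL that the thread talks about.
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
CRYPTO_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)")


def acl_references(config: str) -> Dict[str, List[str]]:
    """Map each ACL name to the nat 0 / crypto map lines that reference it."""
    refs = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        for rx in (NAT0_RE, CRYPTO_RE):
            m = rx.match(line)
            if m:
                refs[m.group(1)].append(line)
    return dict(refs)


def shared_acls(config: str) -> Dict[str, List[str]]:
    """Return only ACLs bound in more than one place: the pattern PDM rejects."""
    return {name: lines for name, lines in acl_references(config).items()
            if len(lines) > 1}


def suggest_split(config: str, suffix: str = "-crypto") -> List[str]:
    """Rewrite the config so every shared ACL is duplicated under <name><suffix>
    and the crypto map entries point at the copy; nat 0 keeps the original."""
    shared = shared_acls(config)
    out: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        acl_name = parts[1] if len(parts) > 2 and parts[0] == "access-list" else None
        if acl_name in shared:
            # keep the original entry and add a copy right after it
            out.append(line)
            out.append(line.replace(f"access-list {acl_name} ",
                                    f"access-list {acl_name}{suffix} ", 1))
            continue
        m = CRYPTO_RE.match(line)
        if m and m.group(1) in shared:
            out.append(line.replace(f"match address {m.group(1)}",
                                    f"match address {m.group(1)}{suffix}"))
            continue
        out.append(line)
    return out


if __name__ == "__main__":
    for name, lines in shared_acls(SAMPLE_CONFIG).items():
        print(f"ACL {name} is referenced in {len(lines)} places:")
        for l in lines:
            print("   ", l)
    print("\nSuggested configuration:")
    print("\n".join(suggest_split(SAMPLE_CONFIG)))
```

Run it against a saved `show run` (replace `SAMPLE_CONFIG` with the file contents) before touching the box; the rewritten output is a proposal to review, not something to paste blindly, since the `-crypto` name and the placement of the duplicated lines are choices you may want to adjust.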