Cisco Support Community
New Member

Unsupported command found

I am new to the PIX 515E. I am trying to use the PDM software, but every time I log in I get an error about an unsupported command statement. I am not sure how to fix the statement without messing up the config. Would anyone please let me know what statement should be removed or the fix to this problem?

3 REPLIES

Re: Unsupported command found

Hi,

This is quite common when certain ACL commands exist in your config and are not supported/recognised by PDM. Check the ACLs again, especially the ACL tied to nat 0.

Rgds,

AK

Re: Unsupported command found

It does not like you using the same "no NAT" ACL on two interfaces.

Duplicate the ACL under another name and apply that to nat 0 on one interface instead.

Gold

Re: Unsupported command found

PDM will do this if you use one access-list in two separate locations (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdmrn30.htm#94255).

I'm assuming you have something like the following in your config:

access-list nonat permit ip 10.x.x.x 192.168.x.x

nat (inside) 0 access-list nonat

crypto map mymap 10 match address nonat

PDM will not allow this and will put you into monitor mode. What you need to do (which is a better configuration method anyway) is separate the ACLs with the following:

access-list nonat permit ip 10.x.x.x 192.168.x.x

nat (inside) 0 access-list nonat

access-list 100 permit ip 10.x.x.x 192.168.x.x

crypto map mymap 10 match address 100

This separates your crypto and your nonat ACLs. When you only have one IPSec peer then a lot of people do use the same ACL for both, which is fine, but as you've seen it makes PDM barf. Separating the two ACLs is much better because if at some point later you add a second, third, etc. IPSec peer, you simply add a new encryption ACL for the new traffic, and add that to your existing nonat ACL.
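A quick way to find the offending ACL before opening PDM, as an added example that is not part of the original thread: the script below scans a saved PIX configuration for any access-list referenced by more than one `nat 0` or `crypto map ... match address` statement. The sample config, its addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (addresses are placeholders), modelled on the thread.
SAMPLE_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (dmz) 0 access-list nonat
crypto map mymap 10 match address nonat
crypto map mymap 20 match address 100
"""

# Statements that reference an ACL by name; the name is the last capture group.
REFERENCE_PATTERNS = [
    re.compile(r"^nat \((\S+)\) 0 access-list (\S+)"),
    re.compile(r"^crypto map (\S+ \d+) match address (\S+)"),
]

def acl_references(config_text):
    """Map each ACL name to the config lines that reference it."""
    refs = defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        for pattern in REFERENCE_PATTERNS:
            match = pattern.match(line)
            if match:
                refs[match.group(2)].append(line)
    return dict(refs)

def shared_acls(config_text):
    """Return only the ACLs that are referenced from more than one statement."""
    return {acl: uses
            for acl, uses in acl_references(config_text).items()
            if len(uses) > 1}

if __name__ == "__main__":
    for acl, uses in shared_acls(SAMPLE_CONFIG).items():
        print(f"ACL '{acl}' is referenced by {len(uses)} statements:")
        for use in uses:
            print(f"    {use}")
```

Each ACL it reports needs a copy under a new name for all but one of the listed statements, as the replies above describe.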
