Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


PIX501: Cisco VPN to Netscreen 5XP Error multiple uses of a given ACL

Posted on 2004-10-28
Medium Priority
Last Modified: 2013-11-16
                    !!---Pix501- - -!!- - - -
                                                      - - - ! - - -
                                                    ! Internet ! -  - - - -
                                                      - - - - - - -            !
                                                                   !! Netscreen 5XP !!
                                                                                  !                                                                                                                               192.168.101.x

Trying to insert following codes from Cisco link for VPN with Netscreen device and getting error on this command:

crypto map mymap 10 match address nonat

"PDM has encountered a firewall config cmd that PDM doest support. Configuration parsing has been stopped. PDM access is now limited to the Home and monitoring views during current session. PDM does not support multiple uses of a given Access Control List."


!--- Access control list (ACL) for interesting traffic to be encrypted and
!--- to bypass the Network Address Translation (NAT) process
access-list nonat permit ip

!--- IP addresses on the interfaces
ip address outside
ip address inside

!--- Bypass of NAT for IPSec interesting inside network traffic
nat (inside) 0 access-list nonat
nat (inside) 1 0 0

!--- Default gateway to the Internet
route outside

!--- This command avoids applied ACLs or conduits on encrypted packets
sysopt connection permit-ipsec

!--- Configuration of IPSec Phase 2
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address nonat                         **// Problem Line//**

crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside

!--- Configuration of IPSec Phase 1
isakmp enable outside

!--- Internet Key Exchange (IKE) pre-shared key
!--- that the peers will use to authenticate
isakmp key testme address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Any help how to setup this VPN. Thanks,

Question by:sfaruqi
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2

Author Comment

ID: 12434775
This is the current config where I tried inserting codes from url link in PDM multiple command send option.

Building configuration...
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewalltest
domain-name ciscopixtest.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
object-group service RmDskTp tcp
  description Remote Desk Top
  port-object range 3389 3389
object-group service Port5451http tcp
  description Http Port 5451
  port-object range 5451 5451
access-list outside_access_in permit tcp any interface outside eq 5452
access-list outside_access_in permit tcp any interface outside eq 5455
access-list outside_access_in permit tcp any interface outside eq 5451
access-list nonat permit ip
pager lines 24
mtu outside 1500
mtu inside 1500

!--- Verizon DSL (Static)
ip address outside

!--- Verizon DSL (Dymanic)
NO ip address outside pppoe setroute

!--- Company Server
NO ip address outside dhcp setroute

ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 130200
nat (inside) 1 0 0
static (inside,outside) tcp interface 5452 3389 netmask 0 0
static (inside,outside) tcp 5451 www netmask 0 0
static (inside,outside) tcp 5455 www netmask 0 0
access-group outside_access_in in interface outside
timeout xlate 1:00:00
timeout conn 0:33:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http outside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public%d
no snmp-server enable traps
no floodguard enable
crypto map mymap 10 ipsec-isakmp
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet outside
telnet timeout 5
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xyz
vpdn group pppoe_group ppp authentication pap
vpdn username xyz password ********* store-local
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
LVL 79

Accepted Solution

lrmoore earned 1600 total points
ID: 12435703
>access-list nonat permit ip

Create a 2nd access-list that is just the same that can be used by the crypto map
   access-list crypto permit ip

   crypto map mymap 10 match address crypto

Author Comment

ID: 12437662
Thanks Irmoore. I entered as you said and the PIX took perfectly without Error!

!--- Verizon DSL (Static)
ip address outside

For my VPN which is static, I understand that

route outside 1
ip address outside

What should be the above two "route outside" & "ip address outside", if I have to setup for pppoe or dhcp?

!--- Verizon DSL (Dymanic)
ip address outside pppoe setroute
!--- Company Server
ip address outside dhcp setroute

Actually I am testing my firewall at office where I have one Static IP to Netscreen and a dynamic IP to Pix501 but eventually I have to move it to remote location at president Home static IP.

Thanks again for your help.


Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
In this video you will find out how to export Office 365 mailboxes using the built in eDiscovery tool. Bear in mind that although this method might be useful in some cases, using PST files as Office 365 backup is troublesome in a long run (more on t…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question