PIX501: Cisco VPN to Netscreen 5XP Error multiple uses of a given ACL

                    !!---Pix501- - -!!- - - -
                                                      - - - ! - - -
                                                    ! Internet ! -  - - - -
                                                      - - - - - - -            !
                                                                   !! Netscreen 5XP !!
                                                                                  !                                                                                                                               192.168.101.x

Trying to insert following codes from Cisco link for VPN with Netscreen device and getting error on this command:

crypto map mymap 10 match address nonat

"PDM has encountered a firewall config cmd that PDM doest support. Configuration parsing has been stopped. PDM access is now limited to the Home and monitoring views during current session. PDM does not support multiple uses of a given Access Control List."


!--- Access control list (ACL) for interesting traffic to be encrypted and
!--- to bypass the Network Address Translation (NAT) process
access-list nonat permit ip

!--- IP addresses on the interfaces
ip address outside
ip address inside

!--- Bypass of NAT for IPSec interesting inside network traffic
nat (inside) 0 access-list nonat
nat (inside) 1 0 0

!--- Default gateway to the Internet
route outside

!--- This command avoids applied ACLs or conduits on encrypted packets
sysopt connection permit-ipsec

!--- Configuration of IPSec Phase 2
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address nonat                         **// Problem Line//**

crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside

!--- Configuration of IPSec Phase 1
isakmp enable outside

!--- Internet Key Exchange (IKE) pre-shared key
!--- that the peers will use to authenticate
isakmp key testme address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Any help how to setup this VPN. Thanks,

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

sfaruqiAuthor Commented:
This is the current config where I tried inserting codes from url link in PDM multiple command send option.

Building configuration...
: Saved
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfirewalltest
domain-name ciscopixtest.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
object-group service RmDskTp tcp
  description Remote Desk Top
  port-object range 3389 3389
object-group service Port5451http tcp
  description Http Port 5451
  port-object range 5451 5451
access-list outside_access_in permit tcp any interface outside eq 5452
access-list outside_access_in permit tcp any interface outside eq 5455
access-list outside_access_in permit tcp any interface outside eq 5451
access-list nonat permit ip
pager lines 24
mtu outside 1500
mtu inside 1500

!--- Verizon DSL (Static)
ip address outside

!--- Verizon DSL (Dymanic)
NO ip address outside pppoe setroute

!--- Company Server
NO ip address outside dhcp setroute

ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm location outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 130200
nat (inside) 1 0 0
static (inside,outside) tcp interface 5452 3389 netmask 0 0
static (inside,outside) tcp 5451 www netmask 0 0
static (inside,outside) tcp 5455 www netmask 0 0
access-group outside_access_in in interface outside
timeout xlate 1:00:00
timeout conn 0:33:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http outside
http inside
no snmp-server location
no snmp-server contact
snmp-server community public%d
no snmp-server enable traps
no floodguard enable
crypto map mymap 10 ipsec-isakmp
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet outside
telnet timeout 5
ssh timeout 60
console timeout 0
vpdn group pppoe_group request dialout pppoe
vpdn group pppoe_group localname xyz
vpdn group pppoe_group ppp authentication pap
vpdn username xyz password ********* store-local
dhcpd address inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
>access-list nonat permit ip

Create a 2nd access-list that is just the same that can be used by the crypto map
   access-list crypto permit ip

   crypto map mymap 10 match address crypto

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sfaruqiAuthor Commented:
Thanks Irmoore. I entered as you said and the PIX took perfectly without Error!

!--- Verizon DSL (Static)
ip address outside

For my VPN which is static, I understand that

route outside 1
ip address outside

What should be the above two "route outside" & "ip address outside", if I have to setup for pppoe or dhcp?

!--- Verizon DSL (Dymanic)
ip address outside pppoe setroute
!--- Company Server
ip address outside dhcp setroute

Actually I am testing my firewall at office where I have one Static IP to Netscreen and a dynamic IP to Pix501 but eventually I have to move it to remote location at president Home static IP.

Thanks again for your help.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.