PIX501: Cisco VPN to Netscreen 5XP Error multiple uses of a given ACL

Posted on 2004-10-28
Last Modified: 2013-11-16
Topology (from the ASCII diagram in the original post): Pix501 --- Internet --- Netscreen 5XP --- 192.168.101.x

Trying to insert the following config from a Cisco link for a VPN with a Netscreen device, and getting an error on this command:

crypto map mymap 10 match address nonat

"PDM has encountered a firewall config cmd that PDM doest support. Configuration parsing has been stopped. PDM access is now limited to the Home and monitoring views during current session. PDM does not support multiple uses of a given Access Control List."

!--- Access control list (ACL) for interesting traffic to be encrypted and
!--- to bypass the Network Address Translation (NAT) process
access-list nonat permit ip

!--- IP addresses on the interfaces
ip address outside
ip address inside

!--- Bypass of NAT for IPSec interesting inside network traffic
nat (inside) 0 access-list nonat
nat (inside) 1 0 0

!--- Default gateway to the Internet
route outside

!--- This command avoids applied ACLs or conduits on encrypted packets
sysopt connection permit-ipsec

!--- Configuration of IPSec Phase 2
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address nonat                         **// Problem Line//**

crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside

!--- Configuration of IPSec Phase 1
isakmp enable outside

!--- Internet Key Exchange (IKE) pre-shared key
!--- that the peers will use to authenticate
isakmp key testme address netmask
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Any help on how to set up this VPN? Thanks,

Question by: sfaruqi

    Author Comment

    This is the current config, where I tried inserting the commands from the URL link using the PDM multiple-command send option.

    Building configuration...
    : Saved
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewalltest
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    object-group service RmDskTp tcp
      description Remote Desk Top
      port-object range 3389 3389
    object-group service Port5451http tcp
      description Http Port 5451
      port-object range 5451 5451
    access-list outside_access_in permit tcp any interface outside eq 5452
    access-list outside_access_in permit tcp any interface outside eq 5455
    access-list outside_access_in permit tcp any interface outside eq 5451
    access-list nonat permit ip
    pager lines 24
    mtu outside 1500
    mtu inside 1500

    !--- Verizon DSL (Static)
    ip address outside

    !--- Verizon DSL (Dynamic)
    NO ip address outside pppoe setroute

    !--- Company Server
    NO ip address outside dhcp setroute

    ip address inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (inside) 130200
    nat (inside) 1 0 0
    static (inside,outside) tcp interface 5452 3389 netmask 0 0
    static (inside,outside) tcp 5451 www netmask 0 0
    static (inside,outside) tcp 5455 www netmask 0 0
    access-group outside_access_in in interface outside
    timeout xlate 1:00:00
    timeout conn 0:33:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http outside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public%d
    no snmp-server enable traps
    no floodguard enable
    crypto map mymap 10 ipsec-isakmp
    isakmp policy 10 authentication rsa-sig
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet outside
    telnet timeout 5
    ssh timeout 60
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xyz
    vpdn group pppoe_group ppp authentication pap
    vpdn username xyz password ********* store-local
    dhcpd address inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80

    Accepted Solution

    >access-list nonat permit ip

    Create a 2nd access-list that is just the same, which can be used by the crypto map:
       access-list crypto permit ip

       crypto map mymap 10 match address crypto

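As an added example (not from the question or the accepted answer), a small Python checker that finds the condition PDM complains about: one ACL bound by both `nat 0` and a `crypto map ... match address`, with the duplicate-ACL workaround shown as the "after" config. The sample configs are constructed; the 192.168.1.0/24 inside network is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample configs (not from the page); the 192.168.1.0/24 inside net is assumed.
BEFORE = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat
"""
AFTER = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address crypto
"""

# PIX 6.x commands that bind an ACL by name; only these three are checked.
ACL_CONSUMERS = [
    re.compile(r"^nat \(\S+\) 0 access-list (\S+)$"),
    re.compile(r"^crypto map \S+ \d+ match address (\S+)$"),
    re.compile(r"^access-group (\S+) in interface \S+$"),
]
ACL_DEFINITION = re.compile(r"^access-list (\S+) ")


def acl_references(config):
    """Map each ACL name to the config lines that bind it."""
    refs = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and !--- comments
        for pat in ACL_CONSUMERS:
            m = pat.match(line)
            if m:
                refs[m.group(1)].append(line)
    return dict(refs)

def acl_definitions(config):
    """Names of ACLs that have at least one access-list entry."""
    return {m.group(1) for raw in config.splitlines()
            if (m := ACL_DEFINITION.match(raw.strip()))}

def pdm_conflicts(config):
    """ACLs bound by more than one consumer; PDM rejects these as 'multiple uses'."""
    return {n: l for n, l in acl_references(config).items() if len(l) > 1}

def undefined_acls(config):
    """ACLs that are bound but never defined (name typo, or entries lost on paste)."""
    return set(acl_references(config)) - acl_definitions(config)
```

Running `pdm_conflicts` over a full `show run` dump before pushing it through PDM catches the reuse up front instead of losing PDM access for the session.
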
    Author Comment

    Thanks Irmoore. I entered it as you said and the PIX took it perfectly without error!

    !--- Verizon DSL (Static)
    ip address outside

    For my VPN which is static, I understand that

    route outside 1
    ip address outside

    What should the above two lines, "route outside" and "ip address outside", be if I have to set this up for pppoe or dhcp?

    !--- Verizon DSL (Dynamic)
    ip address outside pppoe setroute
    !--- Company Server
    ip address outside dhcp setroute

    Actually I am testing my firewall at the office, where I have one static IP for the Netscreen and a dynamic IP for the Pix501, but eventually I have to move it to a remote location at the president's home, which has a static IP.

    Thanks again for your help.

