PIX501: Cisco VPN to Netscreen 5XP Error multiple uses of a given ACL

Posted on 2004-10-28
Last Modified: 2013-11-16
VPN:
        192.168.100.x
              !
    !!--- Pix501 ---!! - - - - 141.157.215.104
                                   !
                             - - - ! - - -
                           ! Internet ! - - - - -
                             - - - - - - -        !
                                                  !
                                          141.157.215.141
                                                  !
                                          !! Netscreen 5XP !!
                                                  !
                                          192.168.101.x

I am trying to insert the following configuration from the Cisco link below for a VPN with a Netscreen device, and I am getting an error on this command:

crypto map mymap 10 match address nonat

"PDM has encountered a firewall config cmd that PDM doesn't support. Configuration parsing has been stopped. PDM access is now limited to the Home and monitoring views during current session. PDM does not support multiple uses of a given Access Control List."

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801c4445.shtml

!--- Access control list (ACL) for interesting traffic to be encrypted and
!--- to bypass the Network Address Translation (NAT) process
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

!--- IP addresses on the interfaces
ip address outside 141.157.215.104 255.255.255.0
ip address inside 192.168.100.1 255.255.255.0

!--- Bypass of NAT for IPSec interesting inside network traffic
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

!--- Default gateway to the Internet
route outside 0.0.0.0 0.0.0.0 141.157.215.1

!--- This command avoids applied ACLs or conduits on encrypted packets
sysopt connection permit-ipsec

!--- Configuration of IPSec Phase 2
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp

crypto map mymap 10 match address nonat                         **// Problem Line//**

crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 68.236.165.186
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside

!--- Configuration of IPSec Phase 1
isakmp enable outside

!--- Internet Key Exchange (IKE) pre-shared key
!--- that the peers will use to authenticate
isakmp key testme address 141.157.215.144 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Any help on how to set up this VPN would be appreciated. Thanks,

faruqi
Question by:sfaruqi
    3 Comments
     

    Author Comment

    by:sfaruqi
    This is the current config, into which I tried inserting the commands from the URL link using PDM's multiple-command send option.

    Building configuration...
    : Saved
    :
    PIX Version 6.3(1)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pixfirewalltest
    domain-name ciscopixtest.com
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    names
    object-group service RmDskTp tcp
      description Remote Desk Top
      port-object range 3389 3389
    object-group service Port5451http tcp
      description Http Port 5451
      port-object range 5451 5451
    access-list outside_access_in permit tcp any interface outside eq 5452
    access-list outside_access_in permit tcp any interface outside eq 5455
    access-list outside_access_in permit tcp any interface outside eq 5451
    access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500

    !--- Verizon DSL (Static)
    ip address outside 141.157.215.104

    !--- Verizon DSL (Dynamic)
    NO ip address outside pppoe setroute

    !--- Company Server
    NO ip address outside dhcp setroute

    ip address inside 192.168.100.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.100.6 255.255.255.255 outside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (inside) 130200 192.168.100.130-192.168.100.200
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 5452 192.168.100.2 3389 netmask 255.255.255.255 0 0
    static (inside,outside) tcp 141.157.233.104 5451 192.168.100.2 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp 141.157.233.104 5455 192.168.100.12 www netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    timeout xlate 1:00:00
    timeout conn 0:33:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public%d
    no snmp-server enable traps
    no floodguard enable
    crypto map mymap 10 ipsec-isakmp
    isakmp policy 10 authentication rsa-sig
    isakmp policy 10 encryption des
    isakmp policy 10 hash sha
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh timeout 60
    console timeout 0
    vpdn group pppoe_group request dialout pppoe
    vpdn group pppoe_group localname xyz
    vpdn group pppoe_group ppp authentication pap
    vpdn username xyz password ********* store-local
    dhcpd address 192.168.100.2-192.168.100.129 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    terminal width 80
    [OK]

    Accepted Solution

    by:
    >access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

    Create a 2nd access-list that is just the same that can be used by the crypto map
       access-list crypto permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

       crypto map mymap 10 match address crypto
           
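    Added example (not code from this thread, from Cisco, or from Experts Exchange): a small Python check that does what PDM does before it gives up. It scans a PIX 6.x config for an access-list referenced by more than one consumer (nat 0, crypto map match address, access-group), which is exactly the condition behind "PDM does not support multiple uses of a given Access Control List", and as a second check reports any crypto-map peer that has no matching "isakmp key ... address" entry, since the snippet in the question sets the peer to 68.236.165.186 but keys 141.157.215.144. The two configs inside it are constructed from the lines posted above; the "fixed" one applies the duplicate-ACL answer and, as an assumption taken from the diagram, uses 141.157.215.141 for both the peer and the key.

```python
"""Lint a PIX 6.x config for the two problems in this thread.

Added example, not code from the thread, from Cisco or from the PIX.
Run it directly to see the findings for the posted config and for the
config with the accepted answer applied.
"""
import re
from collections import defaultdict

# Consumers that reference an ACL by name in PIX 6.x syntax.
ACL_USERS = [
    ("nat 0", re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")),
    ("crypto map", re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)")),
    ("access-group", re.compile(r"^access-group\s+(\S+)\s+in\s+interface")),
]
PEER_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+set\s+peer\s+(\S+)")
KEY_RE = re.compile(r"^isakmp\s+key\s+\S+\s+address\s+(\S+)")

# Constructed from the lines posted in the question (shared ACL, mismatched peer/key).
ORIGINAL_CONFIG = """\
access-list outside_access_in permit tcp any interface outside eq 5452
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set peer 68.236.165.186
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside
isakmp key testme address 141.157.215.144 netmask 255.255.255.255
"""

# Same config with the accepted answer applied (second, identical ACL for the
# crypto map).  Assumption: the Netscreen's outside address is 141.157.215.141
# as drawn in the diagram, so peer and isakmp key are set to that one address.
FIXED_CONFIG = """\
access-list outside_access_in permit tcp any interface outside eq 5452
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list crypto permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address crypto
crypto map mymap 10 set peer 141.157.215.141
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside
isakmp key testme address 141.157.215.141 netmask 255.255.255.255
"""


def acl_consumers(config):
    """Map each ACL name to the consumer kinds that reference it, in config order."""
    uses = defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        for kind, pattern in ACL_USERS:
            match = pattern.match(line)
            if match:
                uses[match.group(1)].append(kind)
    return dict(uses)


def shared_acls(config):
    """ACLs PDM rejects: referenced by more than one consumer."""
    return {name: kinds for name, kinds in acl_consumers(config).items()
            if len(kinds) > 1}


def peers_without_key(config):
    """Crypto-map peers with no 'isakmp key <key> address <peer>' entry."""
    peers, keyed = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if (match := PEER_RE.match(line)):
            peers.add(match.group(1))
        if (match := KEY_RE.match(line)):
            keyed.add(match.group(1))
    return sorted(peers - keyed)


def report(config):
    """Human-readable findings; an empty list means both checks passed."""
    findings = []
    for name, kinds in shared_acls(config).items():
        findings.append(f"ACL '{name}' is used by {', '.join(kinds)}: "
                        "PDM will stop parsing; give the crypto map its own ACL")
    for peer in peers_without_key(config):
        findings.append(f"peer {peer} has no matching 'isakmp key ... address' entry")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", ORIGINAL_CONFIG), ("fixed config", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in report(cfg) or ["no findings"]:
            print(" -", finding)
```

    The two lists are the same as before for the PIX itself; the restriction is PDM's, and the second ACL only exists so that the GUI can still parse the config. Keep both ACLs identical whenever the interesting-traffic definition changes, otherwise the nat 0 exemption and the crypto map will disagree about which traffic goes into the tunnel.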
     

    Author Comment

    by:sfaruqi
    Thanks Irmoore. I entered it as you said and the PIX took it perfectly without error!

    !--- Verizon DSL (Static)
    ip address outside 141.157.215.104

    For my VPN, which is static, I understand that

    route outside 0.0.0.0 0.0.0.0 141.157.215.1 1
    ip address outside 141.157.215.104 255.255.255.0

    What should the above two lines, "route outside" and "ip address outside", be if I have to set it up for PPPoE or DHCP?

    !--- Verizon DSL (Dynamic)
    ip address outside pppoe setroute
    !--- Company Server
    ip address outside dhcp setroute

    Actually, I am testing my firewall at the office, where I have one static IP on the Netscreen and a dynamic IP on the PIX 501, but eventually I have to move it to a remote location at the president's home, which has a static IP.

    Thanks again for your help.

    faruqi