?
Solved

Unsupported Command Found - when loading PDM - Cisco PIX Firewall

Posted on 2007-07-20
6
Medium Priority
?
617 Views
Last Modified: 2008-01-09
Hello,
I inherited a cisco pix firewall network and I know very basic cisco commands.  I manage other firewalls and vpn (checkpoint, etc.) but am unfamiliar with pix except basic stuff.  I had some help getting the PDM installed.  In loading it, I am only able to monitor and view and not make config changes.  The error is
"Unsupported Command Found
PDM has encountered a PIX firewall configuration command statement that
PDM does not support.............
"access control list vpnrule is applied to interface for outside nat 0  and vpn client group VPNTunnel for split tunneling.  PDM does not support multiple uses of a given access control list."

I don't want to change this without knowing what I am doing as I don't want to break anything.
Here is a copy of the config.  Any help would be highly appreciated.

interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password nnrqBhjuoeN1EujYGU encrypted
passwd 2KFQnbNIdI.45KYOU encrypted
hostname fw01.cv
domain-name arborwell.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit tcp any host 213.21.142.163 eq citrix-ica
access-list outside_access_in permit tcp any host 213.21.142.163 eq 3389
access-list outside_access_in permit tcp any host 213.21.142.164 eq www
access-list outside_access_in permit tcp any host 213.21.142.164 eq smtp
access-list outside_access_in permit tcp any host 213.21.142.165 eq citrix-ica
access-list outside_access_in permit tcp any host 213.21.142.165 eq 3389
access-list vpnrule permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
pager lines 24
logging on
logging timestamp
logging buffered errors
logging trap errors
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 213.21.142.162 255.255.255.248
ip address inside 192.168.1.254 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNpool 192.168.1.2-192.168.1.50
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpnrule
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 213.21.142.163 192.168.1.251 netmask 255.255.255.255 0 0
static (inside,outside) 213.21.142.164 192.168.1.200 netmask 255.255.255.255 0 0
static (inside,outside) 213.21.142.165 192.168.1.201 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 21.24.132.161 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
ntp server 209.81.9.7 source outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup VPNtunnel address-pool VPNpool
vpngroup VPNtunnel dns-server 192.168.1.10
vpngroup VPNtunnel default-domain asterdog.local
vpngroup VPNtunnel split-tunnel vpnrule
vpngroup VPNtunnel idle-time 1800
vpngroup VPNtunnel password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
username mmorgan password A9rtrlrLtdPYazx/ encrypted privilege 2
username rcallis password i267OnOKyql2Vw5w encrypted privilege 2
username berne password breufodofi878787 encrypted privilege 2
Cryptochecksum:d4fa1866769fbeb7ff4890fd32890725
0
Comment
Question by:fitzpab
  • 3
  • 3
6 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 19536053
Pretty simple to overcome:
Given:
> access-list vpnrule permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

Add this:
 access-listnat_zero permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
 no nat (inside) 0 access-list vpnrule
 nat (inside) 0 access-list nat_zero

Done.
0
 
LVL 1

Author Comment

by:fitzpab
ID: 19536369
Do I then delete this rule?
> access-list vpnrule permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0

what about this rule?
vpngroup VPNtunnel split-tunnel vpnrule

0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19536387
No, keep it. You will then have 2 acls that are essentially the same.
1 applied to nat 0
1 applied to the split-tunnel
PDM is happy
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:fitzpab
ID: 19536687
Cool...I'll try this on monday and close out this questions
0
 
LVL 1

Author Comment

by:fitzpab
ID: 19561480
Thanks!   This worked like a charm.
In case anyone views this, the command was missing a space between ...list and nat...
access-list nat_zero permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 19564434
Sorry about that. Typo on my part...
0

Featured Post

 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
As managed cloud service providers, we often get asked to intervene when cloud deployments go awry. Attracted by apparent ease-of-use, flexibility and low computing costs, companies quickly adopt leading public cloud platforms such as Amazon Web Ser…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question