PDM does not support multiple uses of a given

Hello, I am trying to configure VPN connection between two sites. Going through 'Site-to-site VPN configuration Examples' I got nothing succesfull apart of blocking PDM. I was trying to resolve the problem using google- also unsuccesful.

Second question: is it possible to set site to site vpn connection when my firewall got non-routable address on the outside?? (192.168.2.91) Could anybody help me?

maciejk

: Saved : Written by enable_15 at 07:16:24.054 UTC Fri Aug 4 2006 PIX Version 6.3(3) interface ethernet0 100full interface ethernet1 100full interface ethernet2 auto shutdown nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 dirty security50 enable password T.OHIqZ2tcoK60qH encrypted passwd 2KFQnbNIdI.2KYOU encrypted hostname a-novo.pl domain-name a-novo.pl fixup protocol dns maximum-length 512 fixup protocol ftp 21 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol http 80 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol sip 5060 fixup protocol sip udp 5060 fixup protocol skinny 2000 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol tftp 69 names name 10.55.100.0 ItaliaETR access-list inside_access_in permit ip any any access-list outside_access_in permit ip any any access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 ItaliaETR 255.255.252.0 access-list inside_outbound_nat0_acl permit ip ItaliaETR 255.255.252.0 any access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 ItaliaETR 255.255.252.0 pager lines 24 logging on mtu outside 1500 mtu inside 1500 mtu dirty 1500 ip address outside 192.168.20.91 255.255.255.0 ip address inside 192.168.0.1 255.255.255.0 ip address dirty 10.0.2.1 255.0.0.0 ip audit info action alarm ip audit attack action alarm no failover failover timeout 0:00:00 failover poll 15 no failover ip address outside no failover ip address inside no failover ip address dirty pdm location 192.168.0.5 255.255.255.255 inside pdm location ItaliaETR 255.255.252.0 outside pdm location ItaliaETR 255.255.252.0 inside pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list inside_outbound_nat0_acl nat (inside) 1 192.168.0.0 255.255.255.0 0 0 access-group outside_access_in in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 192.168.20.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225

1:00:00 timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 192.168.0.0 255.255.255.0 inside http 192.168.0.5 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec sysopt connection permit-pptp sysopt connection permit-l2tp crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto map outside_map 20 ipsec-isakmp crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer DEST_IP crypto map outside_map 20 set transform-set ESP-3DES-SHA crypto map ouitside_map interface outside isakmp enable outside isakmp enable inside isakmp key ******** address DEST_IP netmask 255.255.255.255 no-xauth no-config-mode isakmp nat-traversal 20 isakmp policy 20 authentication pre-share isakmp policy 20 encryption 3des isakmp policy 20 hash sha isakmp policy 20 group 2 isakmp policy 20 lifetime 86400 telnet timeout 5 ssh timeout 5 console timeout 0 terminal width 80
Reply to
Maciej Krzeminski
Loading thread data ...

PDM does not support multiple uses of a given ... Access Control list

mk

Reply to
Maciej Krzeminski

FREE UPDATE TO 6.3(5)

You almost certainly don't want your outside_access_in to be that way: it permits all incoming connections to be attempted.

You do not need your inside_access_in to be like that. If you want all connections to be permitted outward, then just do not have an access-group applied to the inside interface.

name 10.55.100.0 ItaliaETR

ItaliaETR 255.255.252.0

Only the first of those two lines is needed.

255.255.252.0

That's likely to be the source of several problems in your configuration. Everthing else is written as if 10.55.100.0 255.255.252.0 is "outside", but the netmask you have on the interface named "dirty" is such that

10.55.100.0 is in the address space of the "dirty" interface.

That will not make any real functional difference, but the same host cannot be both inside and outside.

You do not appear to need the latter two permit-* .

That map name is not the same as the one you configured. If you copied exactly what was in your configuration then that extra 'i' in ouitside_map would be enough to keep your VPN from working.

It is quite uncommon to need to enable isakmp on your inside interface. I have had my reasons for doing it, but the configuration in my case looked much different than yours.

Yes. The remote end will need to configure the peer address to reflect the static public IP that your 192.168.2.91 gets translated to by the time it reaches them.

If you ultimately do not have a static public IP assigned to you, then you would leave the configuration you have shown as-is, but on the other end you would need to configure a "crypto dynamic map".

The restriction arises because if there is no fixed IP address available to reach your firewall, then it isn't possible [on PIX] to specify that no-fixed-address in a crypto map "set peer" statement, and therefore no way for the other PIX to initiate a connection to you, because it doesn't know what your current IP is. But on the firewall whose address might change, you know the fixed IP of the other end, so the firewall with the varying IP is able to start a connection to the other end at any time.

Reply to
Walter Roberson

Do you regulate who can go outside using the VPNclient? I'm trying to use a sort of authentication to decide who can pass through the device and who can't. In my case I need just authentication, not encryption.

Or maybe are you lending your inside network to someone else who doesn't trust you? I mean, do you permit to them to pass your network through being encrypted?

Alex.

Reply to
AM

No... ?

I don't see the connection between that and enabling isakmp on the inside interface. enabling isakmp is for the case where you need to terminate a connection on that interface; having isakmp pass-through to somewhere else goes through completely different logic. PIX 6 cannot, as far as I can think, do proxy isakmp: it isn't one of the protocols supported by the AAA mechanisms.

I have had two reasons for enabling isakmp on an inside interface:

1) To allow me to test and experiment with the VPN client and with LAN-to-LAN connections locally, in preperation for outside deployment; 2) I had a configuration in which I needed an inside PIX to proxy connections -- places that our main regional office could reach directly, but which our remote offices were blocked to. It happens that the easiest way to do that is to "reverse" a firewall, so that the remote offices come in over a VPN to the -inside- interface of a PIX, with the remote packets then getting NAT'd in the regional address space as they passed outward through the outside PIX interface.
Reply to
Walter Roberson

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.