can't delete ACL

 
 
cisco
11-15-2007
Hi All: I was trying to clean out some old configuration lines in my 506e
(6.3(4)) config prior to setting up a pix-to-pix VPN. I was able to get the
VPN set up using some CLI examples, and it's working fine, but now I can't
load PDM and am getting the "multiple uses of ACL" error.

I've been trying to delete some more lines to try to identify the problem,
but the commands, even when successful, do not seem to be getting saved when
using the CLI from the PDM interface.

My config is below.

The only thing I need to preserve is the VPN between 192.168.0.x and
192.168.1.x.

"vlan20" is not necessary.

Is the line:

nat (inside) 0 sql-pix 255.255.255.255 0 0


causing the problem? If so, it's not necessary, but trying to delete it from
the CLI doesn't work (error is "sql-pix" doesn't exist).

Also these lines

access-list inside_outbound_nat0_acl permit ip host joejob-sql 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host joejob-sql2 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.10.32 255.255.255.224
access-list inside_outbound_nat0_acl permit ip any 192.168.2.16 255.255.255.240

are left over from some client VPNs that were deleted. Any help would be
appreciated!


Result of firewall command: "show config"

: Saved
: Written by enable_15 at 03:19:09.103 PST Sat Nov 10 2007
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet1 vlan20 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan20 tempswitch security52
enable password RQPm7xkzY.37Q.Ne encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname joejobPIX-main
domain-name joejob.com
clock timezone PST -8
clock summer-time PDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.2 sql-pix
name 192.168.1.20 joejob-sql
name 192.168.1.21 joejob-sql2
name 207.206.235.246 mail
name 192.168.1.5 minimail
name 192.168.2.10 templan2
object-group service webservers tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq smtp
port-object range 497 497
port-object range 99 99
port-object range 3389 3389
object-group network webservices
network-object 192.168.1.6 255.255.255.255
network-object 192.168.1.7 255.255.255.255
network-object 192.168.1.10 255.255.255.255
network-object minimail 255.255.255.255
object-group network webservices_ref
network-object 207.206.235.243 255.255.255.255
network-object 207.206.235.244 255.255.255.255
network-object 207.206.235.245 255.255.255.255
network-object mail 255.255.255.255
object-group service mail tcp
port-object eq smtp
object-group service mail-udp udp
port-object range 407 407
access-list outside_access_in permit tcp any object-group webservices_ref object-group webservers
access-list outside_access_in permit tcp any host 207.206.235.245 object-group mail
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip host 192.168.1.6 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host 192.168.1.10 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host joejob-sql 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host joejob-sql2 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.10.32 255.255.255.224
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.2.16 255.255.255.240
access-list inside_outbound_nat0_acl permit ip host 192.168.1.10 192.168.2.16 255.255.255.240
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 207.206.235.242 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
ip address tempswitch 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 68.161.247.47 255.255.255.255 outside
pdm location 192.168.1.6 255.255.255.255 inside
pdm location 192.168.1.7 255.255.255.255 inside
pdm location 207.206.235.243 255.255.255.255 outside
pdm location 207.206.235.244 255.255.255.255 outside
pdm location 207.206.235.245 255.255.255.255 outside
pdm location 192.168.1.10 255.255.255.255 inside
pdm location sql-pix 255.255.255.255 inside
pdm location mail 255.255.255.255 outside
pdm location joejob-sql2 255.255.255.255 inside
pdm location joejob-sql 255.255.255.255 inside
pdm location minimail 255.255.255.255 inside
pdm location 207.158.46.215 255.255.255.255 outside
pdm location 192.168.0.0 255.255.255.0 outside
pdm location 192.168.10.32 255.255.255.224 outside
pdm location 192.168.2.16 255.255.255.240 outside
pdm location templan2 255.255.255.255 tempswitch
pdm group webservices inside
pdm group webservices_ref outside reference webservices
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_cryptomap_20
nat (inside) 0 sql-pix 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (outside,inside) 192.168.1.6 207.206.235.243 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.1.7 207.206.235.244 netmask 255.255.255.255 0 0
static (outside,inside) 192.168.1.10 207.206.235.245 netmask 255.255.255.255 0 0
static (outside,inside) minimail mail netmask 255.255.255.255 0 0
static (inside,outside) 207.206.235.243 192.168.1.6 netmask 255.255.255.255 0 0
static (inside,outside) 207.206.235.244 192.168.1.7 netmask 255.255.255.255 0 0
static (inside,outside) 207.206.235.245 192.168.1.10 netmask 255.255.255.255 0 0
static (inside,outside) mail minimail netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 207.206.235.241 1
route outside 207.206.235.243 255.255.255.255 192.168.1.6 1
route outside 207.206.235.244 255.255.255.255 192.168.1.7 1
route outside 207.206.235.245 255.255.255.255 192.168.1.10 1
route outside mail 255.255.255.255 minimail 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map_1 20 ipsec-isakmp
crypto map outside_map_1 20 match address outside_cryptomap_20
crypto map outside_map_1 20 set peer 200.0.0.50
crypto map outside_map_1 20 set transform-set strong
crypto map outside_map_1 interface outside
isakmp enable outside
isakmp key ******** address 200.0.0.50 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 45 authentication pre-share
isakmp policy 45 encryption 3des
isakmp policy 45 hash md5
isakmp policy 45 group 2
isakmp policy 45 lifetime 86400
telnet timeout 5
ssh 68.161.247.47 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address sql-pix-192.168.1.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username alfred_korn password f2mKLnt4eoMwYNJU encrypted privilege 15
username andrew_kagan password AMyxAR0GCXfFqU4L encrypted privilege 15
terminal width 80
Cryptochecksum:c232e0ee04207b1e8da7e47f17a57295
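
Two things are visible in the dump above and they are what a PDM load check trips over: the same access list, outside_cryptomap_20, is referenced both by "nat (inside) 0 access-list outside_cryptomap_20" and by "crypto map outside_map_1 20 match address outside_cryptomap_20", while inside_outbound_nat0_acl is defined but referenced by nothing. PDM on PIX 6.3 expects each access list to serve a single feature, which is the condition the "multiple uses of ACL" message names. The script below is an added example, not the poster's code and not a Cisco tool: it walks a "show config" dump, records which feature (nat 0 exemption, crypto map, access-group) references each access list, and reports lists shared between features, lists with no consumer, and references to lists that no longer have any entries. The embedded config is a constructed excerpt of the one posted above; the three reference patterns are the only ones it knows about.

```python
"""Find PIX 6.x access lists that are referenced by more than one feature.

Added example for this thread; SAMPLE_CONFIG is a constructed excerpt of the
posted "show config" output, embedded so the script runs offline.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
names
name 192.168.1.2 sql-pix
name 192.168.1.20 joejob-sql
access-list outside_access_in permit tcp any object-group webservices_ref object-group webservers
access-list inside_access_in permit ip any any
access-list inside_outbound_nat0_acl permit ip host joejob-sql 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list outside_cryptomap_20
nat (inside) 0 sql-pix 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
crypto map outside_map_1 20 ipsec-isakmp
crypto map outside_map_1 20 match address outside_cryptomap_20
"""

# Each pattern captures the ACL name; the tag names the feature that owns the reference.
# Only these three consumers are modelled (assumption: enough for this config).
REFERENCE_PATTERNS = (
    ("nat 0 exemption", re.compile(r"^nat \(\S+\) 0 access-list (\S+)")),
    ("crypto map", re.compile(r"^crypto map \S+ \d+ match address (\S+)")),
    ("access-group", re.compile(r"^access-group (\S+) in interface")),
)


def parse_acl_usage(config_text):
    """Return (defined, uses).

    defined: set of ACL names that have at least one access-list entry.
    uses:    dict mapping ACL name -> set of features that reference it.
    """
    defined = set()
    uses = defaultdict(set)
    for raw in config_text.splitlines():
        line = raw.strip()
        ace = re.match(r"^access-list (\S+) ", line)
        if ace:
            defined.add(ace.group(1))
            continue
        for feature, pattern in REFERENCE_PATTERNS:
            ref = pattern.match(line)
            if ref:
                uses[ref.group(1)].add(feature)
    return defined, dict(uses)


def find_shared_acls(config_text):
    """ACLs referenced by more than one feature: the condition PDM refuses to load."""
    _, uses = parse_acl_usage(config_text)
    return {name: sorted(feats) for name, feats in uses.items() if len(feats) > 1}


def find_unreferenced_acls(config_text):
    """ACLs that have entries but no consumer: leftovers that can be removed."""
    defined, uses = parse_acl_usage(config_text)
    return sorted(defined - set(uses))


def find_dangling_references(config_text):
    """Feature references to an ACL that has no entries left.

    Deleting every entry of an ACL with "no access-list ..." leaves the
    nat/crypto/access-group line pointing at nothing; this finds those.
    """
    defined, uses = parse_acl_usage(config_text)
    return sorted(set(uses) - defined)


if __name__ == "__main__":
    print("shared between features:", find_shared_acls(SAMPLE_CONFIG))
    print("defined but unreferenced:", find_unreferenced_acls(SAMPLE_CONFIG))
    print("referenced but empty:", find_dangling_references(SAMPLE_CONFIG))
```

On the posted config this reports outside_cryptomap_20 as shared between nat 0 exemption and the crypto map, and inside_outbound_nat0_acl as unreferenced; the PDM-generated layout avoids exactly this pairing by keeping a separate inside_outbound_nat0_acl for nat 0. Two unrelated items in the same dump are worth fixing during the same clean-up: "http 0.0.0.0 0.0.0.0 outside" allows PDM logins from any Internet address, and "snmp-server community public" is the default community string.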



 
CK
11-16-2007
You can try deleting the whole access-list "inside_outbound_nat0_acl".
And for the address-group dhcpd address "sql-pix", DHCPD may be the
problem;
try deleting this first: "dhcpd address sql-pix-192.168.1.254 inside".
After that, try moving forward.
 
cisco
11-16-2007
Thanks... I did in fact delete all the old stuff out finally and was able to
get it to work.

What was happening was I was locked out of PDM, so I couldn't save changes
unless I exited PDM (at which time I was prompted to "save configuration").
After logging back in several times, deleting and "forcing" PDM to save, I
was able to clean out the config properly.

I probably could have used write mem in the CLI, but was in a panic and didn't
think of it.

All's working now though.
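
The thread does not show which lines were finally removed, so the following is an added example of a layout that satisfies PDM's one-feature-per-ACL rule, not the poster's final config: the stale client-VPN exemptions are deleted entry by entry, nat 0 is pointed at its own access list holding only the 192.168.1.x/192.168.0.x pair, the crypto map keeps outside_cryptomap_20 to itself, and the result is saved from the CLI. Lines beginning with a colon are comments, as in the posted dump. The "nat (inside) 0 sql-pix" line whose deletion failed is left alone here because the thread does not show how it was removed.

```cisco
: remove the leftover client-VPN exemptions; each "no" must match the existing entry exactly
no access-list inside_outbound_nat0_acl permit ip host 192.168.1.6 192.168.4.0 255.255.255.0
no access-list inside_outbound_nat0_acl permit ip host 192.168.1.10 192.168.4.0 255.255.255.0
no access-list inside_outbound_nat0_acl permit ip host joejob-sql 192.168.4.0 255.255.255.0
no access-list inside_outbound_nat0_acl permit ip host joejob-sql2 192.168.4.0 255.255.255.0
no access-list inside_outbound_nat0_acl permit ip any 192.168.10.32 255.255.255.224
no access-list inside_outbound_nat0_acl permit ip any 192.168.2.16 255.255.255.240
no access-list inside_outbound_nat0_acl permit ip host 192.168.1.10 192.168.2.16 255.255.255.240
: that leaves the single pix-to-pix entry in inside_outbound_nat0_acl:
:   access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
: nat 0 exemption now uses the dedicated list instead of the crypto ACL
no nat (inside) 0 access-list outside_cryptomap_20
nat (inside) 0 access-list inside_outbound_nat0_acl
: the crypto map keeps its own ACL (unchanged from the dump)
crypto map outside_map_1 20 match address outside_cryptomap_20
: persist from the CLI rather than relying on PDM's exit prompt
write memory
```

Between the "no nat" and the new "nat (inside) 0" line, traffic to 192.168.0.x is briefly PATed through the outside interface instead of being exempted, so do this from the console or an inside host rather than across the tunnel, and clear the translation table (clear xlate) afterwards so stale entries do not keep the VPN traffic NATed. Once both ACLs have exactly one consumer each, PDM has nothing to complain about on load.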
