can't delete ACL

Discussion in 'Cisco' started by cisco, Nov 15, 2007.

  1. cisco

    cisco Guest

    Hi All: I was trying to clean out some old configuration lines in my 506e
    (6.3(4)) config prior to setting up a pix-to-pix VPN. I was able to get the
    VPN set up using some CLI examples, and it's working fine, but now I can't
    load PDM and am getting the "multiple uses of ACL" error.

    I've been trying to delete some more lines to try to identify the problem,
    but the commands, even when successful, do not seem to be getting saved when
    using the CLI from the PDM interface.

    My config is below.

    The only thing I need to preserve is the VPN between 192.168.0.x and
    192.168.1.x.

    "vlan20" is not necessary.

    Is the line:

    nat (inside) 0 sql-pix 255.255.255.255 0 0


    causing the problem? If so, it's not necessary, but trying to delete it from
    the CLI doesn't work (error is "sql-pix" doesn't exist).

    Also these lines

    access-list inside_outbound_nat0_acl permit ip host joejob-sql 192.168.4.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host joejob-sql2 192.168.4.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 192.168.10.32 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip any 192.168.2.16 255.255.255.240

    are left over from some client VPNs that were deleted. Any help would be
    appreciated!


    Result of firewall command: "show config"

    : Saved
    : Written by enable_15 at 03:19:09.103 PST Sat Nov 10 2007
    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    interface ethernet1 vlan20 logical
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif vlan20 tempswitch security52
    enable password RQPm7xkzY.37Q.Ne encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname joejobPIX-main
    domain-name joejob.com
    clock timezone PST -8
    clock summer-time PDT recurring
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 192.168.1.2 sql-pix
    name 192.168.1.20 joejob-sql
    name 192.168.1.21 joejob-sql2
    name 207.206.235.246 mail
    name 192.168.1.5 minimail
    name 192.168.2.10 templan2
    object-group service webservers tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    port-object eq smtp
    port-object range 497 497
    port-object range 99 99
    port-object range 3389 3389
    object-group network webservices
    network-object 192.168.1.6 255.255.255.255
    network-object 192.168.1.7 255.255.255.255
    network-object 192.168.1.10 255.255.255.255
    network-object minimail 255.255.255.255
    object-group network webservices_ref
    network-object 207.206.235.243 255.255.255.255
    network-object 207.206.235.244 255.255.255.255
    network-object 207.206.235.245 255.255.255.255
    network-object mail 255.255.255.255
    object-group service mail tcp
    port-object eq smtp
    object-group service mail-udp udp
    port-object range 407 407
    access-list outside_access_in permit tcp any object-group webservices_ref object-group webservers
    access-list outside_access_in permit tcp any host 207.206.235.245 object-group mail
    access-list inside_access_in permit ip any any
    access-list inside_outbound_nat0_acl permit ip host 192.168.1.6 192.168.4.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host 192.168.1.10 192.168.4.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host joejob-sql 192.168.4.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip host joejob-sql2 192.168.4.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 192.168.10.32 255.255.255.224
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip any 192.168.2.16 255.255.255.240
    access-list inside_outbound_nat0_acl permit ip host 192.168.1.10 192.168.2.16 255.255.255.240
    access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside 207.206.235.242 255.255.255.248
    ip address inside 192.168.1.1 255.255.255.0
    ip address tempswitch 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 68.161.247.47 255.255.255.255 outside
    pdm location 192.168.1.6 255.255.255.255 inside
    pdm location 192.168.1.7 255.255.255.255 inside
    pdm location 207.206.235.243 255.255.255.255 outside
    pdm location 207.206.235.244 255.255.255.255 outside
    pdm location 207.206.235.245 255.255.255.255 outside
    pdm location 192.168.1.10 255.255.255.255 inside
    pdm location sql-pix 255.255.255.255 inside
    pdm location mail 255.255.255.255 outside
    pdm location joejob-sql2 255.255.255.255 inside
    pdm location joejob-sql 255.255.255.255 inside
    pdm location minimail 255.255.255.255 inside
    pdm location 207.158.46.215 255.255.255.255 outside
    pdm location 192.168.0.0 255.255.255.0 outside
    pdm location 192.168.10.32 255.255.255.224 outside
    pdm location 192.168.2.16 255.255.255.240 outside
    pdm location templan2 255.255.255.255 tempswitch
    pdm group webservices inside
    pdm group webservices_ref outside reference webservices
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list outside_cryptomap_20
    nat (inside) 0 sql-pix 255.255.255.255 0 0
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (outside,inside) 192.168.1.6 207.206.235.243 netmask 255.255.255.255 0 0
    static (outside,inside) 192.168.1.7 207.206.235.244 netmask 255.255.255.255 0 0
    static (outside,inside) 192.168.1.10 207.206.235.245 netmask 255.255.255.255 0 0
    static (outside,inside) minimail mail netmask 255.255.255.255 0 0
    static (inside,outside) 207.206.235.243 192.168.1.6 netmask 255.255.255.255 0 0
    static (inside,outside) 207.206.235.244 192.168.1.7 netmask 255.255.255.255 0 0
    static (inside,outside) 207.206.235.245 192.168.1.10 netmask 255.255.255.255 0 0
    static (inside,outside) mail minimail netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 207.206.235.241 1
    route outside 207.206.235.243 255.255.255.255 192.168.1.6 1
    route outside 207.206.235.244 255.255.255.255 192.168.1.7 1
    route outside 207.206.235.245 255.255.255.255 192.168.1.10 1
    route outside mail 255.255.255.255 minimail 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set strong esp-3des esp-sha-hmac
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map_1 20 ipsec-isakmp
    crypto map outside_map_1 20 match address outside_cryptomap_20
    crypto map outside_map_1 20 set peer 200.0.0.50
    crypto map outside_map_1 20 set transform-set strong
    crypto map outside_map_1 interface outside
    isakmp enable outside
    isakmp key ******** address 200.0.0.50 netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 8 authentication pre-share
    isakmp policy 8 encryption 3des
    isakmp policy 8 hash sha
    isakmp policy 8 group 2
    isakmp policy 8 lifetime 86400
    isakmp policy 45 authentication pre-share
    isakmp policy 45 encryption 3des
    isakmp policy 45 hash md5
    isakmp policy 45 group 2
    isakmp policy 45 lifetime 86400
    telnet timeout 5
    ssh 68.161.247.47 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    dhcpd address sql-pix-192.168.1.254 inside
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    username alfred_korn password f2mKLnt4eoMwYNJU encrypted privilege 15
    username andrew_kagan password AMyxAR0GCXfFqU4L encrypted privilege 15
    terminal width 80
    Cryptochecksum:c232e0ee04207b1e8da7e47f17a57295
     
    cisco, Nov 15, 2007
    #1

  2. cisco

    CK Guest

    You can try deleting the whole access-list "inside_outbound_nat0_acl".
    And for address-group, dhcpd address "sql-pix" DHCPD may be the
    problem:
    try deleting this first, "dhcpd address sql-pix-192.168.1.254 inside",
    after that try moving forward.
     
    CK, Nov 16, 2007
    #2

  3. cisco

    cisco Guest

    thanks...I did in fact delete all the old stuff out finally and was able to
    get it to work.

    What was happening was I was locked out of PDM, so I couldn't save changes
    unless I exited PDM (at which time I was prompted to "save configuration").
    After logging back in several times, deleting and "forcing" PDM to save, I
    was able to clean out the config properly.

    I prolly could have used write mem in the CLI, but was in a panic and didn't
    think of it :(

    All's working now though.

    --

    "CK" <> wrote in message
    news:...
    > You can try deleting the whole access-list "inside_outbound_nat0_acl".
    > And for address-group, dhcpd address "sql-pix" DHCPD may be the
    > problem:
    > try deleting this first, "dhcpd address sql-pix-192.168.1.254 inside",
    > after that try moving forward.
     
    cisco, Nov 16, 2007
    #3