PDM does not support multiple uses of a given

Discussion in 'Cisco' started by Maciej Krzeminski, Aug 4, 2006.

  1. Hello,
    I am trying to configure a VPN connection between two sites. Going through
    'Site-to-site VPN configuration Examples' I got nothing successful apart from
    blocking PDM. I was trying to resolve the problem using Google, also
    unsuccessfully.

    Second question: is it possible to set up a site-to-site VPN connection when my
    firewall has a non-routable address on the outside? (192.168.2.91)
    Could anybody help me?

    maciejk


    : Saved
    : Written by enable_15 at 07:16:24.054 UTC Fri Aug 4 2006
    PIX Version 6.3(3)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 auto shutdown
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dirty security50
    enable password T.OHIqZ2tcoK60qH encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname a-novo.pl
    domain-name a-novo.pl
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 10.55.100.0 ItaliaETR
    access-list inside_access_in permit ip any any
    access-list outside_access_in permit ip any any
    access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 ItaliaETR 255.255.252.0
    access-list inside_outbound_nat0_acl permit ip ItaliaETR 255.255.252.0 any
    access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 ItaliaETR 255.255.252.0
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    mtu dirty 1500
    ip address outside 192.168.20.91 255.255.255.0
    ip address inside 192.168.0.1 255.255.255.0
    ip address dirty 10.0.2.1 255.0.0.0
    ip audit info action alarm
    ip audit attack action alarm
    no failover
    failover timeout 0:00:00
    failover poll 15
    no failover ip address outside
    no failover ip address inside
    no failover ip address dirty
    pdm location 192.168.0.5 255.255.255.255 inside
    pdm location ItaliaETR 255.255.252.0 outside
    pdm location ItaliaETR 255.255.252.0 inside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.0.0 255.255.255.0 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 192.168.20.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 192.168.0.5 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set peer DEST_IP
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map ouitside_map interface outside
    isakmp enable outside
    isakmp enable inside
    isakmp key ******** address DEST_IP netmask 255.255.255.255 no-xauth no-config-mode
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80
     
    Maciej Krzeminski, Aug 4, 2006
    #1

  2. Re: PDM does not support multiple uses of a given...

    PDM does not support multiple uses of a given ... Access Control list



    mk
     
    Maciej Krzeminski, Aug 4, 2006
    #2

  3. In article <eav4lc$ec9$>,
    Maciej Krzeminski <> wrote:

    >I am trying to configure a VPN connection between two sites. Going through
    >'Site-to-site VPN configuration Examples' I got nothing successful apart from
    >blocking PDM.



    >PIX Version 6.3(3)


    <mumble>FREE UPDATE TO 6.3(5)</mumble>

    >access-list outside_access_in permit ip any any
    >access-group outside_access_in in interface outside


    You almost certainly don't want your outside_access_in to be
    that way: it permits all incoming connections to be attempted.

    >access-list inside_access_in permit ip any any
    >access-group inside_access_in in interface inside


    You do not need your inside_access_in to be like that. If you
    want all connections to be permitted outward, then just do not
    have an access-group applied to the inside interface.

    name 10.55.100.0 ItaliaETR

    >access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 ItaliaETR 255.255.252.0
    >access-list inside_outbound_nat0_acl permit ip ItaliaETR 255.255.252.0 any


    Only the first of those two lines is needed.

    >access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 ItaliaETR 255.255.252.0


    >ip address outside 192.168.20.91 255.255.255.0
    >ip address inside 192.168.0.1 255.255.255.0


    >ip address dirty 10.0.2.1 255.0.0.0


    That's likely to be the source of several problems in your configuration.
    Everything else is written as if 10.55.100.0 255.255.252.0 is "outside",
    but the netmask you have on the interface named "dirty" is such that
    10.55.100.0 is in the address space of the "dirty" interface.

    >pdm location ItaliaETR 255.255.252.0 outside
    >pdm location ItaliaETR 255.255.252.0 inside


    That will not make any real functional difference, but the same host
    cannot be both inside and outside.

    >global (outside) 1 interface
    >nat (inside) 0 access-list inside_outbound_nat0_acl
    >nat (inside) 1 192.168.0.0 255.255.255.0 0 0


    >sysopt connection permit-ipsec
    >sysopt connection permit-pptp
    >sysopt connection permit-l2tp


    You do not appear to need the latter two permit-* .

    >crypto map outside_map 20 match address outside_cryptomap_20


    >crypto map ouitside_map interface outside


    That map name is not the same as the one you configured. If you
    copied exactly what was in your configuration then that extra 'i'
    in ouitside_map would be enough to keep your VPN from working.

    >isakmp enable outside
    >isakmp enable inside


    It is quite uncommon to need to enable isakmp on your inside
    interface. I have had my reasons for doing it, but the configuration
    in my case looked much different than yours.

    >isakmp nat-traversal 20



    >Second question: is it possible to set up a site-to-site VPN connection when my
    >firewall has a non-routable address on the outside? (192.168.2.91)


    Yes. The remote end will need to configure the peer address to
    reflect the static public IP that your 192.168.2.91 gets translated to
    by the time it reaches them.

    If you ultimately do not have a static public IP assigned to you,
    then you would leave the configuration you have shown as-is, but
    on the other end you would need to configure a "crypto dynamic map".

    The restriction arises because if there is no fixed IP address
    available to reach your firewall, then it isn't possible [on PIX]
    to specify that no-fixed-address in a crypto map "set peer" statement,
    and therefore no way for the other PIX to initiate a connection to
    you, because it doesn't know what your current IP is. But on the
    firewall whose address might change, you know the fixed IP of the
    other end, so the firewall with the varying IP is able to start
    a connection to the other end at any time.
     
    Walter Roberson, Aug 4, 2006
    #3
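    The reply above flags three things a reader can check mechanically in a PIX config: a crypto map bound to an interface under a name that was never defined, a "pdm location" network claimed on more than one interface, and a remote VPN network that actually falls inside a local interface's subnet. The following audit script is an added example, not code from the thread; it runs over a constructed excerpt of the posted config and reports exactly those three findings.

    ```python
    import ipaddress

    # Constructed excerpt of the posted PIX 6.3(3) config; the 'dirty' interface
    # mask and the mis-typed map name are the lines the reply calls out.
    PIX_CONFIG = """\
    name 10.55.100.0 ItaliaETR
    ip address outside 192.168.20.91 255.255.255.0
    ip address inside 192.168.0.1 255.255.255.0
    ip address dirty 10.0.2.1 255.0.0.0
    pdm location ItaliaETR 255.255.252.0 outside
    pdm location ItaliaETR 255.255.252.0 inside
    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map ouitside_map interface outside
    """

    def audit(config):
        """Return a list of human-readable findings for the config text."""
        names, ifaces, pdm, maps, bound = {}, {}, {}, set(), []
        for line in config.splitlines():
            f = line.split()
            if not f:
                continue
            if f[0] == "name":                     # name <ip> <alias>
                names[f[2]] = f[1]
            elif f[:2] == ["ip", "address"]:       # ip address <if> <ip> <mask>
                ifaces[f[2]] = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False)
            elif f[:2] == ["pdm", "location"]:     # pdm location <ip|alias> <mask> <if>
                ip = names.get(f[2], f[2])
                net = ipaddress.ip_network(f"{ip}/{f[3]}", strict=False)
                pdm.setdefault(net, []).append(f[4])
            elif f[:2] == ["crypto", "map"]:       # crypto map <name> ...
                if f[3] == "interface":
                    bound.append((f[2], f[4]))
                else:
                    maps.add(f[2])
        findings = []
        for name, iface in bound:
            if name not in maps:
                findings.append(f"crypto map '{name}' bound to {iface} is never defined")
        for net, locs in pdm.items():
            if len(locs) > 1:
                findings.append(f"pdm location {net} claimed on {', '.join(locs)}")
            for iface, inet in ifaces.items():
                if iface not in locs and net.subnet_of(inet):
                    findings.append(f"{net} falls inside {iface} interface {inet}")
        return findings

    if __name__ == "__main__":
        for finding in audit(PIX_CONFIG):
            print(finding)
    ```
    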
  4. Maciej Krzeminski

    AM Guest

    Walter Roberson wrote:

    >>isakmp enable outside
    >>isakmp enable inside

    >
    >
    > It is quite uncommon to need to enable isakmp on your inside
    > interface. I have had my reasons for doing it, but the configuration
    > in my case looked much different than yours.


    Do you regulate who can go outside using the VPNclient?
    I'm trying to use a sort of authentication to decide who can pass through the device and who can't.
    In my case I need just authentication, not encryption.

    Or maybe are you lending your inside network to someone else who doesn't trust you? I mean, do you
    permit them to pass through your network encrypted?


    Alex.
     
    AM, Aug 4, 2006
    #4
  5. In article <eb06oj$17e$>, AM <> wrote:
    >Walter Roberson wrote:


    >> It is quite uncommon to need to enable isakmp on your inside
    >> interface. I have had my reasons for doing it, but the configuration
    >> in my case looked much different than yours.


    >Do you regulate who can go outside using the VPNclient?


    No... ?

    >I'm trying to use a sort of authentication to decide who can pass
    >through the device and who can't.
    >In my case I need just authentication, not encryption.


    I don't see the connection between that and enabling isakmp on the inside
    interface. Enabling isakmp is for the case where you need to terminate
    a connection on that interface; having isakmp pass through to somewhere
    else goes through completely different logic. PIX 6 cannot, as far as
    I can think, do proxy isakmp: it isn't one of the protocols supported by
    the AAA mechanisms.


    >Or maybe are you lending your inside network to someone else who doesn't
    >trust you? I mean, do you
    >permit to them to pass your network through being encrypted?


    I have had two reasons for enabling isakmp on an inside interface:

    1) To allow me to test and experiment with the VPN client and with
    LAN-to-LAN connections locally, in preparation for outside deployment;

    2) I had a configuration in which I needed an inside PIX to proxy
    connections -- places that our main regional office could reach
    directly, but which our remote offices were blocked to. It happens
    that the easiest way to do that is to "reverse" a firewall, so
    that the remote offices come in over a VPN to the -inside- interface
    of a PIX, with the remote packets then getting NAT'd in the regional
    address space as they passed outward through the outside PIX interface.
     
    Walter Roberson, Aug 6, 2006
    #5