
pdm pix 515

lyes.ouarti
Level 1

Hi,

I installed PDM on my PIX, but it tells me that I can just monitor and I can't change the configuration because there is a command statement that is not supported.

Here is a sh conf:

PIX Version 6.3(1)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password ncrypted

passwd encrypted

hostname pix

domain-name YA-algerie.com

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol ils 389

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

access-list INSIDE-OUTSIDE remark -- ACL POUR SERVEUR DE MESSAGERIE

access-list INSIDE-OUTSIDE permit icmp any any source-quench

access-list INSIDE-OUTSIDE permit icmp any any parameter-problem

access-list INSIDE-OUTSIDE permit icmp any any unreachable

access-list INSIDE-OUTSIDE permit icmp any any time-exceeded

access-list INSIDE-OUTSIDE permit icmp any any echo-reply

access-list INSIDE-OUTSIDE permit tcp any host 81.22.0.1 eq smtp

access-list INSIDE-OUTSIDE permit tcp any host 81.22.0.1 eq pop3

access-list INSIDE-OUTSIDE permit tcp any host 81.22.0.1 eq imap4

access-list INSIDE-OUTSIDE permit tcp any host 81.22.0.1 eq www

access-list VPN remark -- VPN WATANIYA SHERATON

access-list VPN permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list VPN permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list VPN permit ip 192.168.2.0 255.255.255.0 any

access-list VPN permit ip any 192.168.2.0 255.255.255.0

pager lines 24

logging on

logging trap debugging

logging host inside 192.168.1.50

icmp deny any echo outside

mtu outside 1500

mtu inside 1500

ip address outside .255.255.240

ip address inside 255.255.255.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list VPN

nat (inside) 1 192.168.1.0 255.255.255.0 2000 1800

static (inside,outside) 81.22.0.1 192.168.98.100 netmask 255.255.255.255 10000 8000

access-group INSIDE-OUTSIDE in interface outside

route outside 0.0.0.0 0.0.0.0 81.22.0.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set esp-des esp-md5-hmac

crypto map 1 ipsec-isakmp

crypto map 1 match address VPN

crypto map 1 set peer 82.101.133.11

crypto map 1 set transform-set WATANIYA

crypto map interface outside

isakmp enable outside

isakmp key address 82.101.133.11 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

telnet 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

terminal width 80

Cryptochecksum:14d55fc7f7cb78d350ca369cb9ac8715

Thanks.


drolemc
Level 6

What you need to do is to refer to the documentation for the PDM version you are running and see if all the commands in your config are supported in that version. If not, you will need to remove those commands from the config or be content with reduced functionality. Another option would be to switch to a later version of PDM. With each new version, a larger set of commands is supported.
