07-26-2005 12:12 PM - edited 03-09-2019 11:57 AM
I've recently set up an IPsec tunnel between my PIX and a SonicWall at a remote office. Since then, I'm only able to monitor the firewall from the PDM. Any suggestions? I can sanitize my config to post if that would help identify the specific rules.
08-01-2005 06:37 AM
Here is a document on Installing PDM on a PIX Firewall.
08-01-2005 07:33 AM
I can't think why you should be having this problem, as I've got site-to-site IPSec vpn between PIX and SonicWall and all is working correctly.
Can you post up your PIX config (take out any sensitive info). Can you not telnet onto the PIX? Can you connect to the PIX via console? Or even SSH?
Jay
08-04-2005 03:27 PM
I followed the steps outlined here and since then I haven't been able to load the config into the PDM. The tunnels are functioning perfectly and I can log in via SSH. Can anyone see any steps in this PDF that might have a rule that PDM is unfamiliar with? Thank you.
08-04-2005 11:24 PM
Hello,
The PDM does not like that you have the access-list referenced for both NAT 0 and in the crypto map. You have to configure another access-list with a different name. So the first access-list should be referenced to NAT 0 and the second access-list to the "match" statement under the crypto map command.
Best Regards,
Robert Maras
08-04-2005 11:37 PM
What Robert said is correct,
PDM will do this if you use one access-list in two separate locations
(http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdmrn30.htm#94255).
I'm assuming you have something like the following in your config:
access-list nonat permit ip 10.x.x.x
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat
PDM will not allow this and puts you into monitor mode. What you need to do (which is a better configuration method anyway) is separate the ACLs with the following:
access-list nonat permit ip 10.x.x.x
nat (inside) 0 access-list nonat
access-list 100 permit ip 10.x.x.x
crypto map mymap 10 match address 100
This separates your crypto and your nonat ACLs. When you only have one IPSec peer then a lot of people do use the same ACL for both, which is fine, but as you've seen it makes PDM barf. Separating the two ACLs is much better because if at some point later you add a second, third, etc. IPSec peer, you simply add a new encryption ACL for the new traffic, and add that to your existing nonat ACL.
Hope this helps,
Jay
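As an added example (not from the thread or from Cisco), a small Python check for the two conditions discussed above: an ACL referenced by both "nat (x) 0 access-list" and a "crypto map ... match address" line (the PDM monitor-mode trigger), and crypto ACL flows that have no matching NAT 0 exemption. The config fragments are constructed for the example; the ACL entry comparison is an exact match on the text after "permit" and assumes PIX 6.x syntax.

```python
import re
from collections import defaultdict

# Constructed PIX 6.x fragments (not from the thread): "shared" reproduces the
# problem, "fixed" is the split layout Jay describes.
SHARED_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat
"""
FIXED_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto map mymap 10 match address 100
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(.*)$", re.I)
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)", re.I)
CRYPTO_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)", re.I)

def acl_refs(config):
    """Map ACL name -> set of roles ('nat0', 'crypto') that reference it."""
    refs = defaultdict(set)
    for line in config.splitlines():
        line = line.strip()
        if m := NAT0_RE.match(line):
            refs[m.group(1)].add("nat0")
        if m := CRYPTO_RE.match(line):
            refs[m.group(1)].add("crypto")
    return refs

def shared_acls(config):
    """ACLs used by both nat 0 and a crypto map: the case that drops PDM into monitor mode."""
    return sorted(n for n, r in acl_refs(config).items() if {"nat0", "crypto"} <= r)

def crypto_flows_not_exempt(config):
    """Crypto ACL permit entries with no identical nat 0 entry (traffic would be NATed before IPsec)."""
    entries = defaultdict(set)
    for line in config.splitlines():
        if m := ACL_RE.match(line.strip()):
            entries[m.group(1)].add(" ".join(m.group(2).split()))
    refs = acl_refs(config)
    exempt = set().union(*(entries[n] for n, r in refs.items() if "nat0" in r))
    crypto = set().union(*(entries[n] for n, r in refs.items() if "crypto" in r))
    return sorted(crypto - exempt)

if __name__ == "__main__":
    for label, cfg in (("shared", SHARED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, shared_acls(cfg), crypto_flows_not_exempt(cfg))
```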
08-05-2005 01:22 AM
With a little fiddling, that fixed my problem. Thanks for getting me on the right track, guys!