Can't load config into PDM

gdextensis (Level 1)

I've recently set up an IPsec tunnel between my PIX and a SonicWall at a remote office. Since then, I'm only able to monitor the firewall from the PDM. Any suggestions? I can sanitize my config to post if that would help identify the specific rules.

Accepted Solution

What Robert said is correct. PDM will do this if you use one access-list in two separate locations (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pdm/v_30/pdmrn30.htm#94255).

I'm assuming you have something like the following in your config:

access-list nonat permit ip 10.x.x.x 192.168.x.x
nat (inside) 0 access-list nonat
crypto map mymap 10 match address nonat

PDM will not allow this and will put you into monitor mode. What you need to do (which is a better configuration method anyway) is separate the ACLs with the following:

access-list nonat permit ip 10.x.x.x 192.168.x.x
nat (inside) 0 access-list nonat
access-list 100 permit ip 10.x.x.x 192.168.x.x
crypto map mymap 10 match address 100

This separates your crypto and your nonat ACLs. When you only have one IPSec peer, a lot of people do use the same ACL for both, which is fine, but as you've seen it makes PDM barf. Separating the two ACLs is much better because if at some point later you add a second, third, etc. IPSec peer, you simply add a new encryption ACL for the new traffic, and add that to your existing nonat ACL.

Hope this helps,

Jay
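As an added example (not code from this thread, from Cisco, or from PDM itself), here is a small Python check that reads a PIX configuration and flags any ACL referenced from more than one place: a nat 0 statement, a crypto map match address, or an access-group. That is the condition Jay describes, generalized to the three reference points rather than just the nat 0 / crypto map pair. It also performs the rewrite the answer recommends, copying the shared ACL's entries under a new name and pointing the crypto map at it. The sample configs, the names nonat, mymap and 100, and all addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample configs (placeholder names and addresses, not from any real firewall).
SHARED_ACL_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap interface outside
"""

SEPARATED_ACL_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 100 permit ip 10.1.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap interface outside
"""

# Each pattern is one place a PIX config can reference an ACL by name (group 1).
ACL_REFERENCE_PATTERNS = {
    "nat0": re.compile(r"^nat \(\S+\) 0 access-list (\S+)"),
    "crypto-map": re.compile(r"^crypto map \S+ \d+ match address (\S+)"),
    "access-group": re.compile(r"^access-group (\S+) in interface \S+"),
}


def acl_references(config_text):
    """Map each ACL name to the list of contexts that reference it, in config order."""
    refs = defaultdict(list)
    for line in config_text.splitlines():
        stripped = line.strip()
        for context, pattern in ACL_REFERENCE_PATTERNS.items():
            match = pattern.match(stripped)
            if match:
                refs[match.group(1)].append(context)
    return dict(refs)


def shared_acls(config_text):
    """ACLs referenced from more than one place: the condition that sends PDM into monitor mode."""
    return {acl: ctx for acl, ctx in acl_references(config_text).items() if len(ctx) > 1}


def separate_crypto_acl(config_text, shared_acl, new_acl):
    """Copy shared_acl's entries under new_acl and make the crypto map match on new_acl.

    The nat 0 reference is left on the original ACL, as the accepted answer recommends.
    """
    lines = config_text.splitlines()
    prefix = f"access-list {shared_acl} "
    entry_idx = [i for i, l in enumerate(lines) if l.strip().startswith(prefix)]
    if not entry_idx:
        return config_text  # nothing to split
    new_entries = [lines[i].strip().replace(prefix, f"access-list {new_acl} ", 1) for i in entry_idx]
    out = []
    for i, line in enumerate(lines):
        stripped = line.strip()
        match = ACL_REFERENCE_PATTERNS["crypto-map"].match(stripped)
        if match and match.group(1) == shared_acl:
            out.append(stripped[: match.start(1)] + new_acl)  # re-point the crypto map
        else:
            out.append(line)
        if i == entry_idx[-1]:
            out.extend(new_entries)  # keep the new ACL next to the one it was copied from
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("shared before:", shared_acls(SHARED_ACL_CONFIG))
    fixed = separate_crypto_acl(SHARED_ACL_CONFIG, "nonat", "100")
    print("shared after: ", shared_acls(fixed))
    print(fixed)
```

Run it against a saved `show running-config` before opening PDM; an empty result from `shared_acls` means no ACL is doing double duty. The rewrite only moves the crypto map reference, so the nat 0 exemption keeps working while the tunnel gets its own encryption ACL.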



didyap (Level 6)

jmia (Level 7)

I can't think why you should be having this problem, as I've got a site-to-site IPSec VPN between a PIX and a SonicWall and all is working correctly.

Can you post up your PIX config (take out any sensitive info)? Can you not telnet onto the PIX? Can you connect to the PIX via console, or even SSH?

Jay

I followed the steps outlined here and since then I haven't been able to load the config into the PDM. The tunnels are functioning perfectly and I can log in via SSH. Can anyone see any steps in this PDF that might have a rule that PDM is unfamiliar with? Thank you.

http://www.sonicwall.com/support/pdfs/technotes/vpn_interoperability_between_sonicos30e_and_cisco_pix_firewall.pdf

Hello,

The PDM does not like that you have the access-list referenced for both NAT 0 and in the crypto map. You have to configure another access-list with a different name. So the first access-list should be referenced by NAT 0 and the second access-list by the "match" statement under the crypto map command.

Best regards,

Robert Maras


With a little fiddling, that fixed my problem. Thanks for getting me on the right track, guys!