Cisco PIX 520 - PIX Firewall 520 Online Help Manual page 101

User guide
alias
    Administer overlapping addresses with dual NAT. Also permits inside interface access to a DNS server on a perimeter interface.

establish
    Permit return connections on ports other than those used for the originating connection, based on an established connection.

outbound id except
    Create an access list to control outbound connections.

static [used for inbound PAT]
    Funnel inbound connections through a single IP address.

nat [(if_name)] 0 access-list acl_name
    Associate an access list with network address translation (NAT). If used only for VPN purposes, PDM parses and ignores this command. Note: When encountered in a configuration, PDM will display a dialog box to specify its purpose. If used for non-VPN use, or mixed with VPN and non-VPN use, Monitor Only mode will be entered.

Unsupported Command Combinations Causing Monitor Only Mode

In addition, the following command combinations will cause PDM to enter the Monitor Only mode when detected in the configuration:

aaa
    An aaa command with the match option appearing in the configuration together with other aaa commands that contain the include or exclude options. For example, the following commands would not be parsed by PDM:
        access-list 101 permit tcp any any
        aaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portal
        aaa accounting match 101 inside portal
    You can fix this by changing the aaa commands exclusively to either the match acl style or to the include/exclude style.

access-list
    Certain combinations of access control lists are unsupported:

    Combining access-list and access-group command statements with conduit and/or outbound command statements. For example, the following commands, appearing anywhere in the configuration (not necessarily together), would not be parsed by PDM:
        access-list 101 permit ip 172.21.3.0 255.255.0.0 172.22.2.0 255.255.0.0
        access-group 101 in interface outside
        conduit permit icmp any any

    Using an ACL (access control list) for multiple interfaces. For example, the following commands would not be parsed by PDM:
        access-list eng permit ip any server1 255.255.255.255
        access-group eng in interface perim
        access-group eng in interface outside

    Using an ACL name for multiple purposes, such as in an access-group command statement and in an aaa command statement. For example, the following commands would not be parsed by PDM:
        access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
        access-group acl_out in interface outside
        aaa authentication match acl_out outside AuthIn
    In this example, the access-list command statement is applied to the outside interface by the access-group command. The same ACL name cannot then be used by the aaa command statement. You can fix this example by creating an access-list command statement without an accompanying access-group command statement and then applying that to the aaa command statement. For example:
        access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
        aaa authentication match acl_out2 outside AuthIn

    Using an ACL for multiple purposes (such as authentication, authorization, or accounting). For example, the following command statements cannot be parsed by PDM:
        access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
        aaa authentication match acl_out2 outside AuthIn
        aaa authorization match acl_out2 outside AuthIn
    In this example, the access-list command statement is applied to the outside interface by the aaa authentication command. Using the acl_out2 ACL name for both authentication and authorization cannot be parsed by PDM. You can fix this by creating another access-list command statement, the same as the first, and applying that in the aaa authorization command. For example:
        access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
        access-list acl_out3 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
        aaa authentication match acl_out2 outside AuthIn
        aaa authorization match acl_out3 outside AuthIn

outbound
    Any outbound command statement that contains the except option. In most cases, you should be able to rewrite the outbound command statements using the permit or deny options to eliminate the use of the except option. Once the except option is replaced with permit or deny, PDM functions normally.

    Applying an outbound command statement group to multiple interfaces. For example, the following would not be parsed by PDM:
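As an added example, not part of the PDM help and not Cisco's code, the following Python script reads a PIX configuration and reports the command combinations listed above before PDM is pointed at the device: aaa match statements mixed with include/exclude statements, access-list/access-group used alongside conduit or outbound, one ACL bound to several interfaces, one ACL name shared between access-group and aaa, one ACL name used by several aaa statements, and outbound statements with except. The sample configuration is constructed here from the page's own example lines, and the rule names are invented for this script.

```python
import re
from collections import defaultdict

# Constructed sample: the unsupported combinations this page lists, gathered
# into one configuration. Not taken from any real device.
SAMPLE_CONFIG = """\
access-list 101 permit tcp any any
aaa authentication include http inside 1.1.1.1 255.255.255.255 0.0.0.0 0.0.0.0 portal
aaa accounting match 101 inside portal
access-list eng permit ip any server1 255.255.255.255
access-group eng in interface perim
access-group eng in interface outside
access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
access-group acl_out in interface outside
aaa authentication match acl_out outside AuthIn
access-list acl_out2 permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224
aaa authentication match acl_out2 outside AuthIn
aaa authorization match acl_out2 outside AuthIn
conduit permit icmp any any
outbound 1 except 10.1.1.1 255.255.255.255
"""

ACCESS_GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")


def check_pdm_compatibility(config_text):
    """Scan a PIX configuration for the command combinations the PDM help
    lists as forcing Monitor Only mode. Returns a sorted list of
    (rule, detail) tuples; an empty list means none were found."""
    findings = []
    aaa_match_lines = defaultdict(list)   # ACL name -> aaa lines that use 'match'
    aaa_legacy_lines = []                 # aaa lines that use include/exclude
    group_interfaces = defaultdict(set)   # ACL name -> interfaces it is bound to
    has_acl_or_group = False
    has_conduit_or_outbound = False

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue  # blank lines and comments
        words = line.split()
        cmd = words[0]
        if cmd == "aaa":
            if "match" in words:
                idx = words.index("match")
                if idx + 1 < len(words):
                    aaa_match_lines[words[idx + 1]].append(line)
            elif "include" in words or "exclude" in words:
                aaa_legacy_lines.append(line)
        elif cmd == "access-list":
            has_acl_or_group = True
        elif cmd == "access-group":
            has_acl_or_group = True
            m = ACCESS_GROUP_RE.match(line)
            if m:
                group_interfaces[m.group(1)].add(m.group(2))
        elif cmd == "conduit":
            has_conduit_or_outbound = True
        elif cmd == "outbound":
            has_conduit_or_outbound = True
            if "except" in words:
                findings.append(("outbound-except", line))

    # aaa: 'match' style mixed with the include/exclude style
    if aaa_match_lines and aaa_legacy_lines:
        findings.append(("aaa-mixed-styles", aaa_legacy_lines[0]))
    # access-list/access-group combined with conduit or outbound anywhere
    if has_acl_or_group and has_conduit_or_outbound:
        findings.append(("acl-with-conduit-or-outbound",
                         "access-list/access-group used together with conduit or outbound"))
    # one ACL bound to more than one interface
    for acl, ifaces in group_interfaces.items():
        if len(ifaces) > 1:
            findings.append(("acl-multiple-interfaces", acl))
    # one ACL name used by both access-group and an aaa ... match statement
    for acl in group_interfaces.keys() & aaa_match_lines.keys():
        findings.append(("acl-shared-access-group-aaa", acl))
    # one ACL name used by more than one aaa ... match statement
    for acl, lines in aaa_match_lines.items():
        if len(lines) > 1:
            findings.append(("acl-multiple-aaa-purposes", acl))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in check_pdm_compatibility(SAMPLE_CONFIG):
        print(f"{rule}: {detail}")
```

Run against a saved `show config` capture, the script gives the list of statements to rewrite (duplicate the ACL under a second name, replace except with permit/deny, pick one aaa style) before PDM drops into Monitor Only mode. It only parses the forms shown on this page; the outbound-group-on-multiple-interfaces case is not checked because the page's example for it is not available.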

This manual is also suitable for: Pix device manager 1.1