Error while issuing the command in ASA 5510

Unanswered Question
May 7th, 2007

Hi,

I get the following error message with a working ASA, and I also tried it on a newly bought ASA.

I tried issuing "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. Then I added "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp"; this command is also accepted, but when I restart the ASA after this, I get the error message "ERROR: access-list has protocol or port". After getting this error message, I could not find "nat (inside) 0 access-list cbaynonat" in the configuration. Then I removed "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" and added "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. I found that only after issuing "access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" do I get the error message, and it is not only with port 21: any port I add gives that error message. But when I tried issuing "access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0" and then restarting the ASA, there is no error message, and I am able to see "nat (inside) 0 access-list cbaynonat" in the configuration.

Help me out: what is the problem? I tried upgrading to version 7.2 as well, and I get the same error message.

For better understanding, see the details below.

--------------------------------------

Step:-1

-------

ciscoasa(config)# nat (inside) 0 access-list cbaynonat

ERROR: Access-list "cbaynonat" does not exist

ciscoasa(config)#

Step:-2

-------

ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp

ciscoasa(config)# nat (inside) 0 access-list cbaynonat

ERROR: access-list has protocol or port

ciscoasa(config)#show run nat

cbayasaapt(config)# sh run nat

nat (inside) 1 172.19.1.0 255.255.255.0

Step:-3

-------

ciscoasa(config)# nat (inside) 0 access-list cbaynonat

ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp

ciscoasa(config)#reload

ERROR: access-list has protocol or port -------------------- this message appears at the time of reboot.

cbayasaapt(config)# sh run nat

access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp

Step:-4

-------

ciscoasa(config)#no access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp

ciscoasa(config)#nat (inside) 0 access-list cbaynonat

ciscoasa(config)#sh run nat

nat (inside) 0 access-list cbaynonat

Step:-5

-------

ciscoasa(config)#access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0

ciscoasa(config)#nat (inside) 0 access-list cbaynonat

ciscoasa(config)#show run nat

cbayasaapt(config)# sh run nat

nat (inside) 0 access-list cbaynonat

nat (inside) 1 172.19.1.0 255.255.255.0

ciscoasa(config)#reload

After reload:

ciscoasa(config)# show run nat

nat (inside) 0 access-list cbaynonat

access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0

hoogen_82 Mon, 05/07/2007 - 10:32

Hi,

I am not sure what you are trying to achieve, let me see if I can help you here.

Basically, the reason the error kept coming is that you are doing an identity NAT and calling an access-list; for this kind of NAT, the access-list being called should not contain any port numbers, it should be IP based only.

I guess you want to do a nonat when the source IP is from 172.19.0.0 to 172.16.0.0, so your configuration is fine after that.

-Hoogen

Do rate if this helps :)
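Because the ASA only rejects the port-carrying entry when the saved configuration is re-read at reload, it is useful to check a config file before rebooting. The script below is an added example, not part of this thread or of Cisco's tooling: it parses the `nat (ifc) 0 access-list NAME` statements and the `access-list` entries in an ASA 7.x style config and reports any NAT exemption ACL entry that is not plain `permit ip` without port operators (the rule hoogen_82 describes). The sample config and the names `SAMPLE_CONFIG`, `check_nat0_acls` and `outside_in` are constructed for this example.

```python
import re

# Constructed sample reproducing the thread: the first cbaynonat entry carries
# tcp/eq ftp (rejected at reload), the second is the IP-only entry that works.
SAMPLE_CONFIG = """\
access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp
access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
access-list outside_in extended permit tcp 172.19.5.0 255.255.255.0 172.19.1.0 255.255.255.0 eq 21
nat (inside) 0 access-list cbaynonat
nat (inside) 1 172.19.1.0 255.255.255.0
"""

# nat (interface) 0 access-list NAME  -> NAT exemption referencing an ACL
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
# access-list NAME [extended] permit|deny PROTO REST
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")
# Port operators that make an ACE unusable for NAT exemption
PORT_KEYWORDS = ("eq", "gt", "lt", "neq", "range")


def parse_acls(config):
    """Map ACL name -> list of (original line, protocol, remaining tokens)."""
    acls = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, _action, proto, rest = m.groups()
            acls.setdefault(name, []).append((line, proto, rest.split()))
    return acls


def check_nat0_acls(config):
    """Return (acl_name, problem) pairs for every nat 0 ACL entry the ASA would reject."""
    acls = parse_acls(config)
    problems = []
    for raw in config.splitlines():
        m = NAT0_RE.match(raw.strip())
        if not m:
            continue  # policy NAT (id > 0) may carry ports, so only nat 0 is checked
        _ifc, name = m.groups()
        if name not in acls:
            problems.append((name, f'access-list "{name}" does not exist'))
            continue
        for line, proto, tokens in acls[name]:
            if proto != "ip" or any(tok in PORT_KEYWORDS for tok in tokens):
                problems.append((name, line))
    return problems


if __name__ == "__main__":
    for name, problem in check_nat0_acls(SAMPLE_CONFIG):
        print(f"nat 0 ACL {name}: {problem}")
```

Run it against `show running-config` output saved to a file; an empty result means every NAT exemption ACL is IP-only and will survive a reload.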

Anand Narayana Mon, 05/07/2007 - 21:54

Hi,

Thanks for your reply. I do agree, but the same is accepted on a Cisco PIX. Any suggestions?

Anand Narayana Mon, 05/07/2007 - 22:48

Also, if 172.19.5.0 (which is the VPN client IP range) should be able to access only a specific port on my network (172.19.1.0), what should I do on my ASA?
