access-list protocol or port will not be used

Unanswered Question
Jul 6th, 2007

Every time I use the following statement:

nat (inside) 0 access-list inside_acl

I get the following warning

access-list protocol or port will not be used

and nothing works. If I substitute the nat 0 command with a one-to-one static command, i.e.

static (inside,dmz) bla bla, it works.

Can anyone explain why the Nat 0 will not use the access-list ...

thanks

Jon Marshall Fri, 07/06/2007 - 03:19

Hi

It's because your access-list has tcp/udp ports in it. So if you did

access-list inside_acl permit ip 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0

then it would be fine but if you do

access-list inside_acl permit tcp 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0 eq 23

then it will complain. It will use the access-list, but not at the port level.

HTH

Jon

thestagman Fri, 07/06/2007 - 03:46

Hi Jon

I'm not sure I understand why placing a port number on the end of an access list would stop it from working .....

Kind Regards

Mike

Jon Marshall Fri, 07/06/2007 - 04:14

Hi Mike

I'll do a bit of reading. What I can tell you is that any nat statement tied to an access-list can use port numbers in the access-list

unless it is a nat 0 statement. This is a nat exemption and you can't use port numbers in this.

Jon

thestagman Fri, 07/06/2007 - 06:42

Hi Jon

I think you may be right; there is a Nat Exemption on Nat 0 access-lists.

That leaves me a problem. I may have 600 devices coming through the Pix, originating from the inside and going to a destination server on a dmz.

I don't really want to put in 600 static one-to-one commands, i.e.

static (inside, dmz) 10.10.10.1 10.10.10.1

any suggestions ...

Jon Marshall Fri, 07/06/2007 - 06:52

Hi Mike

Do you really need port numbers in your nat exemption list? That would be the easiest way.

Remember that this is purely for NAT, so you use

access-list nonat permit ip 10.10.10.0 255.255.255.0 host DMZHostname

nat (inside) 0 access-list nonat

If you then want to restrict access from inside you could use tcp/udp ports on the access-list on your inside interface.

Alternatively you can use networks in static statements, e.g.

static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

HTH

Jon
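The two rules Jon gives for a nat 0 exemption list (protocol must be ip, no port qualifiers) are easy to check mechanically across a config dump before it is pushed. The following linter is an added example, not from this thread or from Cisco; the sample config lines and addresses in it are constructed placeholders.

```python
"""Flag nat-exemption (nat 0) ACL entries whose protocol or port the PIX ignores."""
import re
from typing import Dict, List, Tuple

# Port operators a tcp/udp ACE may carry; nat 0 silently ignores all of them.
PORT_OPERATORS = {"eq", "neq", "gt", "lt", "range"}

NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def nat_exemption_acls(config: str) -> Dict[str, str]:
    """Map ACL name -> interface for every 'nat (iface) 0 access-list NAME' line."""
    found = {}
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            found[m.group(2)] = m.group(1)
    return found


def ace_problems(ace: str) -> List[str]:
    """Return the reasons one ACE is unsuitable for nat 0 (empty list = fine)."""
    m = ACL_RE.match(ace.strip())
    if not m:
        return ["unparseable ACE"]
    _name, _action, proto, rest = m.groups()
    problems = []
    if proto != "ip":
        problems.append(f"protocol '{proto}' is ignored by nat 0 (use ip)")
    if any(tok in PORT_OPERATORS for tok in rest.split()):
        problems.append("port qualifier is ignored by nat 0")
    return problems


def lint_nat0(config: str) -> List[Tuple[str, str, List[str]]]:
    """Return (acl_name, ace_text, problems) for each offending nat 0 ACE."""
    exempt = nat_exemption_acls(config)  # only ACLs bound to nat 0 matter
    findings = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) in exempt and ace_problems(line):
            findings.append((m.group(1), line.strip(), ace_problems(line)))
    return findings


# Constructed sample: mirrors the thread; 10.20.20.5 is a placeholder DMZ host.
SAMPLE_CONFIG = """
access-list inside_acl permit tcp 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0 eq 23
access-list nonat permit ip 10.10.10.0 255.255.255.0 host 10.20.20.5
access-list outside_in permit tcp any host 10.20.20.5 eq 443
nat (inside) 0 access-list inside_acl
nat (inside) 0 access-list nonat
"""

if __name__ == "__main__":
    for acl, ace, problems in lint_nat0(SAMPLE_CONFIG):
        print(f"{acl}: {ace}\n  -> {'; '.join(problems)}")
```

The interface ACL (outside_in) is deliberately left alone: ports belong there, as Jon says, not in the exemption list.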
