access-list protocol or port will not be used

Jul 6th, 2007
Every time I use the following statement:

nat (inside) 0 access-list inside_acl

I get the following warning:

access-list protocol or port will not be used

and nothing works. If I substitute the nat 0 command with a one-to-one static command, i.e.

static (inside,dmz) bla bla

it works.

Can anyone explain why the nat 0 will not use the access-list...

thanks

Jon Marshall Fri, 07/06/2007 - 03:19
Hi

It's because your access-list has tcp/udp ports in it. So if you did

access-list inside_acl permit ip 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0

then it would be fine, but if you do

access-list inside_acl permit tcp 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0 eq 23

then it will complain. It will use the access-list, but not at the port level.

HTH

Jon

thestagman Fri, 07/06/2007 - 03:46
Hi Jon

I'm not sure I understand why placing a port number on the end of an access list would stop it from working...

Kind Regards

Mike

Jon Marshall Fri, 07/06/2007 - 04:14
Hi Mike

I'll do a bit of reading. What I can tell you is that any nat statement tied to an access-list can use port numbers in the access-list, unless it is a nat 0 statement. This is a NAT exemption and you can't use port numbers in this.

Jon

thestagman Fri, 07/06/2007 - 06:42
Hi Jon

I think you may be right; there is a NAT exemption on nat 0 access-lists.

That leaves me a problem. I may have 600 devices coming through the PIX, originating from the inside and going to a destination server on a DMZ.

I don't really want to put in 600 static one-to-one commands, i.e.

static (inside,dmz) 10.10.10.1 10.10.10.1

Any suggestions...
Jon Marshall Fri, 07/06/2007 - 06:52
Hi Mike

Do you really need port numbers in your NAT exemption list? That would be the easiest way.

Remember that this is purely for NAT, so you use

access-list nonat permit ip 10.10.10.0 255.255.255.0 host DMZHostname

nat (inside) 0 access-list nonat

If you then want to restrict access from inside, you could use tcp/udp ports on the access-list on your inside interface.

Alternatively you can use networks in static statements, e.g.

static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

HTH

Jon
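A configuration check for the condition discussed in this thread, added here as an example and not code from the thread or from Cisco: it parses a constructed PIX-style configuration (sample data, not a real device), finds every nat 0 statement, and reports the entries of the referenced access-list that carry a protocol other than ip or a port qualifier, which is what the "access-list protocol or port will not be used" warning says the NAT exemption will ignore. The regular expressions cover only the plain PIX access-list and nat forms shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample PIX configuration (not from the thread). inside_acl
# repeats the problem from the question; nonat is a clean exemption list.
SAMPLE_CONFIG = """\
access-list inside_acl permit tcp 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0 eq 23
access-list inside_acl permit ip 172.16.5.0 255.255.255.0 10.5.2.0 255.255.255.0
access-list nonat permit ip 10.10.10.0 255.255.255.0 host 10.20.20.5
access-list outside_in permit tcp any host 10.20.20.5 eq 80
nat (inside) 0 access-list inside_acl
nat (dmz) 0 access-list nonat
nat (inside) 1 access-list pat_acl
access-list pat_acl permit tcp 10.10.10.0 255.255.255.0 any eq 80
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
NAT0_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+0\s+access-list\s+(\S+)")
PORT_KEYWORDS = {"eq", "neq", "gt", "lt", "range"}  # port operators in an ACE


def parse_acls(config):
    """Map ACL name -> list of (line_no, protocol, rest-of-entry)."""
    acls = defaultdict(list)
    for no, line in enumerate(config.splitlines(), 1):
        m = ACL_RE.match(line.strip())
        if m:
            name, _action, proto, rest = m.groups()
            acls[name].append((no, proto.lower(), rest))
    return acls


def nat0_acl_findings(config):
    """Return one (line_no, acl_name, reason) per ACE referenced by a nat 0
    statement that carries a protocol or port qualifier the exemption ignores."""
    acls = parse_acls(config)
    findings = []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if not m:
            continue  # only nat 0 (NAT exemption) lists are subject to the warning
        _iface, acl_name = m.groups()
        for no, proto, rest in acls.get(acl_name, []):
            if proto != "ip":
                findings.append((no, acl_name, f"protocol {proto} ignored by nat 0"))
            elif any(t in PORT_KEYWORDS for t in rest.split()):
                findings.append((no, acl_name, "port qualifier ignored by nat 0"))
    return findings
```

The entry that would be flagged here is the tcp/eq 23 line, and the fix is the one given above: rewrite it as permit ip and move the port restriction to the inside interface's access-list.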
