07-06-2007 02:29 AM - edited 03-11-2019 03:41 AM
Every time I use the following statement:
nat (inside) 0 access-list inside_acl
I get the following warning
access-list protocol or port will not be used
and nothing works. If I substitute the nat 0 command with a one to one static command, i.e.
static (inside,dmz) bla bla, it works..
Can anyone explain why the Nat 0 will not use the access-list ...
thanks
07-06-2007 03:19 AM
Hi
It's because your access-list has tcp/udp ports in it. So if you did
access-list inside_acl permit ip 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0
then it would be fine but if you do
access-list inside_acl permit tcp 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0 eq 23
then it will complain. It will use the access-list but not at the port level.
HTH
Jon
07-06-2007 03:46 AM
Hi Jon
I'm not sure I understand why placing a port number on the end of an access list would stop it from working .....
Kind Regards
Mike
07-06-2007 04:14 AM
Hi Mike
I'll do a bit of reading. What I can tell you is that any nat statement tied to an access-list can use port numbers in the access-list
unless it is a nat 0 statement. This is a nat exemption and you can't use port numbers in this.
Jon
07-06-2007 05:13 AM
Hi Jon
Ok, I'll see what I can dig up as well ..
Mike
07-06-2007 06:42 AM
Hi Jon
I think you may be right, there is a NAT exemption on nat 0 access-lists.
That leaves me a problem. I may have 600 devices coming through the PIX, originating from the inside and going to a destination server on a DMZ.
I don't really want to put in 600 static one to one commands, i.e.
static (inside, dmz) 10.10.10.1 10.10.10.1
any suggestions ...
07-06-2007 06:52 AM
Hi Mike
Do you really need port numbers in your nat exemption list? That would be the easiest way.
Remember that this is purely for NAT so you use
access-list nonat permit ip 10.10.10.0 255.255.255.0 host DMZHostname
nat (inside) 0 access-list nonat
If you then want to restrict access from inside you could use tcp/udp ports on the access-list on your inside interface.
Alternatively you can use networks in static statements eg.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
HTH
Jon
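A small checker for the pitfall discussed in this thread, added here as an example and not taken from the posts above or from Cisco: it scans a PIX-style config for nat 0 access-list references and reports the ACEs whose protocol or port qualifiers the NAT exemption will ignore. The config fragment and the 192.168.100.5 address are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample PIX-style config fragment (not a real device's config).
SAMPLE_CONFIG = """
access-list nonat permit ip 10.10.10.0 255.255.255.0 host 192.168.100.5
access-list inside_acl permit tcp 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0 eq 23
access-list inside_acl permit udp any host 10.5.1.9 eq 53
access-list inside_acl permit ip 172.16.6.0 255.255.255.0 10.5.1.0 255.255.255.0
nat (inside) 0 access-list inside_acl
nat (inside) 0 access-list nonat
"""

# "nat (<interface>) 0 access-list <name>" marks <name> as a NAT exemption ACL.
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
# access-list <name> permit|deny <protocol> <rest of the ACE>
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
# Port operators that nat 0 silently ignores ("access-list protocol or port will not be used").
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}


def find_ignored_aces(config: str) -> Dict[str, List[str]]:
    """Return {acl_name: [ACEs whose protocol/port qualifiers a nat 0 exemption ignores]}."""
    acls: Dict[str, List[str]] = {}
    exempt_acls: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            acls.setdefault(m.group(1), []).append(line)
        elif m := NAT0_RE.match(line):
            exempt_acls.append(m.group(1))

    findings: Dict[str, List[str]] = {}
    for name in exempt_acls:
        bad = []
        for ace in acls.get(name, []):
            m = ACE_RE.match(ace)
            proto, rest = m.group(3), m.group(4).split()
            # Only plain "permit ip" ACEs are honoured in full by nat 0.
            if proto != "ip" or any(tok in PORT_OPERATORS for tok in rest):
                bad.append(ace)
        if bad:
            findings[name] = bad
    return findings


if __name__ == "__main__":
    for acl, aces in find_ignored_aces(SAMPLE_CONFIG).items():
        print(f"nat 0 ACL {acl}: {len(aces)} ACE(s) with ignored protocol/port qualifiers")
        for ace in aces:
            print("   ", ace)
```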