access-list protocol or port will not be used

thestagman
Level 1

Every time I use the following statement:

nat (inside) 0 access-list inside_acl

I get the following warning

access-list protocol or port will not be used

and nothing works. If I substitute the nat 0 command with a one-to-one static command, i.e.

static (inside,dmz) bla bla it works..

Can anyone explain why the Nat 0 will not use the access-list ...

thanks

6 Replies

Jon Marshall
Hall of Fame

Hi

It's because your access-list has tcp/udp ports in it. So if you did

access-list inside_acl permit ip 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0

then it would be fine but if you do

access-list inside_acl permit tcp 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0 eq 23

then it will complain. It will use the access-list but not at the port level.

HTH

Jon

Hi Jon

I'm not sure I understand why placing a port number on the end of an access list would stop it from working .....

Kind Regards

Mike

Hi Mike

I'll do a bit of reading. What I can tell you is that any nat statement tied to an access-list can use port numbers in the access-list

unless it is a nat 0 statement. This is a nat exemption and you can't use port numbers in this.

Jon

Hi Jon

Ok, I'll see what I can dig up as well ..

Mike

Hi Jon

I think you may be right, there is a Nat Exemption on Nat 0 access-lists.

That leaves me a problem. I may have 600 devices coming through the Pix originating from the inside going to a destination server on a dmz.

I don't really want to put in 600 static one-to-one commands, i.e.

static (inside, dmz) 10.10.10.1 10.10.10.1

any suggestions ...

Hi Mike

Do you really need port numbers in your nat exemption list? That would be the easiest way.

Remember that this is purely for NAT so you use

access-list nonat permit ip 10.10.10.0 255.255.255.0 host DMZHostname

nat (inside) 0 access-list nonat

If you then want to restrict access from inside you could use tcp/udp ports on the access-list on your inside interface.

Alternatively you can use networks in static statements, e.g.

static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

HTH

Jon
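The rule Jon describes (a nat 0 exemption list is matched on addresses only, so tcp/udp entries or port operators in it are ignored and trigger the "access-list protocol or port will not be used" warning) can be checked offline before a config is pushed. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses access-list and nat statements in PIX-style syntax, finds every nat 0 access-list reference, and reports entries in those lists that specify a protocol other than ip or a port operator. The sample configuration is constructed for this example and reuses the thread's two access-list styles; the `outbound` interface ACL with a port restriction is deliberately left unflagged because it is not referenced by nat 0.

```python
"""Lint PIX/ASA-style configs for nat 0 (NAT exemption) lists with protocol/port entries.

Added example, not part of the forum thread. Assumes classic PIX syntax:
  access-list NAME permit|deny PROTO SRC [MASK] DST [MASK] [eq|neq|lt|gt|range ...]
  nat (IFNAME) 0 access-list NAME
"""
import re

# Port operators that PIX accepts in an ACE but ignores inside a nat 0 list.
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}
NAT_EXEMPTION_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")

# Constructed sample configuration for demonstration only.
SAMPLE_CONFIG = """\
access-list inside_acl permit tcp 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0 eq 23
access-list inside_acl permit ip 172.16.5.0 255.255.255.0 10.5.2.0 255.255.255.0
access-list nonat remark NAT exemption for inside hosts reaching the DMZ server
access-list nonat permit ip 10.10.10.0 255.255.255.0 host 10.20.20.5
access-list outbound permit tcp 10.10.10.0 255.255.255.0 host 10.20.20.5 eq 443
access-group outbound in interface inside
nat (inside) 0 access-list inside_acl
nat (inside) 0 access-list nonat
"""


def parse_acls(config):
    """Group access-list lines by ACL name: {name: [ace_line, ...]}."""
    acls = {}
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "access-list":
            acls.setdefault(parts[1], []).append(line)
    return acls


def nat_exemption_acls(config):
    """Return ACL names referenced by 'nat (if) 0 access-list NAME', in config order."""
    names = []
    for raw in config.splitlines():
        match = NAT_EXEMPTION_RE.match(raw.strip())
        if match:
            names.append(match.group(1))
    return names


def ace_uses_protocol_or_ports(ace):
    """True if the ACE names a protocol other than ip, or carries a port operator.

    Both are exactly what a nat 0 exemption list ignores, which is the condition
    behind the 'access-list protocol or port will not be used' warning.
    """
    parts = ace.split()
    if len(parts) < 4 or parts[2] not in ("permit", "deny"):
        return False  # remark lines and anything else that is not an ACE
    protocol = parts[3].lower()
    if protocol != "ip":
        return True
    return any(token.lower() in PORT_OPERATORS for token in parts[4:])


def check_nat_exemptions(config):
    """Return [(acl_name, ace_line)] for every ignored entry in a nat 0 list."""
    acls = parse_acls(config)
    findings = []
    for name in nat_exemption_acls(config):
        for ace in acls.get(name, []):
            if ace_uses_protocol_or_ports(ace):
                findings.append((name, ace))
    return findings


if __name__ == "__main__":
    for name, ace in check_nat_exemptions(SAMPLE_CONFIG):
        print(f"nat 0 access-list {name}: protocol/port will be ignored in -> {ace}")
```

Running it on the sample flags only the telnet entry in `inside_acl`; the `nonat` list is ip-only and passes, and the port restriction on `outbound` is left where Jon says it belongs, on the interface ACL applied with access-group.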
