About Nat 0 exempt

Unanswered Question
Jul 18th, 2007

Hello, I want to ask if I could use a specific port in the access list assigned to nat 0 exempt, because I want the remote LAN to be able to access only a specific port in the local LAN. I use ASA 7.1(2).


Jon Marshall Thu, 07/19/2007 - 04:48

Hi Charles

No you can't. You can use ports in access-lists for policy NAT but you cannot use a port number in an access-list used for NAT exemption.



ggilbert Thu, 07/19/2007 - 06:59

Just like Jon said, you can't use an access-list with ports for NAT exemption.


Charles_Chi4 Thu, 07/19/2007 - 18:10

Hi jon,

Thank you so much for your reply

Therefore I want to ask how I could limit access from the remote LAN to a specific port. I already activated the sysopt in the ASA. Or do I just have the option of applying the ACL on the device that is directly connected to the inside interface of the ASA?

Jon Marshall Thu, 07/19/2007 - 18:52

Hi Charles

You will need to use an access-list that is applied to one of your interfaces, presumably the outside.

Not sure what you mean by sysopt in ASA. If you are talking about IPSEC you can either use a vpn tunnel filter or an outbound access-list on your inside interface.

Hope I've understood.


Charles_Chi4 Thu, 07/19/2007 - 18:57

Hi Jon,

I use sysopt connection permit-vpn in the ASA so that every VPN packet bypasses all interface access lists in the ASA.

Jon Marshall Thu, 07/19/2007 - 19:03


sysopt connection permit-vpn allows IPSEC traffic to bypass the acl. So if you terminate the VPN on the outside interface of your ASA then the traffic will not be subject to the outside acl.

But once it is unencrypted by the ASA any other acl it goes through still applies. So if you applied an access-list in the outbound direction on your inside interface you could still restrict what traffic could go through. If you do this please remember there is an explicit deny at the end of every access-list.



Charles_Chi4 Thu, 07/19/2007 - 20:10

Hi Jon,

I'm clear enough now, thanks to you. But I've already applied ACLs inbound on inside and outside. So could I restrict remote access to a specific port through the interesting traffic defined in the tunnel establishment? Because I couldn't do it in the inbound ACL on inside or in the nat 0 exempt.

Jon Marshall Thu, 07/19/2007 - 22:44


You can use ports in your crypto access-list if you want but there is a performance overhead associated with this.

Could you just explain why you cannot just add an outbound acl on your inside interface ?


Charles_Chi4 Thu, 07/19/2007 - 23:14

Hi Jon,

I've already configured an inbound ACL on the inside interface. And as far as I know, we couldn't assign more than one ACL to one interface. The inbound ACL is used to limit internet access and remote access through the VPN tunnel. It's already in production.

If you say so, maybe I should put the ACL in the core switch directly connected to this ASA.

Jon Marshall Thu, 07/19/2007 - 23:27

Hi Charles

From the ASA 7.1 configuration guide:

To apply an extended access list to the inbound or outbound direction of an interface, enter the following command:

    hostname(config)# access-group access_list_name {in | out} interface interface_name

You can apply one access list of each type (extended and EtherType) to both directions of the interface. See the "Inbound and Outbound Access List Overview" section for more information about access list directions.

So you can apply an acl both outbound and inbound on an interface.

As I say though, if you are using this to restrict traffic to a certain host then allow the host traffic, deny any other traffic to the host and then end with a "permit ip any any", or else you could cut users off.
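The approach the thread settles on, written out as an added example that is not from the original posts or from Cisco documentation: NAT exemption and the crypto ACL stay subnet-to-subnet (no ports), the port restriction lives in an outbound ACL on the inside interface, and the list ends with an explicit "permit ip any any". All addresses, the server host, the port and the ACL names (NAT0_EXEMPT, VPN_TRAFFIC, INSIDE_OUT, INSIDE_IN) are constructed for illustration.

```cisco
! Added example, not from the thread. Constructed values:
!   local LAN behind "inside"            : 192.168.10.0/24
!   server the remote LAN may reach      : 192.168.10.50 (hypothetical), TCP/3389 only
!   remote LAN on the far side of the VPN: 192.168.20.0/24 (hypothetical)

! 1. NAT exemption. Ports are not honoured in this ACL, so it is subnet-to-subnet only.
access-list NAT0_EXEMPT extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NAT0_EXEMPT

! 2. Crypto ACL (interesting traffic). Ports are possible here, but the thread notes a
!    performance cost, so the list stays broad and the filtering is done in step 3.
access-list VPN_TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! 3. Outbound ACL on the inside interface. "sysopt connection permit-vpn" only bypasses
!    the ACL on the interface where the tunnel terminates (outside); decrypted traffic
!    leaving the ASA towards the LAN is still checked here. Order matters:
!      a) allow the one port to the one host
!      b) deny everything else from the remote LAN into the local LAN (logged for visibility)
!      c) permit ip any any, otherwise the implicit deny at the end would also drop
!         traffic from other sources that this direction carries (e.g. permitted
!         inbound connections from another interface).
access-list INSIDE_OUT extended permit tcp 192.168.20.0 255.255.255.0 host 192.168.10.50 eq 3389
access-list INSIDE_OUT extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 log
access-list INSIDE_OUT extended permit ip any any
access-group INSIDE_OUT out interface inside

! 4. The existing inbound ACL on inside is untouched: one extended ACL per direction per
!    interface is allowed, so both can coexist. (Name hypothetical; already in production.)
! access-group INSIDE_IN in interface inside

! Check: per-entry hit counts show which line remote-LAN flows are matching.
show access-list INSIDE_OUT
```

The deny in step 3b is scoped to the remote LAN rather than to "any", so the final permit is only needed to protect traffic from other sources; either way the explicit "permit ip any any" is what keeps the implicit deny from cutting other users off.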