ACL NAT ICMP Confusion

Unanswered Question
Sep 21st, 2007

Riddle me this.....

Given an ACL that has the following line in it:

access-list TEST-NONAT extended permit icmp host EDISRV host X.X.X.X

When I attempt the following I get this error message:

ASA(config)# nat (INSIDE) 0 access-list TEST-NONAT

ERROR: access-list has protocol or port


At which point I scratch my head and say "well of course the ACL has a protocol and port".

If I remove the ACL line I posted above, the nat statement is accepted just fine.

I do not understand why.

Jon Marshall Fri, 09/21/2007 - 10:33


You cannot use a port in an access-list that is there for NAT exemption.

You can use ports in access-lists for policy NAT.
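As an added illustration of the rule in this answer (this is not code from the thread or from Cisco): a small Python lint that reads ACL lines in the `access-list NAME extended permit ...` syntax used above and reports every entry the ASA would reject for `nat (iface) 0 access-list`, i.e. any entry whose protocol is not `ip` or that carries a port operator. It also rewrites an offending entry into the address-only form that NAT exemption accepts. The function names, the parsing rules and all sample lines except the one quoted from the question are my own assumptions.

```python
"""Lint an ASA ACL for use with 'nat (iface) 0 access-list' (NAT exemption).

NAT exemption ACLs may only match on source and destination addresses: an entry
that names a transport protocol (tcp/udp/icmp/...) or a port operator is
rejected with "ERROR: access-list has protocol or port". Policy NAT ACLs do not
have this restriction. All names below are assumptions for this example.
"""

PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}

# Constructed sample ACL: line 1 is the entry quoted in the question, the rest
# are made-up entries to exercise the check.
SAMPLE_ACL = """\
access-list TEST-NONAT extended permit icmp host EDISRV host X.X.X.X
access-list TEST-NONAT extended permit ip host EDISRV host X.X.X.X
access-list TEST-NONAT extended permit tcp host EDISRV host X.X.X.X eq 443
access-list TEST-NONAT extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
"""


def _take_address(tokens):
    """Consume one address spec ('any', 'host A', 'object X', 'A MASK') -> (spec, rest)."""
    if not tokens:
        raise ValueError("truncated ACE: missing address")
    if tokens[0] == "any":
        return "any", tokens[1:]
    # 'host A', 'object X', 'object-group X', 'interface X' and 'NET MASK' are all two tokens
    return " ".join(tokens[:2]), tokens[2:]


def _take_ports(tokens, found):
    """Consume a leading port operator (eq/gt/lt/neq X, or range X Y) if present."""
    if tokens and tokens[0] in PORT_OPERATORS:
        n = 3 if tokens[0] == "range" else 2
        found.append(" ".join(tokens[:n]))
        return tokens[n:]
    return tokens


def parse_ace(line):
    """Parse one extended ACE into its fields; None for remarks, standard ACLs, blanks."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    name, action = tokens[1], tokens[3]
    # A service object in the protocol position ('object X') takes two tokens.
    if tokens[4] in ("object", "object-group"):
        proto, rest = " ".join(tokens[4:6]), tokens[6:]
    else:
        proto, rest = tokens[4], tokens[5:]
    ports = []
    src, rest = _take_address(rest)
    rest = _take_ports(rest, ports)      # optional source port (tcp/udp)
    dst, rest = _take_address(rest)
    rest = _take_ports(rest, ports)      # optional destination port
    return {"name": name, "action": action, "protocol": proto,
            "src": src, "dst": dst, "ports": ports, "trailing": rest}


def nat_exempt_problems(acl_text):
    """Return [(line_no, line, reason)] for every ACE the ASA would reject."""
    problems = []
    for n, raw in enumerate(acl_text.splitlines(), start=1):
        ace = parse_ace(raw.strip())
        if ace is None:
            continue
        if ace["protocol"] != "ip":
            problems.append((n, raw, f"protocol '{ace['protocol']}' (only 'ip' is accepted)"))
        elif ace["ports"]:
            problems.append((n, raw, "port match " + " ".join(ace["ports"])))
    return problems


def rewrite_for_nat_exemption(line):
    """Rewrite an ACE to the address-only form NAT exemption accepts."""
    ace = parse_ace(line.strip())
    if ace is None:
        raise ValueError("not an extended ACE")
    return f"access-list {ace['name']} extended {ace['action']} ip {ace['src']} {ace['dst']}"


if __name__ == "__main__":
    for line_no, line, reason in nat_exempt_problems(SAMPLE_ACL):
        print(f"line {line_no}: {reason}")
        print(f"  rejected : {line}")
        print(f"  exemption: {rewrite_for_nat_exemption(line)}")
```

Running it against the sample flags lines 1 and 3 and prints the `permit ip host EDISRV host X.X.X.X` form for each; the original protocol-specific entry still belongs in the interface ACL or a policy NAT ACL, where protocols and ports are allowed.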



whisperwind Fri, 09/21/2007 - 10:53

Come on srue that is not helpful at all.

Why, when exempting ping, is it denied? I can understand the port, but not ICMP; can anyone explain that to me?

srue Fri, 09/21/2007 - 11:08

You probably need to ask Cisco about the reasoning behind this logic. Maybe they saw no need to allow users to be able to use NAT exemption based on ports/protocols.

