09-21-2007 10:24 AM - edited 03-11-2019 04:15 AM
Riddle me this.....
Given an ACL that has the following line in it:
access-list TEST-NONAT extended permit icmp host EDISRV host X.X.X.X
When I attempt the following I get this error message:
ASA(config)# nat (INSIDE) 0 access-list TEST-NONAT
ERROR: access-list has protocol or port
ASA(config)#
At which point I scratch my head and say "well, of course the ACL has a protocol and port".
If I remove the ACL line I posted above, the nat statement is accepted just fine.
I do not understand why.
09-21-2007 10:33 AM
Hi
You cannot use a port in an access-list that is there for NAT exemption.
You can use ports in access-lists for policy NAT.
HTH
Jon
09-21-2007 10:42 AM
Yeah, but ICMP is a protocol, not a port...
09-21-2007 10:47 AM
And the error says "protocol or port".
09-21-2007 10:53 AM
Come on, sure, that is not helpful at all.
Why is it denied when exempting ping to something? I can understand the port but not ICMP; can anyone explain that to me?
09-21-2007 11:08 AM
You probably need to ask Cisco about the reasoning behind this logic. Maybe they saw no need to allow users to use NAT exemption based on ports/protocols.
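Putting Jon's answer and the ICMP question side by side, here is an added ASA configuration example (not from the original thread): the ACL line from the question, which the nat 0 command rejects, next to the IP-only form it accepts. It assumes the interface name INSIDE and the hosts EDISRV and X.X.X.X exactly as written in the thread, and that the ASA runs the pre-8.3 nat 0 syntax shown there.

```text
! --- Rejected: NAT exemption matches on source/destination IP only,
!     so any protocol other than "ip" (icmp, tcp, udp) or any port
!     makes "nat 0 access-list" fail with
!     "ERROR: access-list has protocol or port".
access-list TEST-NONAT extended permit icmp host EDISRV host X.X.X.X
nat (INSIDE) 0 access-list TEST-NONAT

! --- Accepted: same two hosts, protocol "ip".  Because exemption is
!     address-based, this also covers ICMP (ping) between the hosts.
no access-list TEST-NONAT extended permit icmp host EDISRV host X.X.X.X
access-list TEST-NONAT extended permit ip host EDISRV host X.X.X.X
nat (INSIDE) 0 access-list TEST-NONAT

! --- Limiting the exempted pair to ICMP is a filtering decision and
!     belongs in the interface ACL, which does accept protocols/ports.
!     (Interface ACL name and direction are assumptions for this example.)
access-list INSIDE-IN extended permit icmp host EDISRV host X.X.X.X
access-group INSIDE-IN in interface INSIDE

! --- Verify the exemption was installed.
show running-config nat
```

After the change, the nat 0 line should appear in the output of the show command; if the error returns, check every entry in TEST-NONAT for a protocol other than ip or an operator such as eq.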