ACL NAT ICMP Confusion

whisperwind
Level 1

Riddle me this.....

Given an ACL that has the following line in it:

access-list TEST-NONAT extended permit icmp host EDISRV host X.X.X.X

When I attempt the following I get this error message:

ASA(config)# nat (INSIDE) 0 access-list TEST-NONAT

ERROR: access-list has protocol or port

ASA(config)#

At which point I scratch my head and say "well of course the acl has a protocol and port"

If I remove the ACL line I posted above the nat statement is accepted just fine.

I do not understand why.

5 Replies

Jon Marshall
Hall of Fame

Hi

You cannot use a port in an access-list that is there for NAT exemption.

You can use ports in access-lists for policy NAT.

HTH

Jon
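The rule in the reply above (a NAT exemption ACL may only match address pairs, so anything more specific than protocol `ip` with no port or type qualifier is rejected, and belongs in policy NAT instead) is easy to pre-check before pasting a `nat (INSIDE) 0 access-list` command. The following Python script is an added example written for this thread; it is not from the original posts or from Cisco. It parses ASA `extended` ACEs, reports why each line would fail the NAT exemption check, and prints the address-only rewrite. The ACL lines are constructed for the example: `EDISRV` is the object name from the post, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for `X.X.X.X`.

```python
"""Pre-check an ASA extended ACL for use with `nat (IF) 0 access-list NAME`.

Added example for this forum thread, not Cisco's own tooling. It encodes the
rule stated in the reply above and implied by the ASA error
"access-list has protocol or port": an ACL bound to NAT exemption must match
on IP addresses only, i.e. protocol `ip` with no port, ICMP-type or other
qualifier. Anything more specific belongs in policy NAT.
"""
import re

# Port operators that may follow an address in an ASA ACE, with operand counts.
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+(?P<rest>.+)$"
)


def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next_index)."""
    kw = tokens[i]
    if kw in ("any", "any4", "any6"):
        return kw, i + 1
    if kw in ("host", "object", "object-group", "interface"):
        return f"{kw} {tokens[i + 1]}", i + 2
    # Bare "network mask" form.
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def _take_port(tokens, i):
    """Consume an optional port operator; return (spec or None, next_index)."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return " ".join(tokens[i : i + 1 + n]), i + 1 + n
    return None, i


def parse_ace(line):
    """Split one `access-list NAME extended permit|deny ...` line into fields."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an extended ACE: {line!r}")
    tokens = m.group("rest").split()
    proto = tokens[0]
    src, i = _take_addr(tokens, 1)
    src_port, i = _take_port(tokens, i)
    dst, i = _take_addr(tokens, i)
    dst_port, i = _take_port(tokens, i)
    # Whatever remains (ICMP type, `log ...`, `time-range ...`) is a qualifier.
    return {
        "name": m.group("name"),
        "action": m.group("action"),
        "protocol": proto,
        "src": src,
        "src_port": src_port,
        "dst": dst,
        "dst_port": dst_port,
        "trailing": tokens[i:],
    }


def nat_exemption_problems(line):
    """Return the reasons this ACE is unusable for `nat 0 access-list` ([] if fine)."""
    ace = parse_ace(line)
    problems = []
    if ace["protocol"] != "ip":
        problems.append(f"protocol '{ace['protocol']}' (NAT exemption needs 'ip')")
    if ace["src_port"]:
        problems.append(f"source port qualifier '{ace['src_port']}'")
    if ace["dst_port"]:
        problems.append(f"destination port qualifier '{ace['dst_port']}'")
    trailing = ace["trailing"]
    if "log" in trailing:  # logging options are harmless; ignore them
        trailing = trailing[: trailing.index("log")]
    if trailing:
        problems.append(f"extra qualifier '{' '.join(trailing)}'")
    return problems


def to_nat_exemption_ace(line):
    """Rewrite an ACE so it matches the address pair only, as `nat 0` requires."""
    ace = parse_ace(line)
    return f"access-list {ace['name']} extended {ace['action']} ip {ace['src']} {ace['dst']}"


def check_acl(lines):
    """Return [(line, problems)] for every ACE that NAT exemption would reject."""
    result = []
    for line in lines:
        problems = nat_exemption_problems(line)
        if problems:
            result.append((line, problems))
    return result


# Constructed sample ACL; the first line mirrors the one from the post.
SAMPLE_ACL = [
    "access-list TEST-NONAT extended permit icmp host EDISRV host 192.0.2.10",
    "access-list TEST-NONAT extended permit ip 10.1.1.0 255.255.255.0 198.51.100.0 255.255.255.0",
    "access-list TEST-NONAT extended permit tcp host 10.1.1.5 host 198.51.100.5 eq 443",
    "access-list TEST-NONAT extended permit icmp any host 198.51.100.5 echo",
]

if __name__ == "__main__":
    for bad_line, reasons in check_acl(SAMPLE_ACL):
        print(bad_line)
        for reason in reasons:
            print("   rejected:", reason)
        print("   use instead:", to_nat_exemption_ace(bad_line))
```

Run against the sample, the script flags the ICMP and TCP lines and leaves the `permit ip` network pair alone; for the poster's line it proposes `permit ip host EDISRV host 192.0.2.10`. If the intent really is to exempt only ICMP (or only a port), that is a policy NAT ACL, not a `nat 0` one.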

yeah but icmp is a protocol not a port....

and the error says "protocol or port".

Come on, sure, that is not helpful at all.

Why is exempting a ping to something denied? I can understand the port but not ICMP. Can anyone explain that to me?

You probably need to ask Cisco about the reasoning behind this logic. Maybe they saw no need to allow users to be able to use NAT exemption based on ports/protocols.
