Jon Marshall Wed, 12/10/2008 - 14:03

You can't use port numbers in a nat exemption access-list.


Jon

Amin Shaikh Wed, 12/10/2008 - 14:45

So if I want to do a NAT 0 to an ACL NONAT, what should I do?


I already used to have the following on my ASA firewall:


global (outside) 2 interface

nat (inside) 0 access-list NONAT

nat (inside) 2 192.168.1.103 255.255.255.255

nat (inside) 2 192.168.10.0 255.255.255.0

nat (inside) 2 192.168.20.0 255.255.255.0

nat (inside) 2 192.168.30.0 255.255.255.0



ajagadee Wed, 12/10/2008 - 16:25

Hi,


How is your NONAT ACL configured? As per Jon's post, ports are not supported in a NAT 0 ACL.


For example:


ciscoasa(config)# access-list NONAT permit tcp 192.68.10.0 255.255.255.0 any

ciscoasa(config)# nat (inside) 0 access-list NONAT

ERROR: access-list has protocol or port


So, you could configure your NONAT ACL using ip as the protocol:


ciscoasa(config)# access-list NONAT permit ip 192.68.10.0 255.255.255.0 any

ciscoasa(config)# nat (inside) 0 access-list NONAT


Regards,

Arul


*Pls rate if it helps*



Amin Shaikh Thu, 12/11/2008 - 02:34

Hello,


My NAT is configured as:


access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.5.0 255.255.255.0

access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.10.0 255.255.255.0

access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.20.0 255.255.255.0


But I still get the same error?



husycisco Thu, 12/11/2008 - 05:16

The correct one is the following:


access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0


Also make sure VPNCLNT is a name assigned to a subnet, not a single host.


If you still get the same error, simply create a new ACL as follows:


access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0


nat (inside) 0 access-list inside_nat0_outbound
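The thread turns on two configuration checks: a NAT exemption ACL must use `ip` with no port operators (Arul's "ERROR: access-list has protocol or port"), and its entries must list the inside subnets as the source and the remote VPN subnet as the destination (husycisco's corrected lines). The following Python lint, added here as an example and not code from Cisco or from any poster, runs both checks over ACL lines before they are pasted into an ASA. The inside subnets are taken from the thread; the address for VPNCLNT and the sample lines are constructed, since the thread never states what VPNCLNT resolves to.

```python
"""Lint Cisco ASA NAT-exemption (nat 0) ACL entries for the two mistakes
discussed in this thread. Added example, not Cisco code and not from any
poster; the VPNCLNT address and the sample lines below are constructed.

Findings returned per entry:
  "protocol"          - protocol is not `ip` (ASA: "access-list has protocol or port")
  "port"              - a port operator (eq/gt/lt/neq/range) is present
  "source-not-inside" - the source is not an inside subnet, so the entry will
                        not match traffic leaving the inside interface
  "malformed"         - the line could not be parsed as an ACE
"""
import ipaddress

PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}


def _consume_addr(tokens, i, names):
    """Consume one address specifier at tokens[i]: 'any', 'host X' or 'X MASK'.
    Object names (as set with the ASA `name` command) are resolved via `names`.
    Returns (network, or None for 'any'; index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return None, i + 1
    if tok == "host":
        addr = names.get(tokens[i + 1], tokens[i + 1])
        return ipaddress.ip_network(f"{addr}/32"), i + 2
    addr = names.get(tok, tok)
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def _consume_port(tokens, i):
    """Return (True, next index) if a port operator sits at tokens[i], else (False, i)."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        return True, i + (3 if tokens[i] == "range" else 2)   # 'range LO HI' has two operands
    return False, i


def lint_nat0_ace(line, inside_subnets, names=None):
    """Return the list of finding tags for one access-list line (empty = usable in nat 0)."""
    names = names or {}
    tokens = line.split()
    findings = []
    try:
        if tokens[0] != "access-list":
            return ["malformed"]
        i = 3 if tokens[2] == "extended" else 2       # skip the ACL name and optional keyword
        if tokens[i] not in ("permit", "deny"):
            return ["malformed"]
        i += 1
        proto = tokens[i]
        i += 1
        src, i = _consume_addr(tokens, i, names)
        src_port, i = _consume_port(tokens, i)
        dst, i = _consume_addr(tokens, i, names)
        dst_port, i = _consume_port(tokens, i)
    except (IndexError, ValueError):                  # too few tokens or an unresolvable address
        return ["malformed"]

    if proto != "ip":
        findings.append("protocol")
    if src_port or dst_port:
        findings.append("port")
    inside = [ipaddress.ip_network(s) for s in inside_subnets]
    if src is not None and not any(src.subnet_of(n) for n in inside):
        findings.append("source-not-inside")
    return findings


def lint_acl(lines, inside_subnets, names=None):
    """Map each offending line to its findings; clean lines are omitted."""
    report = {}
    for line in lines:
        findings = lint_nat0_ace(line, inside_subnets, names)
        if findings:
            report[line] = findings
    return report


# Constructed sample: inside subnets from the thread, a made-up address for VPNCLNT.
INSIDE_SUBNETS = ["192.168.5.0/24", "192.168.10.0/24", "192.168.20.0/24"]
NAMES = {"VPNCLNT": "10.200.0.0"}           # assumption: the thread never gives this address
SAMPLE_ACL = [
    "access-list NONAT permit tcp 192.168.10.0 255.255.255.0 any eq 443",
    "access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.5.0 255.255.255.0",
    "access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0",
]

if __name__ == "__main__":
    for line, findings in lint_acl(SAMPLE_ACL, INSIDE_SUBNETS, NAMES).items():
        print(f"{', '.join(findings):28} {line}")
```

The first sample line is rejected for both the protocol and the port (the same condition the ASA reports as "access-list has protocol or port"), the second for having the VPN subnet as its source, and the third passes, matching the corrected entries in the post above.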


