Amin Shaikh Wed, 12/10/2008 - 14:45

So if I want to do a NAT 0 to an ACL NONAT, what should I do?

I already used to have the following on my ASA firewall:


global (outside) 2 interface
nat (inside) 0 access-list NONAT
nat (inside) 2 192.168.1.103 255.255.255.255
nat (inside) 2 192.168.10.0 255.255.255.0
nat (inside) 2 192.168.20.0 255.255.255.0
nat (inside) 2 192.168.30.0 255.255.255.0



ajagadee Wed, 12/10/2008 - 16:25

Hi,


How is your NONAT ACL configured? As per Jon's post, ports are not supported in a NAT 0 ACL.


For example:


ciscoasa(config)# access-list NONAT permit tcp 192.68.10.0 255.255.255.0 any
ciscoasa(config)# nat (inside) 0 access-list NONAT
ERROR: access-list has protocol or port


So, you could configure your NONAT ACL using IP:


ciscoasa(config)# access-list NONAT permit ip 192.68.10.0 255.255.255.0 any
ciscoasa(config)# nat (inside) 0 access-list NONAT


Regards,

Arul


*Pls rate if it helps*



Amin Shaikh Thu, 12/11/2008 - 02:34

Hello,


My NAT is configured as:


access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.5.0 255.255.255.0
access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.20.0 255.255.255.0


But I still get the same error?



husycisco Thu, 12/11/2008 - 05:16

The correct one is the following:


access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0


Also make sure VPNCLNT is a name assigned to a subnet, not a single host.


If you still get the same error, simply create a new ACL as follows:


access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
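The two checks the thread converges on (a NAT 0 ACL must use `permit ip` with no ports, and its source should be the inside subnet with the VPN client pool as destination) can be linted before pasting config into the ASA. This is an added example, not code from the thread or from Cisco; the address behind the `VPNCLNT` name and the list of inside subnets are constructed assumptions.

```python
"""Lint ACEs intended for an ASA 'nat (inside) 0 access-list NAME' (NAT exemption).

Added example, not from the thread. It mirrors the checks discussed above:
(1) the ASA rejects a NAT 0 ACL whose ACEs carry a non-ip protocol or a port
    ("ERROR: access-list has protocol or port"), and
(2) the source should be the inside subnet, the destination the VPN pool.
"""
import re

# Assumed: VPNCLNT is a 'name' statement mapped to a subnet (constructed address).
NAMES = {"VPNCLNT": "192.168.100.0"}
# Constructed from the inside networks that appear in the thread's ACL.
INSIDE_SUBNETS = {"192.168.5.0", "192.168.10.0", "192.168.20.0"}

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?:extended\s+)?(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+)$"
)


def _take_addr(tokens):
    """Pop one address spec (any | host X | X MASK) and return (addr, mask)."""
    tok = tokens.pop(0)
    if tok == "any":
        return "any", "0.0.0.0"
    if tok == "host":
        return tokens.pop(0), "255.255.255.255"
    return tok, tokens.pop(0)


def lint_nat0_ace(line):
    """Return a list of problems for one ACE; an empty list means acceptable."""
    m = ACE_RE.match(line.strip())
    if not m:
        return ["unparseable ACE"]
    problems = []
    if m.group("proto") != "ip":
        problems.append(f"protocol {m.group('proto')} not allowed in NAT 0 ACL")
    tokens = m.group("rest").split()
    try:
        src, src_mask = _take_addr(tokens)
        dst, dst_mask = _take_addr(tokens)
    except IndexError:
        return problems + ["incomplete address specification"]
    if tokens:  # anything after the destination is a port/operator spec
        problems.append("port specification not allowed in NAT 0 ACL: " + " ".join(tokens))
    if src != "any" and NAMES.get(src, src) not in INSIDE_SUBNETS:
        problems.append(f"source {src} is not an inside subnet (src/dst reversed?)")
    if "255.255.255.255" in (src_mask, dst_mask):
        problems.append("host mask used; the VPN client name should map to a subnet")
    return problems


def lint_acl(lines):
    """Map each non-empty ACE line to its list of problems."""
    return {ln: lint_nat0_ace(ln) for ln in lines if ln.strip()}
```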


