NAT Error

Amin Shaikh
Level 1

Hello,

I want to add nat (inside) 0 access-list NONAT

but I get the error

"Access-list has protocol or port"

I have checked, and there is no entry with "nat (inside) 0 access-list".

5 Replies

Jon Marshall
Hall of Fame

You can't use port numbers in a nat exemption access-list.

Jon

So if I want to do a NAT 0 to an ACL NONAT, what should I do?

I already used to have the following on my ASA firewall:

global (outside) 2 interface

nat (inside) 0 access-list NONAT

nat (inside) 2 192.168.1.103 255.255.255.255

nat (inside) 2 192.168.10.0 255.255.255.0

nat (inside) 2 192.168.20.0 255.255.255.0

nat (inside) 2 192.168.30.0 255.255.255.0

Hi,

How is your NONAT ACL configured? As per Jon's post, ports are not supported in a NAT 0 ACL.

For example:

ciscoasa(config)# access-list NONAT permit tcp 192.68.10.0 255.255.255.0 any

ciscoasa(config)# nat (inside) 0 access-list NONAT

ERROR: access-list has protocol or port

So you could configure your NONAT ACL using IP:

ciscoasa(config)# access-list NONAT permit ip 192.68.10.0 255.255.255.0 any

ciscoasa(config)# nat (inside) 0 access-list NONAT

Regards,

Arul

*Please rate if it helps*

Hello,

My NAT is configured as:

access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.5.0 255.255.255.0

access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.10.0 255.255.255.0

access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.20.0 255.255.255.0

But I still get the same error?

The correct one is the following:

access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0

Also make sure VPNCLNT is a name assigned to a subnet, not a single host.

If you still get the same error, simply create a new ACL as follows:

access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
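As an added example that is not part of this thread, the Python script below lints an ASA access-list before it is bound with nat (inside) 0. It implements the two checks the replies describe: any ACE with a protocol other than ip, or with a port operator (eq, gt, lt, neq, range), is the cause of the "access-list has protocol or port" error Arul reproduced; and, given the inside networks, an ACE whose source is not an inside network is the reversed ACL from the post above (for nat (inside) 0 the source must be the inside, real address, and the VPN pool the destination). It goes one step beyond the thread by also flagging a source of any, because nat exemption is evaluated before the other nat statements, so exempting all inside traffic would leave nothing for the nat (inside) 2 PAT rules. The VPNCLNT address, the inside subnets and the sample ACL text are constructed for the demo and are not taken from the original post.

```python
"""Lint an ASA access-list before binding it with `nat (inside) 0 access-list NAME`.

Added example, not from the thread. Checks:
  1. the ASA rejects the bind ("access-list has protocol or port") if any ACE
     uses a protocol other than ip or carries a port operator;
  2. for nat (inside) 0 the ACE source must be an inside (real) network, so a
     reversed ACE (VPN pool as source) or a source of `any` is flagged.
Assumptions: the `name` mapping, subnet values and inside networks below are
constructed for the demo and do not come from the original post.
"""
import ipaddress

PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}
ACTIONS = {"permit", "deny"}

# Constructed sample: a remark, a tcp/port line of the kind Arul showed, the
# reversed ACE from the thread, a correct ACE, and an over-broad `any any`.
# The address behind the VPNCLNT name is an assumption.
SAMPLE_NAMES = {"VPNCLNT": "192.168.50.0"}
SAMPLE_INSIDE_NETS = ["192.168.5.0/24", "192.168.10.0/24", "192.168.20.0/24"]
SAMPLE_ACL = """\
access-list NONAT remark exempt VPN client traffic from PAT
access-list NONAT extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.5.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list NONAT extended permit ip any any
"""


def _resolve(addr, mask, names):
    """Address token (literal or a `name`) plus dotted mask -> network, or None."""
    addr = names.get(addr, addr)
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def _take_addr(tokens, i, names):
    """Consume one ASA address spec starting at tokens[i]; return (spec, next_i)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return {"kind": "any"}, i + 1
    if t == "host":
        return {"kind": "host", "net": _resolve(tokens[i + 1], "255.255.255.255", names)}, i + 2
    if t in ("object", "object-group"):
        return {"kind": t, "name": tokens[i + 1]}, i + 2
    # plain `ADDR MASK` or `NAME MASK` as in the thread's VPNCLNT lines
    return {"kind": "net", "net": _resolve(t, tokens[i + 1], names)}, i + 2


def _take_ports(tokens, i):
    """Consume an optional port operator (`eq 443`, `range 1 1024`, ...)."""
    if i < len(tokens) and tokens[i] in PORT_OPERATORS:
        n = 3 if tokens[i] == "range" else 2
        return tokens[i:i + n], i + n
    return [], i


def parse_ace(line, names=None):
    """Parse one extended ACE; return None for remarks or unparseable lines."""
    names = names or {}
    tokens = line.split()
    try:
        if len(tokens) < 4 or tokens[0] != "access-list":
            return None
        i = 2
        if tokens[i] == "extended":
            i += 1
        if tokens[i] not in ACTIONS:  # e.g. `remark`
            return None
        ace = {"name": tokens[1], "action": tokens[i], "proto": tokens[i + 1], "raw": line}
        i += 2
        ace["src"], i = _take_addr(tokens, i, names)
        ace["src_ports"], i = _take_ports(tokens, i)
        ace["dst"], i = _take_addr(tokens, i, names)
        ace["dst_ports"], i = _take_ports(tokens, i)
        return ace
    except IndexError:  # truncated line
        return None


def lint_nat0_acl(acl_text, names=None, inside_nets=None):
    """Return [(line_no, reason)] for ACEs the ASA rejects under nat 0, or that
    are misdirected for `nat (inside) 0` when inside_nets is given."""
    inside = [ipaddress.ip_network(n) for n in (inside_nets or [])]
    findings = []
    for line_no, line in enumerate(acl_text.splitlines(), 1):
        ace = parse_ace(line.strip(), names)
        if ace is None:
            continue
        # 1. Whole-ACL rejection: "ERROR: access-list has protocol or port"
        if ace["proto"] != "ip":
            findings.append((line_no, f"protocol '{ace['proto']}' (nat 0 ACL must use ip)"))
        for side in ("src_ports", "dst_ports"):
            if ace[side]:
                findings.append((line_no, f"port match '{' '.join(ace[side])}' not allowed"))
        # 2. Direction: for nat (inside) 0 the SOURCE is the inside (real) address
        if inside:
            src = ace["src"]
            if src["kind"] == "any":
                findings.append((line_no, "source any exempts every inside host from NAT"))
            elif src.get("net") is not None and not any(src["net"].subnet_of(n) for n in inside):
                findings.append((line_no, f"source {src['net']} is not an inside network (ACE may be reversed)"))
    return findings


def check_sample():
    return lint_nat0_acl(SAMPLE_ACL, SAMPLE_NAMES, SAMPLE_INSIDE_NETS)


if __name__ == "__main__":
    for n, reason in check_sample():
        print(f"line {n}: {reason}")
```

Run it against the output of show running-config access-list NONAT (with the name lines from show running-config names) before issuing the nat (inside) 0 bind; every finding under check 1 is a line the ASA will refuse, and check 2 catches the reversed source/destination that produced the silent failure in the thread.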
