12-10-2008 01:58 PM - edited 03-11-2019 07:24 AM
Hello,
I want to add nat (inside) 0 access-list NONAT
but I get the error
"Access-list has protocol or port"
I have checked that there is no entry with "nat (inside) 0 access-list"
12-10-2008 02:03 PM
You can't use port numbers in a nat exemption access-list.
Jon
12-10-2008 02:45 PM
So if I want to do a NAT 0 to an ACL NONAT, what should I do?
I already used to have the following on my ASA firewall:
global (outside) 2 interface
nat (inside) 0 access-list NONAT
nat (inside) 2 192.168.1.103 255.255.255.255
nat (inside) 2 192.168.10.0 255.255.255.0
nat (inside) 2 192.168.20.0 255.255.255.0
nat (inside) 2 192.168.30.0 255.255.255.0
12-10-2008 04:25 PM
Hi,
How is your NONAT ACL configured? As per Jon's post, ports are not supported in a NAT 0 ACL.
For example:
ciscoasa(config)# access-list NONAT permit tcp 192.68.10.0 255.255.255.0 any
ciscoasa(config)# nat (inside) 0 access-list NONAT
ERROR: access-list has protocol or port
So, you could configure your NONAT ACL using IP.
ciscoasa(config)# access-list NONAT permit ip 192.68.10.0 255.255.255.0 any
ciscoasa(config)# nat (inside) 0 access-list NONAT
Regards,
Arul
*Pls rate if it helps*
12-11-2008 02:34 AM
Hello,
My NAT is configured as:
access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.5.0 255.255.255.0
access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.20.0 255.255.255.0
But I still get the same error?
12-11-2008 05:16 AM
The correct one is the following:
access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0
Also make sure VPNCLNT is a name assigned to a subnet, not a single host.
If you still get the same error, simply create a new ACL as follows:
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
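Added example, not part of the thread and not Cisco tooling: a small Python lint that applies the rule from the replies above (an ACL used with nat 0 must match on ip, with no ports) to a saved configuration before it is pasted into the firewall. The sample configuration, the ACL name OUTSIDE_IN and the function name are constructed for illustration.

```python
import re

# Port operators that can appear in an extended ACE (eq, gt, lt, neq, range).
PORT_OPS = {"eq", "gt", "lt", "neq", "range"}

# "nat (inside) 0 access-list NAME" -> interface, ACL name
NAT0_RE = re.compile(r"^nat \(\s*(\S+?)\s*\) 0 access-list (\S+)")
# "access-list NAME [extended] permit|deny PROTO rest..."
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+)(.*)$")


def lint_nat0_acls(config):
    """Return (acl, line, reasons) for each entry of an ACL referenced by a
    nat 0 statement that matches on a protocol other than ip or on a port."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    nat0_acls = {m.group(2) for l in lines if (m := NAT0_RE.match(l))}
    findings = []
    for line in lines:
        ace = ACE_RE.match(line)
        if not ace or ace.group(1) not in nat0_acls:
            continue  # not an ACE, or the ACL is not used for NAT exemption
        acl, _action, proto, rest = ace.groups()
        reasons = []
        if proto != "ip":
            reasons.append(f"protocol '{proto}' instead of 'ip'")
        ops = sorted(PORT_OPS & set(rest.split()))
        if ops:
            reasons.append("port operator: " + ", ".join(ops))
        if reasons:
            findings.append((acl, line, reasons))
    return findings


# Constructed sample configuration (not taken from the thread).
SAMPLE = """
access-list NONAT extended permit tcp 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0 eq 3389
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.103 eq 443
nat (inside) 0 access-list NONAT
"""

if __name__ == "__main__":
    for acl, line, reasons in lint_nat0_acls(SAMPLE):
        print(f"{acl}: {line}\n    -> {'; '.join(reasons)}")
```

Only the first NONAT entry is reported; OUTSIDE_IN uses a port but is not referenced by a nat 0 statement, so it is left alone.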