access-list no-nat1 permit esp - and nat (dmz3) 0 -

Unanswered Question
Jul 3rd, 2010

Dear Friends,


I am having a peculiar problem here. I have an ASA 5520 with a VPN Plus license. Whenever I give a command like

# nat (inside) 0 access-list no-nat

# nat (dmz3) 0 access-list no-nat1


and then

access-list no-nat1 permit esp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224


it says



ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

nat (dmz3) 0 access-list no-nat1

The same configuration was already running on my old PIX 525 but is not on the ASA.

Please help.

Regards,

Rajiv.

terrygwazdosky Sat, 07/03/2010 - 08:22

On the PIX prior to version 7, you could specify ports and protocols in no-nat ACLs, though it showed a warning message. You'll need to use this syntax:

access-list no-nat1 permit ip 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224

You could always restrict non-ESP traffic with an interface ACL if needed.

Please rate posts if you find them helpful. 
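The fix described in the reply above, written out as a complete configuration fragment. This is an added example, not configuration posted in the thread: the identity-NAT ACL is reduced to a plain `permit ip` entry (the only form the `nat (ifc) 0 access-list` command accepts on ASA 7.0 through 8.2; the 8.3 release replaced this NAT syntax entirely), and the protocol restriction moves to an inbound interface ACL on dmz3. The ACL name `dmz3_in` and the UDP 500 (IKE) entry are assumptions made for the example; the thread only mentions ESP.

```cisco
! Identity NAT on ASA 7.x-8.2: the nat 0 ACL may only contain "permit ip" ACEs.
! Any protocol other than ip, any port operator, or any deny entry makes the ASA
! reject the nat statement with "ERROR: ACE contains port, protocol, or deny".
access-list no-nat1 extended permit ip 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224
nat (dmz3) 0 access-list no-nat1
!
! Enforce "ESP only" on the interface instead. ACL name dmz3_in is hypothetical;
! the UDP 500 entry is an assumption (needed only if IKE also crosses this path).
access-list dmz3_in extended permit esp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224
access-list dmz3_in extended permit udp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224 eq 500
access-list dmz3_in extended deny ip any any log
access-group dmz3_in in interface dmz3
!
! Verify: the nat line must survive and the ACL must show the ip ACE.
show running-config nat
show access-list no-nat1
```

Two caveats when applying this: `access-group dmz3_in in interface dmz3` replaces any inbound ACL already bound to dmz3, so merge these entries into the existing ACL if there is one rather than binding a new one; and the explicit `deny ip any any log` at the end is what actually blocks the non-ESP traffic, since identity NAT alone never filters anything.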

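The rule the ASA is enforcing (every ACE referenced by `nat (ifc) 0 access-list NAME` must be `permit ip` with no port operator) is easy to check before a config push, so the error is caught in review rather than on the box, where it silently drops the nat statement. The following is an added example, not code from the thread: a small pre-flight linter for the pre-8.3 NAT syntax. The configuration text it scans is constructed for the example and reproduces the poster's two ACLs; it does not handle `standard` ACLs, object-groups or `remark` lines, which the thread does not use.

```python
"""Pre-flight check for ASA (7.x-8.2 syntax) identity-NAT ACLs.

Flags every ACE on an ACL referenced by `nat (ifc) 0 access-list NAME`
that the ASA would reject: a deny entry, a protocol other than ip, or a
port operator (eq/neq/lt/gt/range).
"""
import re
from typing import Dict, List, Optional, Tuple

PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}

# access-list NAME [extended] permit|deny PROTO <src/dst/ports...>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
# nat (IFC) 0 access-list NAME
NAT0_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+0\s+access-list\s+(\S+)\s*$")

# Constructed sample: the poster's no-nat1 ACL with the rejected esp ACE plus
# the corrected ip ACE, a clean inside ACL, and an interface ACL that is not
# referenced by nat 0 and therefore may contain esp.
SAMPLE_CONFIG = """
access-list no-nat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list no-nat1 permit esp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224
access-list no-nat1 permit ip 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224
access-list dmz3_in extended permit esp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224
nat (inside) 0 access-list no-nat
nat (dmz3) 0 access-list no-nat1
"""


def parse_config(text: str) -> Tuple[Dict[str, List[dict]], List[Tuple[str, str]]]:
    """Collect ACEs per ACL name and every (interface, acl) pair used by nat 0."""
    acls: Dict[str, List[dict]] = {}
    nat0: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, proto, rest = m.groups()
            acls.setdefault(name, []).append(
                {"line": line, "action": action, "proto": proto.lower(), "tokens": rest.split()}
            )
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append((m.group(1), m.group(2)))
    return acls, nat0


def ace_problem(ace: dict) -> Optional[str]:
    """Return why the ASA would reject this ACE in a nat 0 ACL, or None if it is fine."""
    if ace["action"] == "deny":
        return "deny"
    if ace["proto"] != "ip":
        return "protocol %s" % ace["proto"]
    if any(tok.lower() in PORT_OPERATORS for tok in ace["tokens"]):
        return "port operator"
    return None


def check_nat0_acls(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (interface, acl, reason, offending line) for every ACE the ASA would reject."""
    acls, nat0 = parse_config(text)
    findings = []
    for ifc, name in nat0:
        for ace in acls.get(name, []):
            problem = ace_problem(ace)
            if problem:
                findings.append((ifc, name, problem, ace["line"]))
    return findings


if __name__ == "__main__":
    for ifc, name, reason, line in check_nat0_acls(SAMPLE_CONFIG):
        print("nat (%s) 0 would be removed: %s in ACL %s: %s" % (ifc, name and reason, name, line))
```

Run against the sample, it reports only the `permit esp` ACE on no-nat1 under `nat (dmz3) 0`; the esp entry on dmz3_in is left alone because that ACL is not bound to an identity-NAT statement, which is exactly the split the reply recommends.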