
access-list no-nat1 permit esp - and nat (dmz3) 0 -

Dear Friends,


I am having a peculiar problem here. I have an ASA 5520 with a VPN Plus license. Whenever I give a command like

# nat (inside) 0 access-list no-nat

# nat (dmz3) 0 access-list no-nat1


and then

access-list no-nat1 permit esp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224


it says


ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

nat (dmz3) 0 access-list no-nat1

The same configuration was already running in my old pix 525 but is not in the ASA.

Please help.

Regards,

Rajiv.


terrygwazdosky
Level 1

On the PIX prior to version 7 you could specify ports and protocols in no-nat ACLs, though it showed a warning message. You'll need to use this syntax:

access-list no-nat1 permit ip 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224

You could always restrict non-esp traffic with an interface ACL if needed.

Please rate posts if you find them helpful. 
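Putting the answer together as an added example (not part of the original thread): the NAT exemption ACL keeps only a plain `permit ip` entry, and the protocol restriction moves to an interface ACL applied on dmz3. The addresses are those from the question; the ACL name dmz3_in and the ISAKMP line are assumptions.

```cisco
! NAT exemption (nat 0): the ACE may only be "permit ip" with no ports,
! otherwise the ASA rejects it with "ACE contains port, protocol, or deny".
access-list no-nat1 extended permit ip 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224
nat (dmz3) 0 access-list no-nat1
!
! The interface ACL does the protocol filtering instead (name dmz3_in is assumed).
! Only ESP between the two subnets is allowed; the implicit deny at the end
! of the ACL drops everything else arriving inbound on dmz3.
access-list dmz3_in extended permit esp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224
! Assumption: IKE negotiation also crosses this interface, so ISAKMP (UDP/500) is allowed too.
access-list dmz3_in extended permit udp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224 eq isakmp
access-group dmz3_in in interface dmz3
```

After applying, `show access-list dmz3_in` shows per-ACE hit counts, which confirms ESP is matching the permit line rather than falling through to the implicit deny.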
