
access-list no-nat1 permit esp - and nat (dmz3) 0 -

Dear Friends,


I am having a peculiar problem here. I have an ASA 5520 with a VPN Plus license. Whenever I give a command like

# nat (inside) 0 access-list no-nat

#nat (dmz3) 0 access-list no-nat1


and then

access-list no-nat1 permit esp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224


it says


ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

nat (dmz3) 0 access-list no-nat1

The same configuration was already running on my old PIX 525 but is not on the ASA.

Please help.

Regards,

Rajiv.


Re: access-list no-nat1 permit esp - and nat (dmz3) 0 -

On the PIX prior to version 7 you could specify ports and protocols in no-nat ACLs, though it showed a warning message. You'll need to use this syntax:

access-list no-nat1 permit ip 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224

You could always restrict non-esp traffic with an interface ACL if needed.

Please rate posts if you find them helpful. 
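The reply above amounts to a rule: on ASA 7.x through 8.2 an ACE referenced by `nat (iface) 0 access-list` may only be `permit ip` with no port operator, and the ESP-only restriction belongs in an interface ACL. The following is an added example, not code from the original thread or from Cisco, that applies that rule as a pre-flight lint over a constructed config fragment before it is pushed to the firewall. The ACL names, interface and addresses are those from the post; the interface ACL name `dmz3_in` and the ISAKMP line are assumptions made for the example.

```python
import re

# Port operators that make an ACE unusable for nat exemption (nat 0).
PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}

# Constructed sample config: the no-nat ACL is rewritten as "permit ip"
# (what nat 0 accepts), and the ESP/ISAKMP-only restriction is moved to an
# interface ACL applied on dmz3. "dmz3_in" is an assumed name.
SAMPLE_CONFIG = """
access-list no-nat1 permit ip 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224
nat (dmz3) 0 access-list no-nat1
access-list dmz3_in remark only IPsec between the DMZ hosts and the peer range
access-list dmz3_in permit esp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224
access-list dmz3_in permit udp 172.24.67.16 255.255.255.248 193.113.32.32 255.255.255.224 eq 500
access-list dmz3_in deny ip any any
access-group dmz3_in in interface dmz3
"""

# The ACE from the original post that the ASA rejected, kept for comparison.
REJECTED_ACE = ("access-list no-nat1 permit esp 172.24.67.16 255.255.255.248 "
                "193.113.32.32 255.255.255.224")


def parse_config(text):
    """Collect ACL entries by name and every 'nat (iface) 0 access-list X' line."""
    acls = {}
    nat_exempt = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if tokens[0] == "access-list" and len(tokens) >= 3:
            acls.setdefault(tokens[1], []).append(line)
        elif tokens[0] == "nat":
            m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
            if m:
                nat_exempt.append((m.group(1), m.group(2)))
    return acls, nat_exempt


def ace_problems(ace_line):
    """Return the reasons nat 0 would reject this ACE (empty list if it is fine).

    Mirrors the ASA message 'ACE contains port, protocol, or deny': anything
    other than a plain 'permit ip' with no port operator is flagged.
    """
    tokens = ace_line.split()
    idx = 2                                   # access-list <name> [extended] ...
    if idx < len(tokens) and tokens[idx] == "extended":
        idx += 1
    if idx >= len(tokens) or tokens[idx] == "remark":
        return []                             # remarks are not ACEs
    action = tokens[idx]
    protocol = tokens[idx + 1] if idx + 1 < len(tokens) else ""
    problems = []
    if action == "deny":
        problems.append("deny")
    if protocol != "ip":
        problems.append("protocol %s" % protocol)
    if any(t in PORT_OPERATORS for t in tokens[idx + 2:]):
        problems.append("port")
    return problems


def check_nat_exemptions(text):
    """Map each (iface, acl) used for nat 0 to the ACEs the ASA would reject."""
    acls, nat_exempt = parse_config(text)
    findings = {}
    for iface, acl_name in nat_exempt:
        findings[(iface, acl_name)] = [
            (ace, ace_problems(ace)) for ace in acls.get(acl_name, [])
            if ace_problems(ace)
        ]
    return findings


if __name__ == "__main__":
    print("rejected ACE from the post:", ace_problems(REJECTED_ACE))
    for key, bad in check_nat_exemptions(SAMPLE_CONFIG).items():
        print(key, "OK" if not bad else bad)
```

Only ACLs named on a `nat (...) 0 access-list` line are linted; interface ACLs such as `dmz3_in` are free to carry protocols, ports and deny entries, which is exactly why the ESP restriction is moved there. This applies to ASA 7.0 through 8.2; from 8.3 onward `nat 0 access-list` no longer exists and exemption is expressed as identity NAT in the object/twice NAT syntax.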
