
New Member

access-list protocol or port will not be used

Every time I use the following statement:

nat (inside) 0 access-list inside_acl

I get the following warning

access-list protocol or port will not be used

and nothing works. If I substitute the nat 0 command with a one-to-one static command, i.e.

static (inside,dmz) bla bla, it works.

Can anyone explain why the nat 0 will not use the access-list?

Thanks

6 REPLIES
Hall of Fame Super Blue

Re: access-list protocol or port will not be used

Hi

It's because your access-list has tcp/udp ports in it. So if you did

access-list inside_acl permit ip 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0

then it would be fine but if you do

access-list inside_acl permit tcp 172.16.5.0 255.255.255.0 10.5.1.0 255.255.255.0 eq 23

then it will complain. It will use the access-list, but not at the port level.

HTH

Jon

New Member

Re: access-list protocol or port will not be used

Hi Jon

I'm not sure I understand why placing a port number on the end of an access-list would stop it from working.

Kind Regards

Mike

Hall of Fame Super Blue

Re: access-list protocol or port will not be used

Hi Mike

I'll do a bit of reading. What I can tell you is that any nat statement tied to an access-list can use port numbers in the access-list, unless it is a nat 0 statement. This is a NAT exemption, and you can't use port numbers in this.

Jon

New Member

Re: access-list protocol or port will not be used

Hi Jon

OK, I'll see what I can dig up as well.

Mike

New Member

Re: access-list protocol or port will not be used

Hi Jon

I think you may be right; there is a NAT exemption on nat 0 access-lists.

That leaves me a problem: I may have 600 devices coming through the PIX, originating from the inside and going to a destination server on a DMZ.

I don't really want to put in 600 static one-to-one commands, i.e.

static (inside, dmz) 10.10.10.1 10.10.10.1

Any suggestions?

Hall of Fame Super Blue

Re: access-list protocol or port will not be used

Hi Mike

Do you really need port numbers in your nat exemption list? That would be the easiest way.

Remember that this is purely for NAT, so you use

access-list nonat permit ip 10.10.10.0 255.255.255.0 host DMZHostname

nat (inside) 0 access-list nonat

If you then want to restrict access from inside, you could use tcp/udp ports on the access-list on your inside interface.

Alternatively, you can use networks in static statements, e.g.

static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

HTH

Jon
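Putting Jon's two suggestions together as a complete configuration, as an added example that is not from the original thread. It assumes the PIX 6.x syntax used above, the interface names inside and dmz, an inside subnet of 10.10.10.0/24 and a DMZ server at 192.168.20.5; the access-list names nonat and inside_in are placeholders too. The security point to notice: a nat 0 access-list is matched on source and destination addresses only, so a port-qualified entry in it exempts all traffic between the matched addresses from NAT while printing the "protocol or port will not be used" warning. Any restriction to port 23 has to be expressed on the interface access-list, where protocol and port are honoured.

```cisco
! Added example, not from the original post. Addresses 10.10.10.0/24
! (inside clients), 192.168.20.0/24 (DMZ) and 192.168.20.5 (DMZ server)
! are assumed; interface names follow the thread.

! 1. NAT exemption: match on IP only. A "permit tcp ... eq 23" here would
!    still exempt ALL traffic between these addresses and only add the
!    warning, so keep ports out of this list.
access-list nonat permit ip 10.10.10.0 255.255.255.0 host 192.168.20.5
nat (inside) 0 access-list nonat

! 2. Enforce the port restriction on the inside interface ACL, where
!    ports are honoured: telnet to the DMZ server only, nothing else
!    into the DMZ, and the inside hosts' other traffic still permitted.
access-list inside_in permit tcp 10.10.10.0 255.255.255.0 host 192.168.20.5 eq 23
access-list inside_in deny ip any 192.168.20.0 255.255.255.0
access-list inside_in permit ip 10.10.10.0 255.255.255.0 any
access-group inside_in in interface inside

! 3. Alternative to step 1 (use one or the other for the same addresses,
!    not both): identity-translate the whole /24 with a single static
!    instead of 600 one-to-one entries.
static (inside,dmz) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
```

Because an access-group applied to inside filters everything leaving that interface, the inside_in list must also carry whatever the inside hosts legitimately need elsewhere (the trailing permit does that here); without it the implicit deny drops that traffic. This applies to PIX and ASA releases that use the nat/static commands shown in the thread; ASA 8.3 and later replaced this NAT syntax.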
