Cisco Support Community
New Member

ACL NAT ICMP Confusion

Riddle me this.....

Given an ACL that has the following line in it:

access-list TEST-NONAT extended permit icmp host EDISRV host X.X.X.X

When I attempt the following I get this error message:

ASA(config)# nat (INSIDE) 0 access-list TEST-NONAT

ERROR: access-list has protocol or port

ASA(config)#

At which point I scratch my head and say "well, of course the ACL has a protocol and port".

If I remove the ACL line I posted above the nat statement is accepted just fine.

I do not understand why.

5 REPLIES
Hall of Fame Super Blue

Re: ACL NAT ICMP Confusion

Hi

You cannot use a port in an access-list that is there for NAT exemption.

You can use ports in access-lists for policy NAT.

HTH

Jon
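Jon's point in configuration form, as an added example that is not from any post in this thread: the NAT exemption ACL matches on addresses only (`permit ip`), and a protocol-qualified ACE such as the ICMP line from the question goes into a separate policy NAT entry. The names `TEST-NONAT`, `INSIDE`, `EDISRV` and `X.X.X.X` come from the question; `TEST-POLICY`, the interface `OUTSIDE` and NAT ID 1 are assumed, and the syntax is the pre-8.3 `nat`/`global` form used in the thread.

```text
! NAT exemption: the ACL may identify traffic by address only, so the ACE is
! "permit ip"; an "icmp" or port-qualified ACE here is rejected with
! "ERROR: access-list has protocol or port"
access-list TEST-NONAT extended permit ip host EDISRV host X.X.X.X
nat (INSIDE) 0 access-list TEST-NONAT

! Policy NAT: protocol/port-qualified ACLs are accepted, so an ICMP-only match
! is expressed as a policy NAT entry instead (NAT ID 1 and the global are assumed)
access-list TEST-POLICY extended permit icmp host EDISRV host X.X.X.X
nat (INSIDE) 1 access-list TEST-POLICY
global (OUTSIDE) 1 interface
```

Check the result with `show running-config nat` and `show running-config access-list`. One caveat when converting the original ICMP ACE to `permit ip`: the exemption now covers every protocol between the two hosts, not just ping, so the exempted pair should be scoped as tightly as the `host` keywords allow.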

New Member

Re: ACL NAT ICMP Confusion

Yeah, but ICMP is a protocol, not a port....

Gold

Re: ACL NAT ICMP Confusion

And the error says "protocol or port".

New Member

Re: ACL NAT ICMP Confusion

Come on srue, that is not helpful at all.

Why, when exempting ping, is it denied? I can understand the port, but not ICMP. Can anyone explain that to me?

Gold

Re: ACL NAT ICMP Confusion

You probably need to ask Cisco about the reasoning behind this logic. Maybe they saw no need to allow users to be able to use NAT exemption based on ports/protocols.
