Cisco Support Community
New Member

ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

Hi ,

ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

I get this error when I put a TCP ACE entry in the no-NAT ACL. My ASA is a 5580, 8.2.3,

and this removed the no-NAT entry from the firewall. Any ideas what could be the issue?

Regards,

Guneet Singh Gulati

5 REPLIES
Cisco Employee

Re: ERROR: ACE contains port, protocol, or deny. Removing NAT co

You can't configure protocol or port specific ACE for NAT 0 (NAT exemption) ACL as it is not supported.

You can only configure "IP" as the protocol.

Here is the command reference for your information:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858

Hope that answers your question.

New Member

Re: ERROR: ACE contains port, protocol, or deny. Removing NAT co

This is what I know, but I remember I have done similar configurations before and it only used to give warnings, not the error.

Is this something introduced in newer versions of ASA?

Regards,

Guneet Singh Gulati

Cisco Employee

Re: ERROR: ACE contains port, protocol, or deny. Removing NAT co

Sounds like it could potentially be a bug. It shouldn't remove the NAT statement but just give you an error message. You might want to open a TAC case to get it investigated further.

New Member

Re: ERROR: ACE contains port, protocol, or deny. Removing NAT co

Not a bug, as I face similar issues with V 7.2.4.

Cisco Employee

Re: ERROR: ACE contains port, protocol, or deny. Removing NAT co

After the fix of defect "CSCsv32093: NAT_PAT: ASA should give error for mismatched policy nat ACL" the ASA will throw errors. It was fixed in 7.2.5 and 8.0.5.

I believe it makes sense now.

PK
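
A pre-change check for the rule discussed in this thread, as an added example that is not part of the original posts and is not Cisco code: it scans a pre-8.3 ASA configuration for ACLs referenced by `nat (<if>) 0 access-list` and flags ACEs that are `deny`, use a protocol other than `ip`, or carry a port operator. The sample configuration, ACL names and addresses are constructed, and only extended ACL lines are parsed.

```python
import re

# Constructed sample config (pre-8.3 ASA syntax); names and addresses are made up.
SAMPLE_CONFIG = """\
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NONAT extended permit tcp 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0 eq 443
access-list NONAT extended deny ip host 10.1.1.5 10.2.2.0 255.255.255.0
access-list NONAT remark VPN exemptions
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# "nat (<interface>) 0 access-list <name>" is the NAT exemption statement.
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)", re.M)
# Captures ACL name, action, protocol and the rest of the ACE; remark lines do not match.
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+)(.*)$", re.M)
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}


def nat0_acls(config):
    """Return the set of ACL names referenced by NAT exemption statements."""
    return {m.group(2) for m in NAT0_RE.finditer(config)}


def check_nat_exemption(config):
    """Return (acl, line, reasons) for each ACE that breaks the NAT 0 ACL rule."""
    exempt = nat0_acls(config)
    findings = []
    for m in ACE_RE.finditer(config):
        acl, action, proto, rest = m.groups()
        if acl not in exempt:
            continue  # ordinary interface ACLs may use ports and deny
        reasons = []
        if action == "deny":
            reasons.append("deny")
        if proto != "ip":
            reasons.append("protocol")
        if PORT_OPS & set(rest.split()):
            reasons.append("port")
        if reasons:
            findings.append((acl, m.group(0), reasons))
    return findings


if __name__ == "__main__":
    for acl, line, reasons in check_nat_exemption(SAMPLE_CONFIG):
        print(f"{acl}: {', '.join(reasons)} -> {line}")
```

Running it against a candidate configuration before pasting it into the device catches the offending ACE ahead of time, which matters here because the thread reports that the ASA removes the NAT exemption statement when it raises this error.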
