Cisco Support Community
Community Member

NAT Error

Hello,

I want to add "nat (inside) 0 access-list NONAT"

but I get an error:

"Access-list has protocol or port"

I have checked; there is no existing entry with "nat (inside) 0 access-list".

5 REPLIES
Hall of Fame Super Blue

Re: NAT Error

You can't use port numbers in a nat exemption access-list.

Jon

Community Member

Re: NAT Error

So if I want to do a NAT 0 with an ACL NONAT, what should I do?

I already used to have the following on my ASA firewall:

global (outside) 2 interface

nat (inside) 0 access-list NONAT

nat (inside) 2 192.168.1.103 255.255.255.255

nat (inside) 2 192.168.10.0 255.255.255.0

nat (inside) 2 192.168.20.0 255.255.255.0

nat (inside) 2 192.168.30.0 255.255.255.0

Cisco Employee

Re: NAT Error

Hi,

How is your NONAT ACL configured? As per Jon's post, ports are not supported in a NAT 0 ACL.

For example:

ciscoasa(config)# access-list NONAT permit tcp 192.168.10.0 255.255.255.0 any

ciscoasa(config)# nat (inside) 0 access-list NONAT

ERROR: access-list has protocol or port

So, you could configure your NONAT ACL using IP.

ciscoasa(config)# access-list NONAT permit ip 192.168.10.0 255.255.255.0 any

ciscoasa(config)# nat (inside) 0 access-list NONAT

Regards,

Arul

*Please rate if it helps*

Community Member

Re: NAT Error

Hello,

My NAT is configured as:

access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.5.0 255.255.255.0

access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.10.0 255.255.255.0

access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.20.0 255.255.255.0

But I still get the same error?

Re: NAT Error

The correct one is the following:

access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0

Also make sure VPNCLNT is a name assigned to a subnet, not a single host.

If you still get the same error, simply create a new ACL as follows:

access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
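The three checks the replies above walk through by hand (no protocol other than ip and no port operators in a NAT 0 ACL, the local subnets on the source side, and a `name` that really is a subnet rather than a host) can be run as a pre-flight script against a saved configuration before the `nat (inside) 0 access-list` line is applied. A NAT exemption on this pre-8.3 ASA syntax is protocol-agnostic, so an over-broad or wrongly ordered exemption silently bypasses PAT for more traffic than intended; it is worth catching on the way in. The script below is an added example written for this thread, not Cisco code. The `name` statements, the 10.10.10.0/24 address behind VPNCLNT, the VPNHOST alias and the list of inside subnets are all constructed for the demonstration.

```python
"""Pre-flight check for ASA (pre-8.3 syntax) NAT exemption ACLs.

Reports ACEs that `nat (inside) 0 access-list NAME` would reject with
"access-list has protocol or port", ACEs whose source is not an inside
network (exemption pointed the wrong way), and `name` aliases that are
hosts but are used with a subnet mask.
"""
import ipaddress
import re

PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}

ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<name>\S+)\s+(?:extended\s+)?"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)\s*$"
)
NAME_RE = re.compile(r"^\s*name\s+(?P<ip>\S+)\s+(?P<alias>\S+)")

# Constructed sample config, not the thread's real device. 10.10.10.0/24 behind
# VPNCLNT and the VPNHOST alias are assumptions for the demonstration.
SAMPLE_CONFIG = """\
name 10.10.10.0 VPNCLNT
name 172.16.0.7 VPNHOST
access-list NONAT extended permit tcp 192.168.10.0 255.255.255.0 any eq 443
access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.5.0 255.255.255.0
access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 VPNHOST 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
""".splitlines()

# Assumed inside subnets (taken from the nat (inside) 2 lines plus 192.168.5.0/24).
INSIDE_NETS = ["192.168.5.0/24", "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]


def load_names(config_lines):
    """Collect `name <ip> <alias>` statements so aliases inside ACEs resolve."""
    names = {}
    for line in config_lines:
        m = NAME_RE.match(line)
        if m:
            names[m.group("alias")] = m.group("ip")
    return names


def _endpoint(tokens, names):
    """Consume one ACE endpoint (any | host A | A MASK). Returns (network, rest, note)."""
    if not tokens:
        raise ValueError("truncated ACE")
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:], None
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("host keyword without an address")
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:], None
    if len(tokens) < 2:
        raise ValueError("address without a mask")
    addr = names.get(tokens[0], tokens[0])
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        raise ValueError(f"'{tokens[0]}' is neither an address nor a defined name")
    mask = tokens[1]
    try:
        return ipaddress.ip_network(f"{addr}/{mask}"), tokens[2:], None
    except ValueError:
        # Host bits set: the address (typically a `name`) is a host, not a subnet base.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return net, tokens[2:], f"{tokens[0]} {mask} has host bits set; {tokens[0]} is a host, not a subnet"


def check_nat0_acl(config_lines, acl_name, inside_nets):
    """Return [(ace_text, problem)] for every ACE of acl_name that a NAT 0
    exemption would reject or that is pointed the wrong way."""
    names = load_names(config_lines)
    inside = [ipaddress.ip_network(n) for n in inside_nets]
    findings = []
    for line in config_lines:
        m = ACE_RE.match(line)
        if not m or m.group("name") != acl_name:
            continue
        problems = []
        if m.group("proto") != "ip":
            problems.append(f"protocol '{m.group('proto')}' (only 'ip' is allowed in a NAT 0 ACL)")
        tokens = m.group("rest").split()
        try:
            src, tokens, note = _endpoint(tokens, names)
            if note:
                problems.append(note)
            if tokens and tokens[0] in PORT_OPERATORS:
                problems.append(f"source port operator '{' '.join(tokens[:2])}'")
                tokens = tokens[3:] if tokens[0] == "range" else tokens[2:]
            dst, tokens, note = _endpoint(tokens, names)
            if note:
                problems.append(note)
            if tokens and tokens[0] in PORT_OPERATORS:
                problems.append(f"destination port operator '{' '.join(tokens[:2])}'")
            if not any(src.subnet_of(n) for n in inside):
                problems.append(f"source {src} is not an inside network (local side must be the source)")
        except ValueError as exc:
            problems.append(f"unparseable ACE: {exc}")
        findings.extend((line.strip(), p) for p in problems)
    return findings


if __name__ == "__main__":
    for acl in ("NONAT", "inside_nat0_outbound"):
        found = check_nat0_acl(SAMPLE_CONFIG, acl, INSIDE_NETS)
        print(f"{acl}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for ace, problem in found:
            print(f"  {ace}\n    -> {problem}")
```

Run it against a `show running-config` capture (split into lines) with the inside subnets the `nat (inside) N` statements cover; an empty result for the ACL you are about to bind is the green light. Port operators are detected by keyword, so a `range` entry consumes its two port arguments before the destination is parsed.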
