Error while issuing the command in ASA 5510

Anand Narayana
Level 6

Hi,

I get the following error message with the working ASA, and I also tried it on a newly bought ASA.

I tried issuing "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. Then I added "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp"; this command is also accepted, but when I restart the ASA after this, I get an error message "ERROR: access-list has protocol or port". After getting this error message I could not find "nat (inside) 0 access-list cbaynonat" in the configuration. Then I removed "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" and added "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. I found that only after issuing "access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" do I get the error message. It is not only with port 21; any port I add gives that error message. But when I tried issuing "access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0" and then restarting the ASA, there is no error message, and I can see "nat (inside) 0 access-list cbaynonat" in the configuration.

Help me out with what the problem is. I tried upgrading to version 7.2 also, and I get the same error message.

For better understanding, see below.

--------------------------------------

Step 1
------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: Access-list "cbaynonat" does not exist
ciscoasa(config)#

Step 2
------
ciscoasa(config)# access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: access-list has protocol or port
ciscoasa(config)# show run nat
cbayasaapt(config)# sh run nat
nat (inside) 1 172.19.1.0 255.255.255.0

Step 3
------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ciscoasa(config)# access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)# reload
ERROR: access-list has protocol or port    <-- this message appears at the time of reboot.
cbayasaapt(config)# sh run nat
access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp

Step 4
------
ciscoasa(config)# no access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ciscoasa(config)# sh run nat
nat (inside) 0 access-list cbaynonat

Step 5
------
ciscoasa(config)# access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ciscoasa(config)# show run nat
cbayasaapt(config)# sh run nat
nat (inside) 0 access-list cbaynonat
nat (inside) 1 172.19.1.0 255.255.255.0
ciscoasa(config)# reload

after reload

ciscoasa(config)# show run nat
nat (inside) 0 access-list cbaynonat
access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0

1 Reply

joshua.walton
Level 1

Step 5 is the correct way.

You first must configure the ACL which you will define in the NAT Exemption (nat (inside) 0 access-list cbaynonat). Keep in mind that only the ip protocol is allowed in the ACL. NAT Exemption is evaluated based on source and destination addresses, not on IP protocols or port numbers.

The "nat (inside) 1 172.19.1.0 255.255.255.0" needs a Global syntax as they are mutually inclusive.

Example:

nat (inside) 1 172.19.1.0 255.255.255.0
global (outside) 1 10.10.10.10

This causes the inside hosts to be translated to the address defined in global ID 1, 10.10.10.10. This is also known as PAT as you are only using 1 outside address. If you had multiple outside addresses, for example 5, then you could do Dynamic NAT:

global (outside) 1 10.10.10.1-10.10.10.9 netmask 255.255.255.0

This would only allow the first 9 outbound connections to be translated, and any other outbound attempts would be dropped. To solve this, you can come right behind the above Dynamic NAT statement and add the PAT statement, global (outside) 1 10.10.10.10. With this configuration, the first 9 outbound connections will use the Dynamic NAT pool 10.10.10.1-10.10.10.9 and the following connections will PAT to the 10.10.10.10 address.

I hope this answered your problem, and then some.

Cheers
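The two rules in this thread (a NAT-exemption ACL may only use the ip protocol, and every non-zero nat ID needs a matching global) are easy to check in a saved config before a reload silently drops the nat 0 line. The lint below is an added example, not code from the thread or from Cisco; the config text and the regexes are constructed assumptions covering only the pre-8.3 `nat (iface) id` / `global` syntax shown above.

```python
import re

# Constructed sample config (not from the post): one NAT-exempt ACL that
# breaks the rule (tcp / eq ftp) and one that follows it (ip only), plus
# dynamic NAT ids 1 and 2 where only id 1 has a matching global.
SAMPLE_CONFIG = """\
access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
access-list exemptok extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list cbaynonat
nat (dmz) 0 access-list exemptok
nat (inside) 1 172.19.1.0 255.255.255.0
nat (inside) 2 172.19.2.0 255.255.255.0
global (outside) 1 10.10.10.10
"""

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) ")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")

def lint_nat_config(config: str) -> list:
    """Return human-readable findings for an ASA 7.x style NAT config."""
    acl_protocols = {}   # ACL name -> set of protocols used by its ACEs
    nat0_acls = []       # (interface, ACL name) for each NAT-exemption rule
    nat_ids = set()      # non-zero nat ids (dynamic NAT / PAT)
    global_ids = set()   # ids that have a global pool or PAT address
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acl_protocols.setdefault(m.group(1), set()).add(m.group(3))
        elif m := NAT0_RE.match(line):          # checked before NAT_RE on purpose
            nat0_acls.append((m.group(1), m.group(2)))
        elif m := NAT_RE.match(line):
            nat_ids.add(m.group(2))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
    findings = []
    for iface, acl in nat0_acls:
        protos = acl_protocols.get(acl)
        if protos is None:                      # Step 1 in the thread
            findings.append(f"nat ({iface}) 0 references missing access-list {acl}")
        elif protos - {"ip"}:                   # Steps 2/3: dropped at reload
            findings.append(f"access-list {acl} used by nat ({iface}) 0 has "
                            f"protocol/port entries: {sorted(protos - {'ip'})}")
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nat_id} has no matching global statement")
    return findings
```

Run it over `show run` output (or a saved startup-config) before reloading; an empty list means both rules hold for every nat 0 and nat id in the file.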
