05-07-2007 10:24 AM - edited 03-05-2019 03:55 PM
Hi,
I get the following error message with my working ASA, and I also tried it on a newly bought ASA.
I tried issuing "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. Then I added "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp"; this command is also accepted, but when I restart the ASA after this, I get the error message "ERROR: access-list has protocol or port". After getting this error message, I could not find "nat (inside) 0 access-list cbaynonat" in the configuration.
Then I removed "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" and added "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. I found that only after issuing "access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" do I get the error message. It is not only with port 21; whatever port I add, I get that error message.
But when I tried issuing "access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0" and then restarting the ASA, there is no error message, and I could see "nat (inside) 0 access-list cbaynonat" in the configuration.
Please help me out with what the problem is. I tried upgrading to version 7.2 as well, and I get the same error message.
For better understanding, see the steps below.
--------------------------------------
Step:-1
-------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: Access-list "cbaynonat" does not exist
ciscoasa(config)#
Step:-2
-------
ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: access-list has protocol or port
ciscoasa(config)#show run nat
cbayasaapt(config)# sh run nat
nat (inside) 1 172.19.1.0 255.255.255.0
Step:-3
-------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)#reload
ERROR: access-list has protocol or port -------------------- this message appears at the time of reboot.
cbayasaapt(config)# sh run nat
access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
Step:-4
-------
ciscoasa(config)#no access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)#nat (inside) 0 access-list cbaynonat
ciscoasa(config)#sh run nat
nat (inside) 0 access-list cbaynonat
Step:-5
-------
ciscoasa(config)#access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list cbaynonat
ciscoasa(config)#show run nat
cbayasaapt(config)# sh run nat
nat (inside) 0 access-list cbaynonat
nat (inside) 1 172.19.1.0 255.255.255.0
ciscoasa(config)#reload
after reload
ciscoasa(config)#show run nat
nat (inside) 0 access-list cbaynonat
access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
05-12-2007 04:42 AM
Step 5 is the correct way.
You must first configure the ACL that you will reference in the NAT exemption (nat (inside) 0 access-list cbaynonat). Keep in mind that only the ip protocol is allowed in that ACL: NAT exemption is evaluated on source and destination addresses, not on IP protocols or port numbers.
The "nat (inside) 1 172.19.1.0 255.255.255.0" statement needs a matching global statement, as they are mutually inclusive.
Example:
nat (inside) 1 172.19.1.0 255.255.255.0
global (outside) 1 10.10.10.10
This causes the inside hosts to be translated to the address defined in global ID 1, 10.10.10.10. This is also known as PAT, as you are only using one outside address. If you had multiple outside addresses, for example five, then you could do dynamic NAT:
global (outside) 1 10.10.10.1-10.10.10.9 netmask 255.255.255.0
This would only allow the first 9 outbound connections to be translated, and any other outbound attempts would be dropped. To solve this, you can come right behind the above dynamic NAT statement and add the PAT statement "global (outside) 1 10.10.10.10". With this configuration, the first 9 outbound connections will use the dynamic NAT pool 10.10.10.1-10.10.10.9 and the following connections will PAT to the 10.10.10.10 address.
I hope this answered your problem, and then some.
Cheers
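An added example, not part of the original thread and not Cisco's code: a small Python check that catches the problem described above before a reload. It pulls the pre-8.3 `nat (interface) 0 access-list NAME` references and the ACEs of the referenced ACLs out of a saved running-config and flags any ACE whose protocol is not ip or that carries a port operator, which is what the ASA rejects with "ERROR: access-list has protocol or port" and then quietly drops from the configuration on reload. The sample config, the ACL names `exempt_ok` and `outside_in`, and the `Finding` structure are constructed for the example; it covers the host/any/network-mask address forms used in this thread, not object-groups.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config (not from the thread's device), modelled on
# the lines posted above: the first ACL is the form the ASA rejects for NAT
# exemption (tcp + eq ftp), the second is the form that survives a reload.
SAMPLE_CONFIG = """\
access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp
access-list exempt_ok extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
access-list outside_in extended permit tcp any host 10.10.10.10 eq 443
nat (inside) 0 access-list cbaynonat
nat (inside) 0 access-list exempt_ok
nat (inside) 1 172.19.1.0 255.255.255.0
global (outside) 1 10.10.10.10
"""

# access-list NAME extended permit|deny PROTO <addresses and optional ports>
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
# nat (IFACE) 0 access-list NAME   (pre-8.3 NAT exemption syntax)
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")
# Port operators that can follow a source or destination address in an ACE.
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}


@dataclass
class Finding:
    interface: str   # interface named in the nat 0 statement
    acl: str         # ACL the nat 0 statement references
    ace: str         # offending ACE (empty if the ACL is missing)
    reason: str


def parse_config(text):
    """Split a running-config into extended ACEs (by ACL name) and nat 0 references."""
    aces = {}
    nat0_refs = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            name, _action, proto, rest = m.groups()
            aces.setdefault(name, []).append((proto.lower(), rest.split(), line))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0_refs.append((m.group(1), m.group(2)))
    return aces, nat0_refs


def check_nat_exemption(text):
    """Return one Finding per ACE (or missing ACL) that NAT exemption cannot use.

    NAT exemption matches on source and destination address only, so the ASA
    refuses an ACL whose ACEs name a protocol other than ip or carry a port
    operator. Tokens are matched literally, so an object named 'eq' would be a
    false positive; the address forms covered are host/any/network mask.
    """
    aces, nat0_refs = parse_config(text)
    findings = []
    for iface, acl in nat0_refs:
        if acl not in aces:
            findings.append(Finding(iface, acl, "", "access-list does not exist"))
            continue
        for proto, tokens, line in aces[acl]:
            reasons = []
            if proto != "ip":
                reasons.append(f"protocol {proto} is not ip")
            ports = [t for t in tokens if t in PORT_OPERATORS]
            if ports:
                reasons.append("port operator " + "/".join(ports))
            if reasons:
                findings.append(Finding(iface, acl, line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in check_nat_exemption(SAMPLE_CONFIG):
        print(f"nat ({f.interface}) 0 access-list {f.acl}: {f.reason}")
        if f.ace:
            print(f"    {f.ace}")
```

Run it against a `show running-config` capture before `write memory` and `reload`; on the sample it reports only the cbaynonat ACE (tcp plus eq), while exempt_ok passes and outside_in is ignored because no nat 0 statement references it.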