Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
467
Views
0
Helpful
3
Replies

Warning when use Net 0 with access-list

samir_s
Level 1
Level 1

‎02-27-2004 01:33 PM - edited ‎02-20-2020 09:24 PM

I have PIX 515E with 4 ports. need inside users access both DMZ's, and any DMZ can access each other and also check there e-mail on inside. all need access to internet.

When using nat 0 joind with access-list, pix display "warning: access-list protocol or port will not used". can any one help

Attached my configuration:

Labels:
Preview file
3 KB
0 Helpful
3 Replies 3

d-g-c
Level 1
Level 1

‎02-28-2004 01:50 AM

I could not download your configuration to see how you are using nat 0 access-list, I will assume it's being used for NAT exemption. If your access-list is defining specific UDP/TCP ports then the warning will be displayed as the NAT exemption access list requires source and destination IP address only.

You cannot use a NAT id value of 0 with Policy nat.

I recommend reading the NAT command reference at <http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#1032129>

paj

0 Helpful

samir_s
Level 1
Level 1
In response to d-g-c

‎02-29-2004 12:36 AM

access-list no-nat permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

access-list no-nat permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

Hi paj,

This my access-list joind with nat 0, there is no port used or deny

if u need all configuration I will try to copy and past:-

PIX Version 6.2(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz-web security35

nameif ethernet3 dmz-rmt security75

access-list acl_1 permit tcp any host 1.1.1.1eq www

access-list acl_1 permit tcp any host 1.1.1.1eq https

access-list acl_1 permit tcp any host 1.1.1.1eq 8080

access-list acl_1 permit udp any host 1.1.1.1eq 8080

access-list acl_1 permit tcp any host 2.2.2.2eq smtp

access-list acl_1 permit tcp any host 2.2.2.2eq www

access-list acl_1 permit tcp any host 2.2.2.2eq https

access-list acl_1 permit tcp any host 2.2.2.2eq pop3

access-list acl_1 permit udp any host 2.2.2.2eq 143

access-list acl_1 permit tcp any host 2.2.2.2eq imap4

access-list acl_1 permit tcp 192.168.17.0 255.255.255.0 host 10.10.10.20 eq smtp

access-list acl_1 permit tcp 192.168.17.0 255.255.255.0 host 10.10.10.20 eq www

access-list acl_1 permit tcp 192.168.17.0 255.255.255.0 host 10.10.10.20 eq https

access-list acl_1 permit tcp 192.168.17.0 255.255.255.0 host 10.10.10.20 eq pop3

access-list acl_1 permit tcp 192.168.17.0 255.255.255.0 host 10.10.10.20 eq imap4

access-list acl_1 permit ip 192.168.17.0 255.255.255.0 20.20.20.0 255.255.255.0

access-list acl_1 permit tcp any host 2.2.2.2eq 8888

access-list acl_1 permit tcp any host 2.2.2.2eq 8890

access-list no-nat permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0

access-list no-nat permit ip 20.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list xxx permit ip any 20.20.20.0 255.255.255.0

access-list xxx permit ip 192.121.0.0 255.255.255.0 20.20.20.0 255.255.255.0

access-list xxx permit ip any 10.10.10.0 255.255.255.0

interface ethernet0 100basetx

interface ethernet1 100basetx

interface ethernet2 100basetx

interface ethernet3 100basetx

ip address outside 100.100.100.2 255.0.0.0

ip address inside 10.10.10.121 255.255.255.0

ip address dmz-web 20.20.20.1 255.255.255.0

ip address dmz-rmt 192.121.0.1 255.255.255.0

global (outside) 1 3.3.3.3

nat (inside) 0 access-list no-nat (Warning: access-list protocol or port will not used)

nat (inside) 1 10.10.10.0 255.255.255.0 0 0

nat (dmz-web) 1 20.20.20.0 255.255.255.0 0 0

nat (dmz-rmt) 0 access-list xxx (Warning: access-list protocol or port will not used)

static (inside,outside) 2.2.2.210.10.10.20 netmask 255.255.255.255 0 0

static (dmz-web,outside) 1.1.1.120.20.20.10 netmask 255.255.255.255 0 0

static (inside,dmz-web) 20.20.20.0 10.10.10.0 netmask 255.255.255.0 0 0

static (inside,dmz-rmt) 192.121.0.20 10.10.10.20 netmask 255.255.255.255 0 0

static (dmz-rmt,dmz-web) 20.20.20.0 192.121.0.0 netmask 255.255.255.0 0 0

access-group acl_1 in interface outside

route outside 0.0.0.0 0.0.0.0 100.100.100.1 1

route dmz-rmt 192.168.17.0 255.255.255.0 192.121.0.2 1

0 Helpful

alan
Level 1
Level 1

‎03-02-2004 07:07 AM

Looks like conflict between the nonat statement and the static statement (you can either have a static nat (20.x.x.x in the DMZ NAT to 10.x.x.x INSIDE) OR no-nat (pass through without NAT), not both

0 Helpful
Customers Also Viewed These Support Documents