Does adding TCP/UDP ports to the NAT-exempt access-list that is bound to a nat 0 statement remove the entire nat 0 statement itself?

Hi Experts,

Is the above statement true? I learnt later that adding TCP and UDP ports to the nat 0 statements is supported. But does it take away the entire NAT statement? Please answer my question at the earliest.

Regards

Krishna

8 Replies

Jennifer Halim
Cisco Employee

No, it doesn't support TCP/UDP ports in NAT 0 access-list.

Here is the command reference for your information:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/no.html#wp1756533

(Please check under the "Bypassing NAT" section, second bullet point: NAT exemption.)

Hope that answers your question.

Hi,

Thanks for the reply, but it did remove the nat 0. Once I finished configuring it and saved the config, nat 0 was removed, and it affected other tunnels also; hence I need clarification: does it remove the entire nat 0 statement? I was blamed for the outage it caused, hence I need an answer to this question.

regards,

krishna

Yes, unfortunately it does remove the NAT statement, and it also provides you with an error message when you configure it.

Here is an example of the error message:

ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

nat (inside) 0 access-list nonat

Ohh, but that shouldn't be the ideal way. It should throw up an error; it should not accept the access-list at all if it is wrong, and it should not remove the existing configuration. In my case it accepted it and didn't throw up an error. If it does remove the entire config, could this be a bug in IOS? The IOS version used is 8.2(4)1.

Regards

Krishna

Krishna,

"NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does enable you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list. NAT exemption also does not support connection settings, such as maximum TCP connections."

Reference

So, since the documentation clearly says that this rule does not consider any ports in the ACL, one should not be testing unsupported configurations.

If one adds an ACL with specific ports, then unexpected results may occur.

My suggestion: don't add any ACL entry with specific ports to your NAT exempt statement.

Thanks.

Portu.

Please rate any helpful posts

Hi,

I accept that we should not be testing features that are not supported, but if the feature is not supported, why does it not throw up an error in a better way, so that it is understood by a layman? Also, the config should not be accepted at all. I am not challenging Cisco here, but nowhere in the document do they mention that adding ports might remove the entire configuration (nat 0) statement. I am just seeking clarity on the issue so that it does not happen to others.

Thanks for the reply,

Krishna

Hello Krishna,

I agree with you, but as Cisco documents in its command reference, the setup is not supported, so it will remove the entire NAT 0 setup. Bottom line: it will remove it, and yes, it will show you an error, as Portu said:

"ERROR: ACE contains port, protocol, or deny. Removing NAT configuration"

So all you will need to do after that message is take out the ACL with the TCP/UDP ports and then apply the NAT 0 rule back.

Hope this helps,

Remember to rate all of the helpful posts.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Please check this out:

NAT exemption access-list not checked for protocol or port when applied

Workaround:

Don't configure invalid access-lists as NAT exemption access-lists; stick to ip permit or deny ACE entries.

HTH.

Portu.

If you do not have any further questions please mark this question as answered and rate any helpful posts.
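Since the thread's conclusion is that the ASA only honours plain `permit ip` ACEs in a NAT-exemption ACL and tears down the `nat (inside) 0 access-list` binding when it finds a port, a non-ip protocol or (per the error message quoted above) a deny, a practitioner will want to lint the ACL before binding it. The following is an added example written for this page, not code from the thread, from Cisco or from any Cisco tool. It assumes the classic ASA 8.2 syntax `access-list NAME [line N] [extended] permit|deny PROTO SRC DST [port operator]`, treats a service object-group in the protocol slot as "not ip", and flags deny ACEs only because the quoted error text names them; the sample configuration is constructed for the demonstration.

```python
"""Lint an ASA 8.2 NAT-exemption ACL before binding it with 'nat (ifc) 0 access-list NAME'.

Added example (not from the forum thread or Cisco). Assumes classic ASA ACL syntax.
"""
from dataclasses import dataclass
from typing import List, Optional

# Port operators that can follow a source or destination in an extended ACE.
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str      # "permit" or "deny"
    protocol: str    # "ip", "tcp", "udp", ..., or "object-group NAME"
    has_port: bool
    text: str


@dataclass(frozen=True)
class Finding:
    ace: str
    reason: str


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one 'access-list ...' ACE; returns None for remarks and non-ACL lines."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list":
        return None
    acl = tok[1]
    i = 2
    if tok[i] == "line":          # optional 'line N' prefix
        i += 2
    if i < len(tok) and tok[i] == "extended":
        i += 1
    if i + 1 >= len(tok) or tok[i] not in ("permit", "deny"):
        return None               # 'remark', standard ACLs, truncated lines
    action = tok[i]
    protocol = tok[i + 1]
    j = i + 2
    if protocol == "object-group":   # service object-group in the protocol slot
        if j >= len(tok):
            return None
        protocol = "object-group " + tok[j]
        j += 1
    has_port = any(t in PORT_OPERATORS for t in tok[j:])
    return Ace(acl, action, protocol, has_port, line.strip())


def check_nat_exempt_acl(acl_name: str, config_lines: List[str]) -> List[Finding]:
    """Return every ACE of acl_name that NAT exemption on ASA 8.2 would reject."""
    findings = []
    for line in config_lines:
        ace = parse_ace(line)
        if ace is None or ace.acl != acl_name:
            continue
        reasons = []
        if ace.protocol != "ip":
            reasons.append(f"protocol {ace.protocol!r} (NAT exemption only honours 'ip')")
        if ace.has_port:
            reasons.append("port operator present")
        if ace.action == "deny":
            reasons.append("deny ACE (named in 'ERROR: ACE contains port, protocol, or deny')")
        if reasons:
            findings.append(Finding(ace.text, "; ".join(reasons)))
    return findings


def sanitize_nat_exempt_acl(acl_name: str, config_lines: List[str]) -> List[str]:
    """Keep only the 'permit ip' ACEs of acl_name, i.e. what can safely be bound to nat 0."""
    return [
        ace.text
        for ace in map(parse_ace, config_lines)
        if ace and ace.acl == acl_name and ace.action == "permit"
        and ace.protocol == "ip" and not ace.has_port
    ]


# Constructed sample configuration: two valid ACEs, three that would trigger the error,
# one ACE from an unrelated ACL, and the nat 0 binding itself.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list nonat extended permit tcp host 10.1.1.5 192.168.1.0 255.255.255.0 eq 443
access-list nonat extended permit udp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 514
access-list nonat extended deny ip host 10.1.1.99 192.168.1.0 255.255.255.0
access-list outside_in extended permit tcp any host 203.0.113.10 eq 80
nat (inside) 0 access-list nonat
""".splitlines()


if __name__ == "__main__":
    for f in check_nat_exempt_acl("nonat", SAMPLE_CONFIG):
        print(f"REJECT: {f.ace}\n        {f.reason}")
    print("Safe to bind to nat 0:")
    for ace in sanitize_nat_exempt_acl("nonat", SAMPLE_CONFIG):
        print("  " + ace)
```

Run the checker against the `show running-config access-list` output before issuing `nat (inside) 0 access-list nonat`; an empty findings list is the condition under which the thread's participants say the binding will stay in place. The sanitized list is what to re-apply after the error, which is the recovery Julio describes above. Port-specific exemptions belong in a policy NAT statement, not in the exemption ACL.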
