Cisco Support Community

Error while issuing the command in ASA 5510

Hi,

I get the following error message with the working ASA, and I also tried it on a newly bought ASA.

I tried issuing "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. Then I added "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp"; this command is also accepted. But when I restart the ASA after this, I get the error message "ERROR: access-list has protocol or port". After getting this error message, I could not find "nat (inside) 0 access-list cbaynonat" in the configuration. Then I removed "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" and added "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. I found that only after issuing "access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" do I get the error message. It is not only with port 21; with any port I add, I get that error message. But when I tried issuing "access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0" and then restarting the ASA, there is no error message, and I am able to see "nat (inside) 0 access-list cbaynonat" in the configuration.

Help me out, what is the problem? I tried upgrading to version 7.2 also, and I get the same error message.

For better understanding, find the steps below.

--------------------------------------

Step 1
-------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: Access-list "cbaynonat" does not exist
ciscoasa(config)#

Step 2
-------
ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: access-list has protocol or port
ciscoasa(config)#show run nat
cbayasaapt(config)# sh run nat
nat (inside) 1 172.19.1.0 255.255.255.0

Step 3
-------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)#reload
ERROR: access-list has protocol or port -------------------- this message appears at the time of reboot.
cbayasaapt(config)# sh run nat
access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp

Step 4
-------
ciscoasa(config)#no access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)#nat (inside) 0 access-list cbaynonat
ciscoasa(config)#sh run nat
nat (inside) 0 access-list cbaynonat

Step 5
-------
ciscoasa(config)#access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list cbaynonat
ciscoasa(config)#show run nat
cbayasaapt(config)# sh run nat
nat (inside) 0 access-list cbaynonat
nat (inside) 1 172.19.1.0 255.255.255.0
ciscoasa(config)#reload

after reload

ciscoasa(config)#show run nat
nat (inside) 0 access-list cbaynonat
access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0

3 REPLIES

Re: Error while issuing the command in ASA 5510

Hi,

I am not sure what you are trying to achieve, let me see if I can help you here.

Basically, the reason the error kept coming is that you are doing an identity NAT and calling an access-list; for this kind of NAT, the access-list being called should not contain any port numbers, it should be IP based only.

I guess you want to do a nonat when the source IP is from 172.19.0.0 to 172.16.0.0, so your configuration is fine after that.

-Hoogen

Do rate if this helps :)
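To make the rule in this reply checkable before a reload, here is an added example (not from this thread and not Cisco's own tooling): a small Python linter that replays a saved configuration in file order, the way the ASA does at boot, and reports every "nat (iface) 0 access-list NAME" line that would be rejected, using the two error strings seen in the original post. The ASA saves access-list lines ahead of nat lines, which is why the nat 0 line is accepted interactively in step 3 but is rejected and silently dropped at reload once the ACL with "eq ftp" already exists. The config lines below are constructed for the example; the interface names dmz and outside and the ACL names dmznonat and missing are assumptions, while the cbaynonat lines mirror the post.

```python
import re
from dataclasses import dataclass

# Constructed sample config (not captured from a real device). The cbaynonat
# lines mirror the thread; the dmz/outside interfaces and the dmznonat/missing
# ACL names are invented for the example.
SAMPLE_CONFIG = """\
access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp
access-list dmznonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
access-list outside_in extended permit tcp any host 172.19.1.2 eq 443
nat (inside) 0 access-list cbaynonat
nat (dmz) 0 access-list dmznonat
nat (outside) 0 access-list missing
nat (inside) 1 172.19.1.0 255.255.255.0
"""

# access-list NAME extended permit|deny PROTOCOL <rest of the ACE>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
# nat (IFACE) 0 access-list NAME   (NAT exemption / identity NAT by ACL)
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")

# Port operators that may follow a source or destination in an extended ACE.
PORT_KEYWORDS = {"eq", "lt", "gt", "neq", "range"}


@dataclass
class Ace:
    protocol: str
    rest: str

    def has_protocol_or_port(self) -> bool:
        """True if this ACE is anything other than a pure IP-to-IP match.

        A NAT-exempt ACL must be IP based only: protocol 'ip' and no port
        operator. tcp/udp/icmp (or a numeric protocol) or any eq/lt/gt/neq/range
        token makes the ACE unusable for nat 0.
        """
        if self.protocol != "ip":
            return True
        return any(tok in PORT_KEYWORDS for tok in self.rest.split())


def check_nat_exempt(config: str):
    """Replay the config top to bottom and return (line_no, error) pairs for
    every nat 0 access-list line the ASA would reject at that point."""
    acls: dict[str, list[Ace]] = {}
    problems = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, _action, proto, rest = m.groups()
            acls.setdefault(name, []).append(Ace(proto, rest))
            continue
        m = NAT0_RE.match(line)
        if m:
            _iface, name = m.groups()
            if name not in acls:
                # Same situation as step 1 in the post: ACL referenced before it exists.
                problems.append((lineno, f'ERROR: Access-list "{name}" does not exist'))
            elif any(ace.has_protocol_or_port() for ace in acls[name]):
                # Same situation as steps 2 and 3: ACL exists but carries tcp/udp or a port.
                problems.append((lineno, "ERROR: access-list has protocol or port"))
    return problems


if __name__ == "__main__":
    for lineno, err in check_nat_exempt(SAMPLE_CONFIG):
        print(f"line {lineno}: {err}")
```

Run it against a saved "show running-config" before you reload: any line reported here is a nat 0 statement that will vanish from the running configuration after the reboot, exactly as the post describes. The checker deliberately ignores object-group based ACEs and standard ACLs, which the nat 0 syntax in this thread does not use.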

Re: Error while issuing the command in ASA 5510

Hi,

Thanks for your reply, I do agree, but Cisco PIX accepts the same. Any suggestions?

Re: Error while issuing the command in ASA 5510

Also, if 172.19.5.0 (which is the VPN client IP range) wanted to access only a specific port on my network (172.19.1.0), what should I do on my ASA?
