05-07-2007 10:04 AM
Hi,
I get the following error message with the working ASA, and I also tried it on a newly bought ASA.
I tried issuing "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. Then I added "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp"; this command is also accepted, but when I restart the ASA after this, I get the error message "ERROR: access-list has protocol or port". After getting this error message, I could not find "nat (inside) 0 access-list cbaynonat" in the configuration. Then I removed "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" and added "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. I found that only after issuing "access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" do I get the error message; it is not only with port 21, with any port I add I get that error message. But when I tried issuing "access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0" and then restarting the ASA, there is no error message, and I am able to see "nat (inside) 0 access-list cbaynonat" in the configuration.
Please help me out with what the problem is. I tried upgrading to version 7.2 as well, and I get the same error message.
For a better understanding, see the steps below.
--------------------------------------
Step:-1
-------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: Access-list "cbaynonat" does not exist
ciscoasa(config)#
Step:-2
-------
ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: access-list has protocol or port
ciscoasa(config)#show run nat
cbayasaapt(config)# sh run nat
nat (inside) 1 172.19.1.0 255.255.255.0
Step:-3
-------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)#reload
ERROR: access-list has protocol or port          <-- this message appears at the time of reboot
cbayasaapt(config)# sh run nat
access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
Step:-4
-------
ciscoasa(config)#no access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)#nat (inside) 0 access-list cbaynonat
ciscoasa(config)#sh run nat
nat (inside) 0 access-list cbaynonat
Step:-5
-------
ciscoasa(config)#access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list cbaynonat
ciscoasa(config)#show run nat
cbayasaapt(config)# sh run nat
nat (inside) 0 access-list cbaynonat
nat (inside) 1 172.19.1.0 255.255.255.0
ciscoasa(config)#reload
after reload:
ciscoasa(config)# show run nat
nat (inside) 0 access-list cbaynonat
access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
05-07-2007 10:32 AM
Hi,
I am not sure what you are trying to achieve; let me see if I can help you here.
Basically, the error kept coming because you are doing an identity NAT and calling an access-list. For this kind of NAT, the access-list being called should not contain any port numbers; it should be IP-based only.
I guess you want to do a nonat when the source IP is from 172.19.0.0 to 172.16.0.0, so your configuration is fine after that.
-Hoogen
Do rate if this helps :)
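Hoogen's point above, as an added example that is not from this thread or from Cisco: a small Python audit of an ASA config fragment that flags the two conditions the original poster hit, a nat 0 access-list that does not exist yet (step 1) and one whose ACE carries a protocol or port (steps 2 and 3), while passing the IP-only ACE from step 5. The config fragments are constructed from the commands in the thread; the parser, the audit function and the reason strings are my own and assume plain extended ACEs.

```python
# Constructed config fragments (not the thread's full config), mirroring
# steps 2 and 5 of the original post: a TCP/port ACE and the IP-only fix.
PORT_ACL = """
access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp
nat (inside) 0 access-list cbaynonat
nat (inside) 1 172.19.1.0 255.255.255.0
"""
IP_ONLY_ACL = """
access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list cbaynonat
nat (inside) 1 172.19.1.0 255.255.255.0
"""
PORT_OPERATORS = {"eq", "neq", "lt", "gt", "range"}  # ASA port qualifiers


def parse_config(text):
    """Collect ACL entries and every 'nat (if) 0 access-list NAME' line."""
    acls, nat0_refs = {}, []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) > 2 and tok[0] == "access-list":
            acls.setdefault(tok[1], []).append(tok[2:])
        elif (len(tok) >= 5 and tok[0] == "nat"
              and tok[2] == "0" and tok[3] == "access-list"):
            nat0_refs.append((tok[1].strip("()"), tok[4]))
    return acls, nat0_refs


def audit(text):
    """Return (acl_name, reason) for each nat 0 ACL the ASA would reject."""
    acls, nat0_refs = parse_config(text)
    problems = []
    for _iface, name in nat0_refs:
        if name not in acls:                      # step 1: ACL not defined yet
            problems.append((name, "missing"))
            continue
        for ace in acls[name]:
            # Only 'extended <permit|deny> <proto> ...' entries are audited;
            # remarks and standard ACLs are skipped.
            if len(ace) < 3 or ace[0] != "extended":
                continue
            reasons = []
            if ace[2] != "ip":                    # nat 0 ACL must be IP-only
                reasons.append(f"protocol {ace[2]}")
            ops = [t for t in ace[3:] if t in PORT_OPERATORS]
            if ops:                               # any port qualifier also fails
                reasons.append("port " + " ".join(ops))
            if reasons:
                problems.append((name, "; ".join(reasons)))
    return problems
```

Port-level restrictions for a subnet belong in a separate access-list bound to the interface with access-group, not in the ACL that the nat 0 statement references.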
05-07-2007 09:54 PM
Hi,
Thanks for your reply. I do agree, but the same is accepted on a Cisco PIX. Any suggestions?
05-07-2007 10:48 PM
Also, if 172.19.5.0 (which is the VPN client IP range) should be able to access only a specific port on my network (172.19.1.0), what should I do on my ASA?