Error while issuing the command in ASA 5510

Anand Narayana
Level 6

Hi,

I get the following error message on a working ASA, and I also tried it on a newly bought ASA.

I tried issuing "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. Then I added "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp"; this command is also accepted. But when I restart the ASA after this, I get the error message "ERROR: access-list has protocol or port". After getting this error message I could not find "nat (inside) 0 access-list cbaynonat" in the configuration. Then I removed "access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" and added "ciscoasa(config)# nat (inside) 0 access-list cbaynonat"; the command is accepted. I found that only after issuing "access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp" do I get the error message, and it is not only with port 21: whichever port I add, I get that error message. But when I tried issuing "access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0" and then restarting the ASA, there is no error message, and I could see "nat (inside) 0 access-list cbaynonat" in the configuration.

Please help me out with what the problem is. I also tried upgrading to version 7.2 and I get the same error message.

For a better understanding, see below.

--------------------------------------

Step:-1
-------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: Access-list "cbaynonat" does not exist
ciscoasa(config)#

Step:-2
-------
ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ERROR: access-list has protocol or port
ciscoasa(config)#show run nat
cbayasaapt(config)# sh run nat
nat (inside) 1 172.19.1.0 255.255.255.0

Step:-3
-------
ciscoasa(config)# nat (inside) 0 access-list cbaynonat
ciscoasa(config)#access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)#reload
ERROR: access-list has protocol or port -------------------- this message appears at the time of reboot.
cbayasaapt(config)# sh run nat
access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp

Step:-4
-------
ciscoasa(config)#no access-list 172.19.1.2 extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.0 eq ftp
ciscoasa(config)#nat (inside) 0 access-list cbaynonat
ciscoasa(config)#sh run nat
nat (inside) 0 access-list cbaynonat

Step:-5
-------
ciscoasa(config)#access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
ciscoasa(config)#nat (inside) 0 access-list cbaynonat
ciscoasa(config)#show run nat
cbayasaapt(config)# sh run nat
nat (inside) 0 access-list cbaynonat
nat (inside) 1 172.19.1.0 255.255.255.0
ciscoasa(config)#reload

after reload

ciscoasa(config)#show run nat
nat (inside) 0 access-list cbaynonat
access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0

3 Replies

hoogen_82
Level 4

Hi,

I am not sure what you are trying to achieve; let me see if I can help you here.

Basically, the error kept coming because you are doing an identity NAT and calling an access-list; for this kind of NAT, the access-list being called should not contain any port numbers, it should be IP-based only.

I guess you want to do a nonat when the source IP is from 172.19.0.0 to 172.16.0.0, so your configuration is fine after that.

-Hoogen

Do rate if this helps :)
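Added example (not from this thread or from Cisco): a small Python lint that reads ASA configuration text and flags any ACE in an access-list referenced by a "nat (...) 0 access-list" line that uses a protocol other than ip or carries a port match, which is the combination the ASA rejects at reload with "ERROR: access-list has protocol or port". Running it against a saved config before a reload catches the problem while the nat 0 line is still in the running config. The configuration fragment is constructed from the commands in this thread.

```python
import re
from typing import List, Tuple

# Constructed ASA configuration fragment (not copied from a real device).
# The first cbaynonat ACE is the one from the thread: tcp plus "eq ftp", which
# the ASA accepts interactively but rejects when the startup-config is replayed.
SAMPLE_CONFIG = """
access-list cbaynonat extended permit tcp host 172.19.1.2 172.19.5.0 255.255.255.128 eq ftp
access-list cbaynonat extended permit ip 172.19.0.0 255.255.0.0 172.16.0.0 255.255.255.0
access-list outside_in extended permit tcp any host 172.19.1.2 eq www
nat (inside) 0 access-list cbaynonat
nat (inside) 1 172.19.1.0 255.255.255.0
"""

# access-list <name> extended <permit|deny> <protocol> <rest of the ACE>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")
# nat (<interface>) 0 access-list <name>   -> identity NAT / NAT exemption
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
# ASA port-match operators that may follow a source or destination
PORT_KEYWORDS = ("eq", "gt", "lt", "neq", "range")


def nat_exempt_acls(config: str) -> List[str]:
    """Names of every access-list referenced by a 'nat (...) 0 access-list' line."""
    names = []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def offending_aces(config: str) -> List[Tuple[str, str]]:
    """(acl_name, ace_line) for each ACE in a NAT-exempt ACL that is not plain
    'ip' or that names a port, i.e. the ACEs that make the nat 0 line fail."""
    exempt = set(nat_exempt_acls(config))
    bad = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if not m or m.group(1) not in exempt:
            continue
        proto, rest = m.group(3), m.group(4).split()
        if proto != "ip" or any(tok in PORT_KEYWORDS for tok in rest):
            bad.append((m.group(1), line))
    return bad


if __name__ == "__main__":
    for acl, ace in offending_aces(SAMPLE_CONFIG):
        print(f"nat 0 ACL {acl!r} has protocol/port ACE, will fail at reload: {ace}")
```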

Hi,

Thanks for your reply. I do agree, but the same is accepted on the Cisco PIX. Any suggestions?

Also, if 172.19.5.0 (which is the VPN client IP range) wants to access only a specific port on my network (172.19.1.0), what should I do on my ASA?
