https://community.cisco.com/t5/network-security/nat-error/m-p/1124990#M892467 <P>Hello,</P><P></P><P>I want to add nat (inside ) 0 access-list NONAT</P><P></P><P>but I get Error</P><P>"Access-list has protocol or port "</P><P></P><P>I have checked there is no entry with "nat (inside ) 0 access-list "</P><P></P><P></P> Mon, 11 Mar 2019 14:24:25 GMT Amin Shaikh 2019-03-11T14:24:25Z https://community.cisco.com/t5/network-security/nat-error/m-p/1124990#M892467 <P>Hello,</P><P></P><P>I want to add nat (inside ) 0 access-list NONAT</P><P></P><P>but I get Error</P><P>"Access-list has protocol or port "</P><P></P><P>I have checked there is no entry with "nat (inside ) 0 access-list "</P><P></P><P></P> Mon, 11 Mar 2019 14:24:25 GMT https://community.cisco.com/t5/network-security/nat-error/m-p/1124990#M892467 Amin Shaikh 2019-03-11T14:24:25Z https://community.cisco.com/t5/network-security/nat-error/m-p/1124991#M892468 <HTML><HEAD></HEAD><BODY><P>You can't use port numbers in a nat exemption access-list.</P><P></P><P>Jon</P></BODY></HTML> Wed, 10 Dec 2008 22:03:00 GMT https://community.cisco.com/t5/network-security/nat-error/m-p/1124991#M892468 Jon Marshall 2008-12-10T22:03:00Z https://community.cisco.com/t5/network-security/nat-error/m-p/1124992#M892469 <HTML><HEAD></HEAD><BODY><P>So If I want to do a NAT 0 to an acl NONAT what should I do</P><P></P><P>I already use to have the following on my ASA Firewall</P><P></P><P>global (outside) 2 interface</P><P>nat (inside) 0 access-list NONAT</P><P>nat (inside) 2 192.168.1.103 255.255.255.255</P><P>nat (inside) 2 192.168.10.0 255.255.255.0</P><P>nat (inside) 2 192.168.20.0 255.255.255.0</P><P>nat (inside) 2 192.168.30.0 255.255.255.0</P><P></P><P></P></BODY></HTML> Wed, 10 Dec 2008 22:45:08 GMT https://community.cisco.com/t5/network-security/nat-error/m-p/1124992#M892469 Amin Shaikh 2008-12-10T22:45:08Z https://community.cisco.com/t5/network-security/nat-error/m-p/1124993#M892470 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>How is your NONAT ACL Configured. As per Jon's post, ports are not supported in NAT 0 ACL. </P><P></P><P>For example:</P><P></P><P>ciscoasa(config)# access-list NONAT permit tcp 192.68.10.0 255.255.255.0 any</P><P>ciscoasa(config)# nat (inside) 0 access-list NONAT</P><P>ERROR: access-list has protocol or port</P><P></P><P>So, you could configure your NONAT ACL using IP.</P><P></P><P>ciscoasa(config)# access-list NONAT permit ip 192.68.10.0 255.255.255.0 any</P><P>ciscoasa(config)# nat (inside) 0 access-list NONAT</P><P></P><P>Regards,</P><P>Arul</P><P></P><P>*Pls rate if it helps*</P><P></P><P></P></BODY></HTML> Thu, 11 Dec 2008 00:25:31 GMT https://community.cisco.com/t5/network-security/nat-error/m-p/1124993#M892470 ajagadee 2008-12-11T00:25:31Z https://community.cisco.com/t5/network-security/nat-error/m-p/1124994#M892471 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>My NAT is configured as </P><P></P><P>access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.5.0 255.255.255.0 </P><P>access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.10.0 255.255.255.0 </P><P>access-list NONAT extended permit ip VPNCLNT 255.255.255.0 192.168.20.0 255.255.255.0 </P><P></P><P>But still I get the same Error</P><P></P><P>?</P><P></P><P></P></BODY></HTML> Thu, 11 Dec 2008 10:34:17 GMT https://community.cisco.com/t5/network-security/nat-error/m-p/1124994#M892471 Amin Shaikh 2008-12-11T10:34:17Z https://community.cisco.com/t5/network-security/nat-error/m-p/1124995#M892472 <HTML><HEAD></HEAD><BODY><P>Correct one is the following</P><P></P><P>access-list NONAT extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0</P><P>access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0 </P><P>access-list NONAT extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0</P><P></P><P>also make sure VPNCLNT is a name assigned to a subnet, not single host.</P><P></P><P>If still get the same error, simply create a new ACL as following</P><P></P><P>access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 VPNCLNT 255.255.255.0</P><P>access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPNCLNT 255.255.255.0 </P><P>access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 VPNCLNT 255.255.255.0</P><P></P><P>nat (inside) 0 access-list inside_nat0_outbound</P><P></P><P></P></BODY></HTML> Thu, 11 Dec 2008 13:16:48 GMT https://community.cisco.com/t5/network-security/nat-error/m-p/1124995#M892472 Alan Huseyin Kayahan 2008-12-11T13:16:48Z