https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907631#M974643 <HTML><HEAD></HEAD><BODY><P>You probably need to ask Cisco about the reasoning behind this logic. maybe they saw no need to allow users to be able to use nat exemption based on ports/protocols</P></BODY></HTML> Fri, 21 Sep 2007 18:08:02 GMT srue 2007-09-21T18:08:02Z https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907626#M974638 <P>Riddle me this.....</P><P></P><P>Given an ACL that has the following line in it:</P><P></P><P>access-list TEST-NONAT extended permit icmp host EDISRV host X.X.X.X</P><P></P><P>When I attempt the following I get this error message:</P><P></P><P>ASA(config)# nat (INSIDE) 0 access-list TEST-NONAT</P><P>ERROR: access-list has protocol or port</P><P>ASA(config)# </P><P></P><P>At which point I scratch my head and say "well of course the acl has a protocol and port"</P><P></P><P>If I remove the ACL line I posted above the nat statement is accepted just fine. </P><P></P><P>I do not understand why.</P><P></P> Mon, 11 Mar 2019 11:15:05 GMT https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907626#M974638 whisperwind 2019-03-11T11:15:05Z https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907627#M974639 <HTML><HEAD></HEAD><BODY><P>Hi </P><P></P><P>You cannot use a port in an access-list that is there for NAT exemption. </P><P></P><P>You can use ports in access-lists for policy NAT.</P><P></P><P>HTH</P><P></P><P>Jon</P></BODY></HTML> Fri, 21 Sep 2007 17:33:08 GMT https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907627#M974639 Jon Marshall 2007-09-21T17:33:08Z https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907628#M974640 <HTML><HEAD></HEAD><BODY><P>yeah but icmp is a protocol not a port....</P></BODY></HTML> Fri, 21 Sep 2007 17:42:13 GMT https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907628#M974640 whisperwind 2007-09-21T17:42:13Z https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907629#M974641 <HTML><HEAD></HEAD><BODY><P>and the error says "protocol or port".</P></BODY></HTML> Fri, 21 Sep 2007 17:47:44 GMT https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907629#M974641 srue 2007-09-21T17:47:44Z https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907630#M974642 <HTML><HEAD></HEAD><BODY><P>Come on srue that is not helpful at all.</P><P></P><P>Why does exempting ping something is it denied? I can understand the port but not icmp, can anyone explain that to me?</P></BODY></HTML> Fri, 21 Sep 2007 17:53:31 GMT https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907630#M974642 whisperwind 2007-09-21T17:53:31Z https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907631#M974643 <HTML><HEAD></HEAD><BODY><P>You probably need to ask Cisco about the reasoning behind this logic. maybe they saw no need to allow users to be able to use nat exemption based on ports/protocols</P></BODY></HTML> Fri, 21 Sep 2007 18:08:02 GMT https://community.cisco.com/t5/network-security/acl-nat-icmp-confusion/m-p/907631#M974643 srue 2007-09-21T18:08:02Z