Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
461
Views
5
Helpful
6
Replies

Asa nat error

Go to solution
opnineopnine
Level 1
Level 1

‎11-25-2014 01:20 PM - edited ‎03-11-2019 10:07 PM

Hi all,

 

I have a asa 5505 and im having the following error.

 

 

nat (inside) 0 access-list inside_nat0_outbound 
ERROR: access-list has protocol or port

 

 

Any ideas?

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to opnineopnine

‎11-25-2014 04:21 PM

Yes, remove the line with the port and add the same line without ports and with ip instead of tcp. That's all that has to be done..

View solution in original post

0 Helpful
6 Replies 6

Go to solution
burleyman
Level 8
Level 8

‎11-25-2014 01:58 PM

Please post the ACL inside_nat0_outbound

0 Helpful

Go to solution
opnineopnine
Level 1
Level 1
In response to burleyman

‎11-25-2014 02:32 PM

Hello burleyman

 

access-list inside_nat0_outbound extended permit ip any host estudio_address 
access-list inside_nat0_outbound extended permit ip any 172.18.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.17.2.0 255.255.255.0 host 10.61.10.224 
access-list inside_nat0_outbound extended permit ip any 12.100.64.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 12.100.65.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 12.102.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 12.100.66.0 255.255.255.0 
access-list inside_nat0_outbound extended permit tcp any 12.100.64.0 255.255.255.0 eq www --this is the last one i added.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to opnineopnine

‎11-25-2014 03:28 PM

An ACL that is used for NAT exemption should not contain any ports. If you really need ports (based on your config, I don't think so), you have to configure static identity NAT.

Just use the following line instead of your last line:

access-list inside_nat0_outbound extended permit ip any 12.100.64.0 255.255.255.0

Go to solution
opnineopnine
Level 1
Level 1
In response to Karsten Iwen

‎11-25-2014 03:32 PM

Hello Karsten

 

To fix the issue i would have to erase the acl and add the nat, write?

 

no access-list inside_nat0_outbound extended permit tcp any 12.100.64.0 255.255.255.0 eq www

 nat (inside) 0 access-list inside_nat0_outbound

 

Thanks.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to opnineopnine

‎11-25-2014 04:21 PM

Yes, remove the line with the port and add the same line without ports and with ip instead of tcp. That's all that has to be done..

0 Helpful

Go to solution
opnineopnine
Level 1
Level 1
In response to burleyman

‎11-25-2014 02:32 PM

I found my own error

 no access-list inside_nat0_outbound extended permit tcp any 12.100.64.0 255.255.255.0 eq www

 nat (inside) 0 access-list inside_nat0_outbound

 

Is that correct?

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card