ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

gunitsgulati
Level 1

Hi,

ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

I get this error when I put the TCP ACE entry in the no-NAT ACL; my ASA is a 5580 running 8.2.3,

and this removed the no-NAT entry from the firewall. Any ideas what could be the issue?

Regards,

Guneet Singh Gulati

5 Replies

Jennifer Halim
Cisco Employee

You can't configure protocol or port specific ACE for NAT 0 (NAT exemption) ACL as it is not supported.

You can only configure "IP" as the protocol.

Here is the command reference for your information:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858

Hope that answers your question.

This is what I know, but I remember I have done similar configurations before and it only used to give warnings, not the error.

Is this something introduced in newer versions of ASA?

Regards,

Guneet Singh Gulati

Sounds like it could potentially be a bug. It shouldn't remove the NAT statement but just give you an error message. You might want to open a TAC case to get it investigated further.

Not a bug, as I face similar issues with v7.2.4.

After the fix of defect "CSCsv32093: NAT_PAT: ASA should give error for mismatched policy nat ACL" the ASA will throw errors. It was fixed in 7.2.5 and 8.0.5.

I believe it makes sense now.

PK
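As an added illustration of the two points made above (Jennifer's: a NAT exemption ACL may only match on protocol "ip"; PK's: since the CSCsv32093 fix a non-compliant ACE is rejected rather than warned about), here is a constructed ASA configuration fragment, not taken from any poster in the thread. The ACL name NONAT, the interface name and the addresses are assumptions.

```cisco
! Constructed example (not from the thread). Names and addresses are assumptions.

! --- Rejected: a port/protocol-specific ACE in a nat 0 ACL ---
! On releases with the CSCsv32093 fix (7.2.5 / 8.0.5 and later) adding this ACE
! to an ACL bound with "nat (inside) 0" produces
!   ERROR: ACE contains port, protocol, or deny. Removing NAT configuration
! and the "nat (inside) 0 access-list NONAT" statement is removed; older
! releases only warned. A "deny" ACE is rejected for the same reason.
access-list NONAT extended permit tcp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
nat (inside) 0 access-list NONAT

! --- Accepted: match on protocol "ip" only, then bind the ACL with nat 0 ---
! Port-level restrictions belong in the interface access-group ACL, not here.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

After applying the accepted form, "show run nat" should still list the nat 0 binding, which is the quickest check that the exemption was not silently dropped.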
