11-30-2010 12:09 AM - edited 03-11-2019 12:16 PM
Hi,
ERROR: ACE contains port, protocol, or deny. Removing NAT configuration
I get this error when I put the TCP ACE entry in the no-NAT ACL; my ASA is a 5580 running 8.2.3,
and this removed the no-NAT entry from the firewall. Any ideas what could be the issue?
Regards,
Guneet Singh Gulati
11-30-2010 12:20 AM
You can't configure protocol or port specific ACE for NAT 0 (NAT exemption) ACL as it is not supported.
You can only configure "IP" as the protocol.
Here is the command reference for your information:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858
Hope that answers your question.
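To make the rule above concrete, here is an added configuration example (not from the thread or from Cisco's documentation) in ASA 8.2-style syntax. The ACL name NONAT and the subnets are assumed placeholders; the accepted ACE matches on `ip` only, while the commented-out ACE shows the port-specific form that triggers the error in the original post.

```cisco
! Added example: NAT exemption (nat 0) ACL on ASA 8.2-style syntax.
! NONAT and the subnets below are assumed placeholders.

! Accepted: the NAT exemption ACL matches on protocol "ip", source and
! destination subnets only. No port, no specific protocol, no deny entries.
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! Rejected: a TCP/port-specific ACE in the same ACL is refused and, on
! releases with the mismatched-policy-NAT check, the nat 0 statement is removed:
! access-list NONAT extended permit tcp 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0 eq 443
! ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

! Port-level restriction belongs on the interface ACL, not on the NAT exemption ACL.
access-list INSIDE_IN extended permit tcp 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0 eq 443
access-group INSIDE_IN in interface inside
```

The NAT exemption ACL only selects which flows bypass translation; it is not a filtering policy. Keeping it to `permit ip` entries and putting any port or protocol restrictions in the interface `access-group` ACL avoids the error and keeps the exemption from being silently dropped. After applying, `show running-config nat` confirms the `nat (inside) 0` line is still present.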
11-30-2010 12:27 AM
This is what I know, but I remember I have done similar configurations before and it only used to give warnings, not the error.
Is this something introduced in newer versions of ASA?
Regards,
Guneet Singh Gulati
11-30-2010 01:57 AM
Sounds like it could potentially be a bug. It shouldn't remove the NAT statement but just give you an error message. You might want to open a TAC case to get it investigated further.
11-30-2010 02:16 AM
Not a bug, as I face similar issues with v7.2.4.
11-30-2010 09:06 AM
After the fix of defect "CSCsv32093: NAT_PAT: ASA should give error for mismatched policy nat ACL" the ASA will throw errors. It was fixed in 7.2.5 and 8.0.5.
I believe it makes sense now.
PK