Cisco ASA - Nat 0 issue.

Posted on 2012-09-10
Last Modified: 2012-09-12
I have a point-to-point VPN between two sites that reside outside my firewall.
Main Site: IP
Remote Site:,  
VPN is up and system works 100%.

The issue is that if I have to reboot the FW, the access list will not come up. I get an error that the access-list can't contain port settings.
nat (inside) 0 access-list vpn_only - the list will not load.
access-list vpn_only extended permit udp

access-list vpn_only extended permit udp

So whenever I need to reboot my firewall, I remove the 2 access lists above, add the nat (inside) 0 access-list vpn_only, then add back in the access lists.

Version on firewall is:
Cisco Adaptive Security Appliance Software Version 7.2(3)

Not sure how to fix.
Question by: thecookman

    Expert Comment

    by: Ernie Beek
    Try changing

    access-list vpn_only extended permit udp
    access-list vpn_only extended permit udp


    access-list vpn_only extended permit ip
    access-list vpn_only extended permit ip

    Author Comment

    Hi, thank you for the post.

    I left some other items out just for the sake of this posting.

    I do have what you suggested in the FW.

    Attached are the lines I need to remove; it's everything with TCP and UDP.

    Author Comment

    ERROR: access-list has protocol or port
    Expert Comment

    You're just trying to do what the ASA (and even the old PIX) will never allow you to: use port and protocol definitions in an access-list that is used to exempt NAT (e.g. nat 0).
    Please read the following:

    from pix/asa 7.x command reference at
    NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list.
    In other words, NAT 0 will NEVER, in any version (either 6.x or 7.x), allow you to use ports and/or protocols in the NAT 0 ACL. Those ACLs are ignored and deleted.

    Hope this helps.

    Accepted Solution

    Missed a couple of messages (?)

    But like I pointed out before (and like max said), you can't use ACLs with TCP or UDP in them for NAT exemption. So change all of them so they use IP (without any port definition).

    If you want to filter on specific ports, you can achieve that by making sure there is no sysopt connection permit-vpn in your config. Then you can define the TCP and UDP lines in the outside ACL, hence getting the same result without reboot issues.
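Putting the accepted solution into a complete fragment, as an added example that is not from the original thread: the nat 0 exemption ACL carries only `permit ip` lines, while the port restrictions move to the outside interface ACL that decrypted tunnel traffic must pass once `sysopt connection permit-vpn` is disabled. The 192.0.2.0/24 (main site) and 198.51.100.0/24 (remote site) networks, the port 5060 and the ACL name `outside_in` are constructed placeholders; the original post does not give them.

```cisco
! --- Before (fails on reload): NAT exemption ACL with protocol/port ACEs ---
! The ASA ignores ports in a nat 0 ACL and rejects these ACEs while the
! startup config is parsed ("ERROR: access-list has protocol or port"),
! so the nat (inside) 0 statement never binds after a reboot.
! Addresses and port are constructed placeholders.
access-list vpn_only extended permit udp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 5060
access-list vpn_only extended permit tcp 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0 eq 5060
nat (inside) 0 access-list vpn_only

! --- After: the exemption ACL matches on IP only, so it survives a reload ---
access-list vpn_only extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list vpn_only

! Port filtering lives in the outside interface ACL instead. With the sysopt
! below disabled, traffic arriving through the tunnel is checked against it
! after decryption, so only the listed ports reach the main site.
no sysopt connection permit-vpn
access-list outside_in extended permit udp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 5060
access-list outside_in extended permit tcp 198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0 eq 5060
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

Disabling `sysopt connection permit-vpn` affects every VPN that terminates on this ASA, not just this tunnel, so any other tunnel's traffic must also be permitted explicitly in the interface ACLs before the change.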
