Cisco ASA - NAT 0 issue.

I have a point-to-point VPN between two sites that reside outside my firewall.
Main Site: IP 10.127.240.0/24
Remote Site: 10.127.107.0/24, 10.127.108.0/24.  
VPN is up and system works 100%.

The issue is that if I have to reboot the FW, the access list will not come up. I get an error that the access-list can't contain a port setting.
nat (inside) 0 access-list vpn_only - the list will not load.
access-list vpn_only extended permit udp 10.127.240.0 255.255.255.0 10.127.108.0 255.255.255.0

access-list vpn_only extended permit udp 10.127.240.0 255.255.255.0 10.127.107.0 255.255.255.0

So whenever I need to reboot my firewall I remove the two access-list lines above, add the nat (inside) 0 access-list vpn_only, then add the access-list lines back in.

The version on the firewall is:
Cisco Adaptive Security Appliance Software Version 7.2(3)

Not sure how to fix.
thecookman asked:
Ernie Beek (Expert, accepted answer) commented:
Missed a couple of messages (?)

But like I pointed out before (and like max said), you can't use ACLs with TCP or UDP in them for NAT exemption. So change all of them so they use IP (without any port definition).

If you want to filter on specific ports you can achieve that by making sure there is no sysopt connection permit-vpn in your config. Then you can define the TCP and UDP lines in the outside ACL, hence getting the same result without reboot issues.
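
The rewrite Ernie describes above (address-only `ip` entries for the nat 0 ACL, the protocol-specific entries kept in a separate ACL for an interface access-group, and `sysopt connection permit-vpn` disabled so that interface ACL actually applies to VPN traffic) can be checked before a reload rather than discovered during one. The script below is an added example, not part of the original thread or the poster's config: it parses a running-config excerpt, flags every protocol/port entry in an ACL referenced by `nat (...) 0 access-list`, emits the deduplicated `ip` replacement, and copies the original entries unchanged into a `<name>_filter` ACL. The sample config is constructed (the two udp lines from the question plus an assumed tcp/3389 line standing in for the attachment the poster mentions), the `_filter` suffix is this example's own convention, and the script assumes the ASA 7.x default that `sysopt connection permit-vpn` is enabled unless `no sysopt connection permit-vpn` appears in the config.

```python
import re
from typing import List, Set, Tuple

# Constructed sample running-config excerpt (not the poster's actual file):
# the two udp lines from the question, an assumed tcp line with a port of the
# kind the poster's attachment contains, one address-only line, an unrelated
# outside ACL and the nat 0 statement that binds vpn_only to NAT exemption.
SAMPLE_CONFIG = """\
access-list vpn_only extended permit udp 10.127.240.0 255.255.255.0 10.127.108.0 255.255.255.0
access-list vpn_only extended permit udp 10.127.240.0 255.255.255.0 10.127.107.0 255.255.255.0
access-list vpn_only extended permit tcp 10.127.240.0 255.255.255.0 10.127.107.0 255.255.255.0 eq 3389
access-list vpn_only extended permit ip 10.127.240.0 255.255.255.0 10.127.107.0 255.255.255.0
access-list outside_in extended permit icmp any any
nat (inside) 0 access-list vpn_only
"""

# access-list NAME extended permit|deny PROTO SRC [MASK] DST [MASK] [port-op ...]
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")
# nat (IFACE) 0 access-list NAME  -> NAME is used for NAT exemption
NAT0_RE = re.compile(r"^nat\s+\(([^)]+)\)\s+0\s+access-list\s+(\S+)\s*$")
# Assumed default: permit-vpn is on unless this line is present in the config.
NO_SYSOPT = "no sysopt connection permit-vpn"


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def to_ip_entry(name: str, action: str, rest: str) -> str:
    """Rewrite a protocol/port ACE as the address-only 'ip' ACE that nat 0 accepts.

    Only source and destination survive; a trailing port operator
    (eq/gt/lt/neq/range) is dropped because NAT exemption ignores ports anyway.
    """
    tokens = rest.split()
    src, i = _take_addr(tokens, 0)
    dst, _ = _take_addr(tokens, i)
    return f"access-list {name} extended {action} ip {src} {dst}"


def lint(config: str) -> Tuple[List[str], List[str]]:
    """Return (findings, corrected_config_lines) for an ASA 7.x config excerpt.

    Protocol/port ACEs in a NAT-exempt ACL are reported, replaced by one
    deduplicated 'ip' ACE per address pair, and copied as written into a
    sibling <name>_filter ACL (example convention) so the filtering intent is
    kept for an interface access-group. If permit-vpn is not disabled the
    rewritten config also appends the 'no sysopt' line.
    """
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    exempt = {m.group(2) for m in map(NAT0_RE.match, lines) if m}
    findings: List[str] = []
    fixed: List[str] = []
    filter_aces: List[str] = []
    seen: Set[str] = set()

    for line in lines:
        m = ACL_RE.match(line)
        if not m or m.group(1) not in exempt:
            fixed.append(line)  # not part of a NAT-exempt ACL: left untouched
            continue
        name, action, proto, rest = m.groups()
        entry = line
        if proto != "ip":
            findings.append(f"{name}: '{proto}' entry rejected by nat 0 at reload: {line}")
            entry = to_ip_entry(name, action, rest)
            filter_aces.append(f"access-list {name}_filter extended {action} {proto} {rest}")
        if entry not in seen:  # udp, tcp and ip ACEs for one pair collapse to one ip ACE
            seen.add(entry)
            fixed.append(entry)

    fixed.extend(filter_aces)
    if NO_SYSOPT not in lines:
        findings.append("sysopt connection permit-vpn is active: interface ACLs are bypassed for VPN traffic")
        fixed.append(NO_SYSOPT)
    return findings, fixed


if __name__ == "__main__":
    problems, new_config = lint(SAMPLE_CONFIG)
    for p in problems:
        print("FINDING:", p)
    print("\n".join(new_config))
```

The `_filter` entries are copied exactly as written, so their source and destination are still oriented the way the poster wrote them (inside network first); before binding that ACL with `access-group ... in interface outside` the addresses have to be checked against the direction the ACL will be applied in, which the script deliberately does not guess.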
 
Ernie Beek (Expert) commented:
Try changing

access-list vpn_only extended permit udp 10.127.240.0 255.255.255.0 10.127.108.0 255.255.255.0
access-list vpn_only extended permit udp 10.127.240.0 255.255.255.0 10.127.107.0 255.255.255.0


to

access-list vpn_only extended permit ip 10.127.240.0 255.255.255.0 10.127.108.0 255.255.255.0
access-list vpn_only extended permit ip 10.127.240.0 255.255.255.0 10.127.107.0 255.255.255.0
 
thecookman (Author) commented:
Hi, thank you for the post.

I left some other items out just for the sake of this posting.

I do have what you suggested in the FW.

Attached are the lines I need to remove; it's everything with TCP and UDP.
Access-list.txt
 
thecookman (Author) commented:
ERROR: access-list has protocol or port
 
max_the_king commented:
Hi,
you're just trying to do what the ASA (and even the old PIX) will never allow you to do: you want to use port and protocol definitions in an access-list used to exempt NAT (e.g. nat 0).
Please read the following:

From the PIX/ASA 7.x command reference at http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1583696
******************
NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list.
*************************
In other words, NAT 0 will NEVER, in any version (either 6.x or 7.x), allow you to use ports and/or protocols in the NAT 0 ACL. Those ACLs are ignored and deleted.

hope this helps
max