Cisco ASA - Nat 0 issue.

Posted on 2012-09-10
Medium Priority
Last Modified: 2012-09-12
I have a point to point VPN between two sites that reside outside my firewall.  
Main Site: IP
Remote Site:,  
VPN is up and system works 100%.

The issue is, if I have to reboot the FW, the access list will not come up. I get an error that the access-list can't contain a port setting.
nat (inside) 0 access-list vpn_only - list will not load.
access-list vpn_only extended permit udp

access-list vpn_only extended permit udp

So whenever I need to reboot my firewall I remove the 2 access lists above, add the nat (inside) 0 access-list vpn_only, then add the access-lists back in.

Version on firewall is:
Cisco Adaptive Security Appliance Software Version 7.2(3)

Not sure how to fix.
Question by:thecookman

Expert Comment

by:Ernie Beek
ID: 38384222
Try changing

access-list vpn_only extended permit udp
access-list vpn_only extended permit udp


access-list vpn_only extended permit ip
access-list vpn_only extended permit ip

Author Comment

ID: 38384405
Hi, thank you for the post.

I left some other items out just for the sake of this posting.

I do have what you suggested in the FW.

Attached are the lines I need to remove; it's everything with TCP and UDP.

Author Comment

ID: 38384413
ERROR: access-list has protocol or port

Expert Comment

ID: 38390288
You're just trying to do what the ASA (and even the old PIX) will never allow you to: you want to use port and protocol definitions in an access-list used to exempt NAT (e.g. nat 0).
Please read the following:

From the PIX/ASA 7.x command reference at http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/mr.html#wp1583696:
NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list.
In other words, NAT 0 will NEVER, in any version (either 6.x or 7.x), allow you to use ports and/or protocols in the NAT 0 ACL. Those ACLs are ignored and deleted.

Hope this helps.

Accepted Solution

Ernie Beek earned 2000 total points
ID: 38390363
Missed a couple of messages (?)

But like I pointed out before (and like max said), you can't use ACLs with TCP or UDP in them for NAT exemption. So change all of them so they use IP (without any port definition).

If you want to filter on specific ports, you can achieve that by making sure there is no sysopt connection permit-vpn in your config. Then you can define the TCP and UDP lines in the outside ACL, hence getting the same result without reboot issues.
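As an added example (not from the thread or from Cisco), a small Python check that applies the rule quoted above to a saved config: it finds every ACL referenced by a nat (iface) 0 access-list statement, flags ACEs that carry a non-ip protocol or a port qualifier (the ones the ASA drops at boot), and rewrites them to the ip form the accepted answer recommends. The config and addresses are constructed placeholders.

```python
import re

# Constructed sample of an ASA 7.x config; addresses are placeholders, not the poster's.
SAMPLE_CONFIG = """\
access-list vpn_only extended permit udp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 5060
access-list vpn_only extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 range 5000 5010
access-list vpn_only extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_in extended permit tcp any host 10.1.1.5 eq 443
nat (inside) 0 access-list vpn_only
"""

# Port operators an ASA ACE can carry; 'range' takes two operands, the rest one.
PORT_KEYWORDS = {"eq", "neq", "gt", "lt", "range"}
ACE_RE = re.compile(r"(access-list (\S+) extended (?:permit|deny)) (\S+)(.*)")


def nat0_acl_names(config):
    """Names of ACLs bound to NAT exemption via 'nat (iface) 0 access-list NAME'."""
    return set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))


def check_nat_exemption_acls(config):
    """Return (acl_name, ace_line) for every NAT-exemption ACE the ASA would reject:
    NAT exemption ignores ports and protocols, so only plain 'ip' ACEs survive a reboot."""
    names = nat0_acl_names(config)
    bad = []
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m or m.group(2) not in names:
            continue
        proto, rest = m.group(3), m.group(4).split()
        if proto != "ip" or PORT_KEYWORDS & set(rest):
            bad.append((m.group(2), line))
    return bad


def as_ip_ace(line):
    """Rewrite an ACE as protocol ip with every port qualifier stripped (the thread's fix).
    Port filtering then belongs in the outside ACL, not in the nat 0 ACL."""
    m = ACE_RE.match(line)
    toks, kept, i = m.group(4).split(), [], 0
    while i < len(toks):
        if toks[i] in PORT_KEYWORDS:
            i += 3 if toks[i] == "range" else 2  # skip operator and its operand(s)
        else:
            kept.append(toks[i])
            i += 1
    return " ".join([m.group(1), "ip"] + kept)


if __name__ == "__main__":
    for acl, ace in check_nat_exemption_acls(SAMPLE_CONFIG):
        print(f"{acl}: rejected at boot -> {ace}\n  use instead: {as_ip_ace(ace)}")
```

The rewritten lines may collapse to duplicates (both flagged ACEs above become the same ip ACE), which is expected: one ip ACE per subnet pair is all NAT exemption needs.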
