Always Geeky

Knowledge base for various geeky topics

ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

Never specify anything other than IP (such as TCP or UDP), and never use deny, when creating an ACL on the ASA that is referenced by a NAT statement. If you do, you may get this error:

ERROR: ACE contains port, protocol, or deny. Removing NAT configuration

When that error appears, every nat statement that referenced the ACL has already been removed. Depending on your config, this can break a lot of traffic.

Here is an example:

ciscoasa/pri/act# show run nat

nat (outside) 0 access-list nat-exempt
nat (dmz) 0 access-list nat-exempt
nat (inside) 0 access-list nat-exempt

ciscoasa/pri/act#
ciscoasa/pri/act# sh run access-list nat-exempt

access-list nat-exempt extended permit ip 10.101.0.0 255.255.255.0 10.120.0.0 255.255.255.0

ciscoasa/pri/act# configure terminal
ciscoasa/pri/act(config)# access-list nat-exempt extended permit tcp 10.96.0.0 255.255.255.0 172.19.19.0 255.255.255.0 eq 80

ERROR: ACE contains port, protocol, or deny. Removing NAT configuration
nat (outside) 0 access-list nat-exempt
ERROR: ACE contains port, protocol, or deny. Removing NAT configuration
nat (dmz) 0 access-list nat-exempt
ERROR: ACE contains port, protocol, or deny. Removing NAT configuration
nat (inside) 0 access-list nat-exempt

ciscoasa/pri/act(config)# exit
ciscoasa/pri/act# 
ciscoasa/pri/act# show run nat
ciscoasa/pri/act# 

Notice that the nat statements were removed completely when the incorrect ACE was added. Remove the offending ACE, then re-add the nat statements manually:

ciscoasa/pri/act(config)# no access-list nat-exempt extended permit tcp 10.96.0.0 255.255.255.0 172.19.19.0 255.255.255.0 eq 80

ciscoasa/pri/act(config)# nat (outside) 0 access-list nat-exempt
ciscoasa/pri/act(config)# nat (dmz) 0 access-list nat-exempt
ciscoasa/pri/act(config)# nat (inside) 0 access-list nat-exempt
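Because the ASA tears down the nat statements as soon as a bad ACE lands, the cheap defence is to lint the ACL before pushing it. The script below is an added example, not part of the original post: it takes the text of `show run nat` and `show run access-list`, finds every ACL referenced by a `nat (...) 0 access-list NAME` statement, and flags any ACE in those ACLs that is not a plain `permit ip` entry (a non-IP protocol, a port qualifier, or deny). The sample output embedded in it is constructed from the addresses in the post plus an extra deny line; the function names are the example's own.

```python
"""Pre-flight lint for Cisco ASA NAT-exempt ACLs (added example, not from the post).

Given the output of 'show run nat' and 'show run access-list', report every ACE
that would trigger 'ERROR: ACE contains port, protocol, or deny' when it is
added to an ACL referenced by a 'nat (...) 0 access-list NAME' statement.
"""
import re

# 'nat (iface) 0 access-list NAME' -> captures NAME
NAT_ACL_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)", re.M)
# 'access-list NAME extended permit|deny PROTO REST' -> captures all four parts
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$", re.M)
# Port operators the ASA rejects in a NAT-referenced ACE
PORT_KEYWORDS = ("eq", "gt", "lt", "neq", "range")

# Constructed sample: the post's nat statements plus three ACEs, one of them a deny
SAMPLE_NAT = """\
nat (outside) 0 access-list nat-exempt
nat (dmz) 0 access-list nat-exempt
nat (inside) 0 access-list nat-exempt
"""
SAMPLE_ACL = """\
access-list nat-exempt extended permit ip 10.101.0.0 255.255.255.0 10.120.0.0 255.255.255.0
access-list nat-exempt extended permit tcp 10.96.0.0 255.255.255.0 172.19.19.0 255.255.255.0 eq 80
access-list nat-exempt extended deny ip 10.96.0.0 255.255.255.0 any
access-list outside_in extended permit tcp any host 10.120.0.5 eq 443
"""


def nat_exempt_acls(nat_config):
    """Names of every ACL referenced by a 'nat (...) 0 access-list' statement."""
    return set(NAT_ACL_RE.findall(nat_config))


def check_ace(action, proto, rest):
    """Reasons an ACE is unsafe for a NAT-referenced ACL (empty list means OK)."""
    problems = []
    if action != "permit":
        problems.append("deny")
    if proto.lower() != "ip":
        problems.append(f"protocol {proto}")
    tokens = rest.split()
    for kw in PORT_KEYWORDS:
        if kw in tokens:
            problems.append(f"port qualifier '{kw}'")
    return problems


def lint(nat_config, acl_config):
    """(acl_name, ace_text, problems) for each offending ACE in a NAT-referenced ACL."""
    acls = nat_exempt_acls(nat_config)
    findings = []
    for name, action, proto, rest in ACE_RE.findall(acl_config):
        if name not in acls:
            continue  # ACLs not used by nat may carry ports and denies freely
        problems = check_ace(action, proto, rest)
        if problems:
            findings.append((name, f"{action} {proto} {rest}", problems))
    return findings


def remediation(nat_config, findings):
    """Commands mirroring the post's fix: drop each bad ACE, then re-add the nat lines."""
    cmds = [f"no access-list {name} extended {ace}" for name, ace, _ in findings]
    cmds += [l.strip() for l in nat_config.splitlines() if l.strip().startswith("nat ")]
    return cmds


if __name__ == "__main__":
    found = lint(SAMPLE_NAT, SAMPLE_ACL)
    for name, ace, problems in found:
        print(f"{name}: '{ace}' -> {', '.join(problems)}")
    print("\n".join(remediation(SAMPLE_NAT, found)))
```

Run it against real `show run` output before committing the change, or wire it into whatever pushes config to the firewall; an ACE that the lint flags is one the ASA will reject, and the re-add list is what you will need afterwards if it slips through.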
