New Member

NAT 0 on 8.4.4 - error overlapping failover address

I'm setting up a new ASA that will be used for L2L VPN.  I am setting up a tunnel that will need to permit all of our internal RFC1918 addresses through with no NAT.

In pre 8.3, we used a nat 0 command with an access list.  However, that is now gone.

My object group is as follows:

object-group network Internal-Hosts




I used the new command:

nat (inside,outside) source static Internal-Hosts Internal-Hosts no-proxy-arp route-lookup

However, I get the following errors:

ERROR: overlaps with failover interface address

ERROR: NAT Policy is not downloaded

This is true, our failover interface is in that subnet.

Do I have to re-do my object group and separate the supernet to eliminate my failover subnet?  Or is there another way?



VIP Purple

Re: NAT 0 on 8.4.4 - error overlapping failover address

That should work without changing your object-groups. But your nat-exemption-command is not complete as the destination is missing. Try it that way:

nat (inside,outside) source static Internal-Hosts Internal-Hosts destination static REMOTE-NETWORKS REMOTE-NETWORKS description NAT-Excempt for VPN

New Member

Re: NAT 0 on 8.4.4 - error overlapping failover address

I still get the same error about the overlap with the failover address.

However, I found that if I remove the failover lines, add the NAT and then re-add the failover, it seems to work.

This is a pain though...

New Member

Re: NAT 0 on 8.4.4 - error overlapping failover address

I have been running into the same problem, and I finally solved it by separating the object-groups used for NAT from the ones used elsewhere.  So now I have 2 separate objects and groups:

!-- Define each network object

object network internal1-network


object network internal2-network


object network internal1-nat


object network internal2-nat


!-- Then define groups

object-group network Internal-Hosts

  network-object object internal1-network

  network-object object internal2-network

object-group network Internal-NAT

  network-object object internal1-nat

  network-object object internal2-nat

!-- Use the "NAT" group for nat commands

nat (inside,outside) source static Internal-NAT Internal-NAT no-proxy-arp route-lookup
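
The first post asks whether the supernet has to be split to leave out the failover subnet. The following is an added example, not code from any poster in this thread: it computes that split and renders the result as `network-object` lines. The addresses and the group name `Internal-Hosts-NoFO` are constructed assumptions, since the thread does not show the real ones.

```python
import ipaddress

# Constructed sample values: the thread does not show the real networks.
INTERNAL_SUPERNETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
FAILOVER_SUBNET = "10.255.255.0/30"


def carve_out(supernets, excluded):
    """Return the supernets minus `excluded` as the fewest possible CIDR blocks."""
    excluded = ipaddress.ip_network(excluded)
    result = []
    for text in supernets:
        net = ipaddress.ip_network(text)
        if not net.overlaps(excluded):
            result.append(net)          # no overlap: keep the block unchanged
        elif net.subnet_of(excluded):
            continue                    # block lies entirely inside the excluded range
        else:
            # excluded is a strict subnet of net: split around it
            result.extend(net.address_exclude(excluded))
    return sorted(result)


def as_object_group(name, networks):
    """Render the blocks as ASA object-group lines (address plus netmask form)."""
    lines = [f"object-group network {name}"]
    for n in networks:
        if n.prefixlen == n.max_prefixlen:
            lines.append(f" network-object host {n.network_address}")
        else:
            lines.append(f" network-object {n.network_address} {n.netmask}")
    return lines


def still_overlaps(networks, excluded):
    """Sanity check: True if any resulting block still touches the excluded subnet."""
    excluded = ipaddress.ip_network(excluded)
    return any(n.overlaps(excluded) for n in networks)


if __name__ == "__main__":
    blocks = carve_out(INTERNAL_SUPERNETS, FAILOVER_SUBNET)
    assert not still_overlaps(blocks, FAILOVER_SUBNET)
    # Internal-Hosts-NoFO is a hypothetical group name for this example.
    print("\n".join(as_object_group("Internal-Hosts-NoFO", blocks)))
```

With these sample values the /8 is replaced by 22 smaller blocks, which shows how much a split group grows compared with the single supernet entry.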
