Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

NAT 0 on 8.4.4 - error overlapping failover address

I'm setting up a new ASA that will be used for L2L VPN.  I am setting up a tunnel that will need to permit all of our internal RFC1918 address through with no NAT.

In pre 8.3, we used a nat 0 command with an access list.  However, that is now gone.

My object group is as follows:

object-group network Internal-Hosts

network-object 10.128.0.0 255.128.0.0

network-object 172.16.0.0 255.240.0.0

network-object 192.168.0.0 255.255.0.0

I used the new command:

nat (inside,outside) source static Internal-Hosts Internal-Hosts no-proxy-arp route-lookup

However, I get the following errors:

ERROR: 10.128.0.0-10.255.255.255 overlaps with failover interface address

ERROR: NAT Policy is not downloaded

This is true, our failover interface is in that subnet.

Do I have to re-do my object group and separate the 10.128.0.0 supernet to eliminate my failover subnet?  Or is there another way?

Thanks.

Jason

Everyone's tags (6)
3 REPLIES
VIP Purple

Re: NAT 0 on 8.4.4 - error overlapping failover address

That should work without changing your object-groups. But your nat-exemption-command is not complete as the destination is missing. Try it that way:

nat (inside,outside) source static Internal-Hosts Internal-Hosts destination static REMOTE-NETWORKS REMOTE-NETWORKS description NAT-Excempt for VPN

New Member

Re: NAT 0 on 8.4.4 - error overlapping failover address

I still get the same error about the overlap with the failover address.

However, I found that if I remove the failover lines, add the NAT and then re-add the failover, it seems to work.

This is a pain though...

New Member

Re: NAT 0 on 8.4.4 - error overlapping failover address

I have been running into the same problem, and I finally solved it by separating the object-groups used for NAT from the ones used elsewhere.  So now I have 2 separate objects and groups:

!-- Define each network object

object network internal1-network

  subnet 192.168.1.0 255.255.255.0

object network internal2-network

  subnet 192.168.2.0 255.255.255.0

object network internal1-nat

  range 192.168.1.3 192.168.1.254

object network internal2-nat

  range 192.168.2.3 192.168.2.254

!-- Then define groups

object-group network Internal-Hosts

  network-object object internal1-network

  network-object object internal2-network

object-group network Internal-NAT

  network-object object internal1-nat

  network-object object internal2-nat

!-- Use the "NAT" group for nat commands

nat (inside,outside) source static Internal-NAT Internal-NAT no-proxy-arp route-lookup

1221
Views
0
Helpful
3
Replies
CreatePlease to create content