https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457756#M1083240 <P>First VPN config. Missing something simple.&nbsp;</P><P>ERROR: Address X.X.X.X overlaps with outside interface address.</P><P>ERROR: NAT Policy is not downloaded.</P><P>Firepower 2100 series using FDM for configuration. I have configured the VPN for inside network object X.X.X.0/24 &gt; Dynamic PAT &gt; Outside facing public IP address (configured as HOST object)</P><P>From the config error called out in the failed deployment log, I know that I have messed up NAT policy somehow, but can't figure out how. Any help would be greatly appreciated.</P> Tue, 31 Aug 2021 19:43:10 GMT jreynolds4 2021-08-31T19:43:10Z https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457756#M1083240 <P>First VPN config. Missing something simple.&nbsp;</P><P>ERROR: Address X.X.X.X overlaps with outside interface address.</P><P>ERROR: NAT Policy is not downloaded.</P><P>Firepower 2100 series using FDM for configuration. I have configured the VPN for inside network object X.X.X.0/24 &gt; Dynamic PAT &gt; Outside facing public IP address (configured as HOST object)</P><P>From the config error called out in the failed deployment log, I know that I have messed up NAT policy somehow, but can't figure out how. Any help would be greatly appreciated.</P> Tue, 31 Aug 2021 19:43:10 GMT https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457756#M1083240 jreynolds4 2021-08-31T19:43:10Z https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457803#M1083241 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1241039">@jreynolds4</a>&nbsp;,</P><P>&nbsp;</P><P>If you want to configure Dynamic PAT, use the Option&nbsp;<STRONG>Interface</STRONG> Instead of specifying an object contains outside interface IP.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Acc disable policy.JPG" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/129314i9F196E23BE2B119D/image-size/large?v=v2&amp;px=999" role="button" title="Acc disable policy.JPG" alt="Acc disable policy.JPG" /></span></P><P> </P><P> </P><P>Hope that helps!</P> Tue, 31 Aug 2021 21:37:00 GMT https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457803#M1083241 Amine ZAKARIA 2021-08-31T21:37:00Z https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457816#M1083242 <P>i will try outside interface (instead of any)</P> <P>&nbsp;</P> Tue, 31 Aug 2021 21:29:03 GMT https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457816#M1083242 balaji.bandi 2021-08-31T21:29:03Z https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457898#M1083243 <P>Thank you so much for the response. My post was incorrect. Although the deploy error lead me to thinking there is an error in "NAT" rules that is incorrect. I have exempted this site to site VPN from NAT. With this in mind I am even more confused as to the config error.</P><P>&nbsp;</P><P><SPAN>ERROR: Address X.X.X.X overlaps with outside interface address.</SPAN><BR /><SPAN>ERROR: NAT Policy is not downloaded</SPAN></P><P><SPAN>Config Error -- nat (inside,any) dynamic OutsidePublicIP</SPAN></P> Wed, 01 Sep 2021 00:26:53 GMT https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457898#M1083243 jreynolds4 2021-09-01T00:26:53Z https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457900#M1083244 <P>Hello&nbsp;&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1241039">@jreynolds4</a>&nbsp;,</P><P>&nbsp;</P><P>The PAT you should specifiy the outside to nat with, like this :</P><P><SPAN>nat (inside,<STRONG>outside</STRONG>) dynamic OutsidePublicIP or&nbsp;nat (inside,<STRONG>outside</STRONG>) dynamic interface (Check the capture i have shared above for the example)</SPAN></P><P>&nbsp;</P><P><SPAN>I'm assuming you want to "<STRONG>Any</STRONG> traffic from the inside zone going outside to be PAT", with the NAT Exempt checkbox enabled the local networks and remote networks configured under S2S VPN are going to be exempt from the PAT Policy.</SPAN></P> Wed, 01 Sep 2021 00:43:30 GMT https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457900#M1083244 Amine ZAKARIA 2021-09-01T00:43:30Z https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457908#M1083245 Zakaria,<BR />Because I am so new to this I think it best to describe the purpose of the site to site VPN. This is to accommodate connections from individual workstations to our Electronic Health Records vendor. The connections are interactive and bi-directional. For this reason the individual IP addresses from the inside network object need to be visible to the vendor and, therefore, need to be exempt from NAT rules.<BR />I hope this explanation makes sense. I am losing my mind a bit on this. I have opened a ticket with Cisco support. Hopefully they can walk me through. Fast learner, but starting at 0 here.<BR /> Wed, 01 Sep 2021 01:17:37 GMT https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4457908#M1083245 jreynolds4 2021-09-01T01:17:37Z https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4458023#M1083246 <P>The FDM should take care of exempting the VPN traffic without you to have to create any manual rules. However, if you still need to create a NAT exemption rule for the VPN traffic then that should be a manual static NAT rule where you specify the source in both the original packet and translated packet section as the endpoint source or the whole subnet where those endpoints are located. The same will be for the destination IP/subnet, you will set the same destination address in both the original packet and the translated packet.</P><P>Regarding the error you are seeing when you tried to apply the dynamic rule, I think it is simply because you can't use the same IP assigned to an interface in a NAT rule with a custom object. In your case it seems that the public IP&nbsp;65.140.69.98 is assigned already to the outside interface. It would be enough to use a different public IP address associated to the object OutsidePublicIP and specify the destination interface as outside. That NAT rule will translate the traffic sourcing from the&nbsp;WHH-PACS-Network to the public IP 65.140.69.89.</P> Wed, 01 Sep 2021 07:02:18 GMT https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4458023#M1083246 Aref_Alsouqi 2021-09-01T07:02:18Z https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4458028#M1083247 <DIV id="bodyDisplay_5" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P>The FDM should take care of exempting the VPN traffic without you to have to create any manual rules. However, if you still need to create a NAT exemption rule for the VPN traffic then that should be a manual static NAT rule where you specify the source in both the original packet and translated packet section as the endpoint source or the whole subnet where those endpoints are located. The same will be for the destination IP/subnet, you will set the same destination address in both the original packet and the translated packet.</P> <P>Regarding the error you are seeing when you tried to apply the dynamic rule, I think it is simply because you can't use the same IP assigned to an interface in a NAT rule with a custom object. In your case it seems that the public IP&nbsp;65.140.69.98 is assigned already to the outside interface. It would be enough to use a different public IP address associated to the object OutsidePublicIP and specify the destination interface as outside. That NAT rule will translate the traffic sourcing from the&nbsp;WHH-PACS-Network to the public IP 65.140.69.89.</P> </DIV> </DIV> Wed, 01 Sep 2021 07:08:40 GMT https://community.cisco.com/t5/network-security/vpn-deployment-failed-config-error-nat-inside-any-dynamic/m-p/4458028#M1083247 Aref Alsouqi 2021-09-01T07:08:40Z