topic Re: Getting error after removing object from object-group in Network Security

Getting error after removing object from object-group

Fartingdragon — Wed, 26 Apr 2023 12:50:53 GMT

Getting the following error after I removed an unused network object from an object group on my ASA. Why am I getting this error? But I have no idea how they can be related? Yes, I understand they overlap, but it never was an issue before? Should I be concerned? Everything seems to be working, there's a bunch of NAT Rules which the object-group IntDataSeg is used in. But so far I don't see anything being an issue.

name 50.50.50.50 fw_1_ext
!
interface GigabitEthernet0/1
nameif ISP_2
security-level 0
ip address fw_1_ext 255.255.255.240
!
object network fw_1_ext
host 50.50.50.50

nat (inside,outside) source dynamic IntAllSeg interface
nat (inside,ISP_2) source dynamic IntAllSeg interface

ASA-1/act# config t
ASA-1//act(config)# object-group network IntDataSeg
ASA-1/act(config-network-object-group)# no network-object DataSeg21 255.255.0.0
ERROR: Address fw_1_ext overlaps with ISP_2 interface address.
ERROR: NAT Policy is not downloaded
ASA-1/act(config-network-object-group)#network-object DataSeg21 255.255.0.0
ERROR: Address fw_1_ext overlaps with ISP_2 interface address.
ERROR: NAT Policy is not downloaded
ERROR: object-group (IntDataSeg) updation failed due to internal error
ASA-1/act(config-network-object-group)# exit

Re: Getting error after removing object from object-group

Marius Gunnerud — Wed, 26 Apr 2023 13:15:28 GMT

By the looks of it you have two NAT statements referencing the same IP (ISP_2 interface IP). This has most likely been this way for a while so I do not believe it will affect you in any way, but you might want to look into it and clean it up as this can affect future NAT configurations and/or cause problems in the future.

show xlate local 50.50.50.50

show nat 50.50.50.50

Re: Getting error after removing object from object-group

Fartingdragon — Wed, 26 Apr 2023 13:35:36 GMT

The two NAT one is for the primary isp (outside) and the secondary is (ISP_2) those statements, that isn't a problem is it?

Re: Getting error after removing object from object-group

MHM Cisco World — Wed, 26 Apr 2023 13:42:58 GMT

IntAllSeg this object group for nat

IntDataSeg you delete other object group or I am wrong?

Re: Getting error after removing object from object-group

Fartingdragon — Wed, 26 Apr 2023 15:31:53 GMT

I didn't delete an object group, only an object within the IntDataSeg which had the 10.221.0.0 /16 network it had different objects of the different networks like 10.221.0.0 would be called DataSeg221 10.222.0.0 would be called DataSeg222. The IntAllSeg has additional objects in it, but that one is untouched.