NAT 0 on 8.4.4 - error overlapping failover address

jason.williams
Level 1

I'm setting up a new ASA that will be used for L2L VPN.  I am setting up a tunnel that will need to permit all of our internal RFC1918 address through with no NAT.

In pre 8.3, we used a nat 0 command with an access list.  However, that is now gone.

My object group is as follows:

object-group network Internal-Hosts
 network-object 10.128.0.0 255.128.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0

I used the new command:

nat (inside,outside) source static Internal-Hosts Internal-Hosts no-proxy-arp route-lookup

However, I get the following errors:

ERROR: 10.128.0.0-10.255.255.255 overlaps with failover interface address
ERROR: NAT Policy is not downloaded

This is true, our failover interface is in that subnet.

Do I have to re-do my object group and separate the 10.128.0.0 supernet to eliminate my failover subnet?  Or is there another way?

Thanks.

Jason

3 Replies

That should work without changing your object-groups. But your NAT exemption command is not complete, as the destination is missing. Try it this way:

nat (inside,outside) source static Internal-Hosts Internal-Hosts destination static REMOTE-NETWORKS REMOTE-NETWORKS description NAT-Excempt for VPN

I still get the same error about the overlap with the failover address.

However, I found that if I remove the failover lines, add the NAT and then re-add the failover, it seems to work.

This is a pain though...

I have been running into the same problem, and I finally solved it by separating the object-groups used for NAT from the ones used elsewhere.  So now I have 2 separate objects and groups:

!-- Define each network object
object network internal1-network
  subnet 192.168.1.0 255.255.255.0
object network internal2-network
  subnet 192.168.2.0 255.255.255.0
object network internal1-nat
  range 192.168.1.3 192.168.1.254
object network internal2-nat
  range 192.168.2.3 192.168.2.254

!-- Then define groups
object-group network Internal-Hosts
  network-object object internal1-network
  network-object object internal2-network
object-group network Internal-NAT
  network-object object internal1-nat
  network-object object internal2-nat

!-- Use the "NAT" group for nat commands
nat (inside,outside) source static Internal-NAT Internal-NAT no-proxy-arp route-lookup
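The original question asks whether the 10.128.0.0/9 supernet has to be split by hand to keep the failover subnet out of the NAT object, and the last reply shows the shape of the resulting config (separate NAT-only objects). The script below is an added example, not code from anyone in this thread: it checks which object-group members would trip the ASA's "overlaps with failover interface address" error, carves the failover subnet out of them with the standard library's ipaddress module, and prints ASA 8.4-style object/object-group/nat lines for the pieces that remain. The three supernets are the ones from the question; the failover subnet 10.200.0.0/24 is an assumed placeholder, since the poster never said which subnet the failover link uses, and the object names nat-net-N and group name Internal-NAT are invented for the example.

```python
import ipaddress

# Constructed values, not from the thread: the supernets are the question's,
# the failover subnet is an assumption (the poster never gave it).
INTERNAL_SUPERNETS = ["10.128.0.0/9", "172.16.0.0/12", "192.168.0.0/16"]
FAILOVER_SUBNET = "10.200.0.0/24"  # placeholder for the real failover LAN


def _as_networks(networks):
    """Accept strings or ip_network objects and return ip_network objects."""
    return [ipaddress.ip_network(str(n)) for n in networks]


def check_overlaps(networks, failover):
    """Return the members (as strings) that contain or intersect the failover
    subnet. This is the same condition the ASA rejects with
    'overlaps with failover interface address', so run it before pushing
    a 'nat ... source static' line that references the group."""
    fo = ipaddress.ip_network(failover)
    return [str(n) for n in _as_networks(networks) if n.overlaps(fo)]


def carve_out(networks, failover):
    """Split each member that contains the failover subnet into the largest
    CIDR blocks that cover everything except that subnet.

    CIDR blocks either nest or are disjoint, so three cases suffice:
    the failover subnet sits inside the member (split it), the member sits
    inside the failover subnet (drop it), or they are disjoint (keep it)."""
    fo = ipaddress.ip_network(failover)
    kept = []
    for n in _as_networks(networks):
        if fo.subnet_of(n):
            kept.extend(sorted(n.address_exclude(fo)))  # minimal covering blocks
        elif n.subnet_of(fo):
            continue
        else:
            kept.append(n)
    return kept


def contains_host(networks, host):
    """True if any member covers the given host address."""
    addr = ipaddress.ip_address(host)
    return any(addr in n for n in _as_networks(networks))


def render_asa_objects(networks, group="Internal-NAT", prefix="nat-net"):
    """Emit ASA 8.4-style config for the carved members, in the same shape
    as the NAT-only objects shown in the last reply. Names are examples."""
    nets = _as_networks(networks)
    lines = []
    for i, n in enumerate(nets, 1):
        lines.append(f"object network {prefix}-{i}")
        lines.append(f" subnet {n.network_address} {n.netmask}")
    lines.append(f"object-group network {group}")
    lines.extend(f" network-object object {prefix}-{i}" for i in range(1, len(nets) + 1))
    lines.append(f"nat (inside,outside) source static {group} {group} no-proxy-arp route-lookup")
    return "\n".join(lines)


if __name__ == "__main__":
    print("overlapping before carve:", check_overlaps(INTERNAL_SUPERNETS, FAILOVER_SUBNET))
    carved = carve_out(INTERNAL_SUPERNETS, FAILOVER_SUBNET)
    print("overlapping after carve:", check_overlaps(carved, FAILOVER_SUBNET))
    print(render_asa_objects(carved))
```

Carving a /24 out of a /9 yields 15 blocks, so the 10.x part of the group grows from one line to fifteen; that is the price of keeping the supernet in one NAT rule, and it is why the last reply's approach of NAT-only objects that never included the failover range in the first place is easier to maintain. The check function is the useful part operationally: run it against the members of any group you intend to reference in a `nat` statement before the change window, rather than discovering the overlap from the ASA's error.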
