Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
567
Views
0
Helpful
4
Replies

Getting error after removing object from object-group

Fartingdragon
Level 1
Level 1

‎04-26-2023 05:48 AM - edited ‎04-26-2023 05:50 AM

Getting the following error after I removed an unused network object from an object group on my ASA. Why am I getting this error? But I have no idea how they can be related? Yes, I understand they overlap, but it never was an issue before? Should I be concerned? Everything seems to be working, there's a bunch of NAT Rules which the object-group IntDataSeg is used in. But so far I don't see anything being an issue.

name 50.50.50.50 fw_1_ext
!
interface GigabitEthernet0/1
nameif ISP_2
security-level 0
ip address fw_1_ext 255.255.255.240
!
object network fw_1_ext
host 50.50.50.50

nat (inside,outside) source dynamic IntAllSeg interface
nat (inside,ISP_2) source dynamic IntAllSeg interface

ASA-1/act# config t
ASA-1//act(config)# object-group network IntDataSeg
ASA-1/act(config-network-object-group)# no network-object DataSeg21 255.255.0.0
ERROR: Address fw_1_ext overlaps with ISP_2 interface address.
ERROR: NAT Policy is not downloaded
ASA-1/act(config-network-object-group)#network-object DataSeg21 255.255.0.0
ERROR: Address fw_1_ext overlaps with ISP_2 interface address.
ERROR: NAT Policy is not downloaded
ERROR: object-group (IntDataSeg) updation failed due to internal error
ASA-1/act(config-network-object-group)# exit

0 Helpful
4 Replies 4

Marius Gunnerud
VIP
VIP

‎04-26-2023 06:15 AM

By the looks of it you have two NAT statements referencing the same IP (ISP_2 interface IP).  This has most likely been this way for a while so I do not believe it will affect you in any way, but you might want to look into it and clean it up as this can affect future NAT configurations and/or cause problems in the future.

show xlate local 50.50.50.50

show nat 50.50.50.50

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Fartingdragon
Level 1
Level 1
In response to Marius Gunnerud

‎04-26-2023 06:35 AM

The two NAT one is for the primary isp (outside) and the secondary is (ISP_2) those statements, that isn't a problem is it? 

0 Helpful

MHM Cisco World
VIP
VIP
In response to Fartingdragon

‎04-26-2023 06:42 AM

IntAllSeg this object group for nat 

IntDataSeg you delete other object group or I am wrong?

0 Helpful

Fartingdragon
Level 1
Level 1
In response to MHM Cisco World

‎04-26-2023 08:31 AM

I didn't delete an object group, only an object within the IntDataSeg which had the 10.221.0.0 /16 network it had different objects of the different networks like 10.221.0.0 would be called DataSeg221 10.222.0.0 would be called DataSeg222. The IntAllSeg has additional objects in it, but that one is untouched. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card