04-26-2023 05:48 AM - edited 04-26-2023 05:50 AM
Getting the following error after I removed an unused network object from an object group on my ASA. Why am I getting this error? I have no idea how they can be related. Yes, I understand they overlap, but it never was an issue before. Should I be concerned? Everything seems to be working; there are a bunch of NAT rules in which the object-group IntDataSeg is used, but so far I don't see anything being an issue.
name 50.50.50.50 fw_1_ext
!
interface GigabitEthernet0/1
nameif ISP_2
security-level 0
ip address fw_1_ext 255.255.255.240
!
object network fw_1_ext
host 50.50.50.50
nat (inside,outside) source dynamic IntAllSeg interface
nat (inside,ISP_2) source dynamic IntAllSeg interface
ASA-1/act# config t
ASA-1//act(config)# object-group network IntDataSeg
ASA-1/act(config-network-object-group)# no network-object DataSeg21 255.255.0.0
ERROR: Address fw_1_ext overlaps with ISP_2 interface address.
ERROR: NAT Policy is not downloaded
ASA-1/act(config-network-object-group)#network-object DataSeg21 255.255.0.0
ERROR: Address fw_1_ext overlaps with ISP_2 interface address.
ERROR: NAT Policy is not downloaded
ERROR: object-group (IntDataSeg) updation failed due to internal error
ASA-1/act(config-network-object-group)# exit
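As an added check (not from the thread or from Cisco), the script below parses the kind of config fragment quoted above and reports any network object whose address falls on an interface IP, which is the overlap the error refers to; the sample config is constructed in the style of the post and is not the poster's full config.

```python
import ipaddress

# Constructed sample in the style of the config fragment in the post (not the poster's full config).
SAMPLE_CONFIG = """
name 50.50.50.50 fw_1_ext
interface GigabitEthernet0/1
 nameif ISP_2
 ip address fw_1_ext 255.255.255.240
object network fw_1_ext
 host 50.50.50.50
object network DataSeg21
 subnet 10.221.0.0 255.255.0.0
"""

def parse_asa(config):
    """Collect 'name' aliases, interface addresses and network objects from ASA config text."""
    names, interfaces, objects = {}, {}, {}
    ctx = None  # current block: ("if", physical name) or ("obj", object name)
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) >= 3:          # name <ip> <alias>
            names[parts[2]] = parts[1]
        elif parts[0] == "interface":
            ctx = ("if", parts[1])
            interfaces[parts[1]] = {}
        elif parts[:2] == ["object", "network"]:
            ctx = ("obj", parts[2])
        elif ctx and ctx[0] == "if":
            if parts[0] == "nameif":
                interfaces[ctx[1]]["nameif"] = parts[1]
            elif parts[:2] == ["ip", "address"]:
                # the address may be a 'name' alias, as fw_1_ext is in the post
                interfaces[ctx[1]]["ip"] = ipaddress.ip_address(names.get(parts[2], parts[2]))
        elif ctx and ctx[0] == "obj":
            if parts[0] == "host":
                objects[ctx[1]] = ipaddress.ip_network(names.get(parts[1], parts[1]))
            elif parts[0] == "subnet":
                objects[ctx[1]] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
    return names, interfaces, objects

def find_interface_overlaps(config):
    """Return (object, nameif, ip) for each network object that contains an interface address."""
    _, interfaces, objects = parse_asa(config)
    hits = []
    for obj_name, net in objects.items():
        for intf in interfaces.values():
            if "ip" in intf and intf["ip"] in net:
                hits.append((obj_name, intf.get("nameif"), str(intf["ip"])))
    return hits
```

Run it over a `show running-config` export to list every object the ASA will complain about before touching NAT-related object groups.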
04-26-2023 06:15 AM
By the looks of it, you have two NAT statements referencing the same IP (the ISP_2 interface IP). This has most likely been this way for a while, so I do not believe it will affect you in any way, but you might want to look into it and clean it up, as this can affect future NAT configurations and/or cause problems in the future.
show xlate local 50.50.50.50
show nat 50.50.50.50
04-26-2023 06:35 AM
Of the two NAT statements, one is for the primary ISP (outside) and the second is for ISP_2. Those statements aren't a problem, are they?
04-26-2023 06:42 AM
IntAllSeg is the object group used for NAT.
IntDataSeg, the one you deleted from, is a different object group, or am I wrong?
04-26-2023 08:31 AM
I didn't delete an object group, only an object within IntDataSeg, which had the 10.221.0.0/16 network. It had different objects for the different networks: 10.221.0.0 would be called DataSeg221, 10.222.0.0 would be called DataSeg222. IntAllSeg has additional objects in it, but that one is untouched.