Unable to delete network-object from object-group

KR769 · ‎02-13-2023

Hi All,

I'm doing some cleanup on an ASA5516-X and wondering if there is a way to delete a network-object from an object-group while that object group is configured in a NAT rule.

Other posts on the same topic advise to delete the NAT rule then remove the network-object. The problem is that the all of our L2L VPN tunnels use that NAT rule and I'd take down the network by deleting it.

Here's a partial sample config to help visualize:


object-group network LOCAL_NETS
network-object 10.1.1.0 255.255.255.0
network-object 10.2.2.0 255.255.255.0

object-group network ALL_REMOTE_SITE_NETS 
network-object 10.5.5.0 255.255.255.0
network-object 10.6.6.0 255.255.255.0
network-object 10.7.7.0 255.255.255.0
network-object 10.8.8.0 255.255.255.0
network-object 10.9.9.0 255.255.255.0 <<< This site has closed and I want to remove the network-object without affecting connectivity to the other sites.
network-object 10.10.10.0 255.255.255.0

nat (inside,any) source static LOCAL_NETS LOCAL_NETS destination static ALL_REMOTE_SITE_NETS ALL_REMOTE_SITE_NETS no-proxy-arp route-lookup
nat (inside,any) source static ALL_REMOTE_SITE_NETS ALL_REMOTE_SITE_NETS destination static LOCAL_NETS LOCAL_NETS no-proxy-arp route-lookup

Any advice is greatly appreciated.

MHM Cisco World · ‎02-13-2023

you can try lab this before apply it
config new object-group (without network you want to delete)
config new NAT with new object-group <<- here you must make it line number1 to make it above old NAT.
then after you sure that your traffic is not drop then you can remove old NAT and old object-group