Solved: NAT rule error and not saving after migration from ASA to FTD

NetworkMonkey101 · ‎01-23-2025

Here is the original ASA rule - interfaces have been renamed

nat (IG_PCH_INT_INSIDE_CHESS,IG_PCH_INT_OUTSIDE_CHESS) source dynamic ObjectGroup1 pat-pool obj-group-pat-pool flat include-reserve round-robin destination static EXTNHSMAIL EXTNHSMAIL

Here is the configuration in FMC

Here is the error..

How do I resolve this?

Rob Ingram · ‎01-23-2025

@NetworkMonkey101 yes, create new objects using a range instead.

View solution in original post

Rob Ingram · ‎01-23-2025

@NetworkMonkey101 you've used a subnet in the object use for the PAT pool?

"PAT pool—Create a network object that includes a range, or create a network object group that contains hosts, ranges, or both. You cannot include subnets." https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/interfaces-settings-nat.html#ID-2090-0000044f

NetworkMonkey101 · ‎01-23-2025

Yep two subnets in the NAT pool. So recreate and use a range instead of the subnet..

Rob Ingram · ‎01-23-2025

@NetworkMonkey101 yes, create new objects using a range instead.