Loading ...I was working on an ASA config and ran into an interesting error. I needed to not perform NAT on the traffic from the inside LAN to the DMZ. I configured an access-list:
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.48.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0
And then specified to not perform NAT:
nat (inside) 0 access-list InsideNoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 1 0.0.0.0 0.0.0.0
I then needed to add another line to the InsideNoNAT_ACL, and that is where I received the error.
(config)#access-list InsideNoNAT_ACL permit 10.0.0.0 255.0.0.0 172.31.3.0 255.255.255.0
Unable to download NAT policy for ACE
Unable to download NAT policy for ACE
All this error message is saying is that the new line in the access-list was not added to the active NAT table, but was added to the access-list. Upon doing some searching, I read in several places that a reboot fixed the problem. While this is true, it is not necessary. All that needs to be done is to remove and reapply the nat statement.
(config)#no nat (inside) 0 access-list InsideNoNAT_ACL
(config)#nat (inside) 0 access-list InsideNoNAT_ACL
(config)#nat (inside) 0 access-list InsideNoNAT_ACL
This rebuilds the NAT rules and applies all rules in the ACL. Much better than a reload!
Thanks that helped me
Thanx!
I’ve been looking for the error, made by me in the config for hours, not finding anything because there was no error!! Only an very undocumented need to rebuild the NAT rules.
This saved my day!
Great tip! This was driving me nuts. Same identical rules in my nat0 acl for two different networks, yet one network could talk and the other could not.
I would have never found your fix if I hadn’t in desperation deleted the troublesome rule and readded it, at which time I saw the “Unable to download NAT policy for ACE” error message.
1
Took me ages to stop ignoring the error and Google it.
Apparently it’s fixed in 8.0.3(6).