Unable to download NAT policy for ACE

I was working on an ASA config and ran into an interesting error. I needed traffic from the inside LAN to the DMZ to pass without NAT (a NAT exemption, nat 0 in the pre-8.3 syntax), so I configured an access-list that matches that traffic:

access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.48.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0

I then referenced it in a nat 0 statement so that matching traffic is exempted from NAT, while all other inside traffic falls through to the nat 1 rule:

nat (inside) 0 access-list InsideNoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0

I then needed to add another line to InsideNoNAT_ACL, and that is where I received the error:

(config)#access-list InsideNoNAT_ACL extended permit ip 10.0.0.0 255.0.0.0 172.31.3.0 255.255.255.0
Unable to download NAT policy for ACE

All this message means is that the new ACE was added to the access-list in the running configuration but was not compiled into the active NAT policy, so the device keeps translating traffic that the config says is exempt. Several sources I found say a reboot fixes the problem. That is true, but it is not necessary: removing and re-applying the nat statement is enough.

(config)#no nat (inside) 0 access-list InsideNoNAT_ACL
(config)#nat (inside) 0 access-list InsideNoNAT_ACL

This rebuilds the NAT policy from the ACL and loads every ACE in it, which is much better than a reload. Two things to check afterwards: show nat lists the policies the ASA is actually applying, so the new line should now appear there, and translations that were built before the change are not touched by it, so if connections that should be exempt were already established, clear xlate is needed to drop them (it drops every other translation on the box too, so do it in a maintenance window).
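As an added example (not code from the original post), the script below does two things a practitioner would want before and after touching a nat 0 ACL: it parses the post's ACL in the pre-8.3 "permit ip" syntax (plus the host and any address forms) and reports ACE pairs whose source and destination ranges both overlap, and it emits the remove/reapply command pair for every nat 0 statement it finds. Run against the post's own lines it flags that the ACE which produced the error, 10.0.0.0/8 to 172.31.3.0/24, fully covers the existing 10.10.10.0/24 to 172.31.3.0/24 line. The post does not say the overlap is what triggered the message; a nat 0 ACL in which one line swallows another is simply worth a second look before it is pushed. The sample configuration is constructed from the post, deny lines and non-ip protocols are ignored, and the function and regex names are my own.

```python
"""Pre-flight check for an ASA NAT exemption (nat 0) ACL, pre-8.3 syntax.

Added example, not from the original post: finds overlapping ACEs in the ACL
referenced by a nat 0 statement and emits the no/reapply pair that rebuilds
the NAT policy without a reload.
"""
import ipaddress
import re

# Constructed sample: the post's ACL and nat statements plus the ACE that
# produced "Unable to download NAT policy for ACE", written in full syntax.
SAMPLE_CONFIG = """
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.48.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.0.0.0 255.0.0.0 172.31.3.0 255.255.255.0
nat (inside) 0 access-list InsideNoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Only "permit ip" ACEs matter for a nat 0 ACL; the extended keyword is optional.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+(.+)$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)$")


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    # dotted-decimal address followed by dotted-decimal mask; strict=False
    # tolerates host bits set in the address part
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_aces(config):
    """Return {acl_name: [(src_net, dst_net), ...]} in configuration order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        src, rest = _take_addr(rest)
        dst, _ = _take_addr(rest)
        acls.setdefault(name, []).append((src, dst))
    return acls


def find_overlaps(aces):
    """Return (i, j, relation) for ACE pairs whose source AND destination
    ranges overlap. relation is 'contains' when ACE i fully covers ACE j,
    'contained' when ACE j fully covers ACE i, and 'partial' otherwise."""
    hits = []
    for i in range(len(aces)):
        for j in range(i + 1, len(aces)):
            (si, di), (sj, dj) = aces[i], aces[j]
            if not (si.overlaps(sj) and di.overlaps(dj)):
                continue
            if sj.subnet_of(si) and dj.subnet_of(di):
                rel = "contains"
            elif si.subnet_of(sj) and di.subnet_of(dj):
                rel = "contained"
            else:
                rel = "partial"
            hits.append((i, j, rel))
    return hits


def rebuild_commands(config):
    """Emit the no/reapply pair for every 'nat (iface) 0 access-list NAME'
    line; re-adding the statement recompiles the NAT policy from the ACL."""
    cmds = []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m:
            iface, acl = m.groups()
            cmds.append(f"no nat ({iface}) 0 access-list {acl}")
            cmds.append(f"nat ({iface}) 0 access-list {acl}")
    return cmds


if __name__ == "__main__":
    for name, aces in parse_aces(SAMPLE_CONFIG).items():
        for i, j, rel in find_overlaps(aces):
            print(f"{name}: ACE {i + 1} {rel} ACE {j + 1}: "
                  f"{aces[i][0]} -> {aces[i][1]} vs {aces[j][0]} -> {aces[j][1]}")
    print("\n".join(rebuild_commands(SAMPLE_CONFIG)))
```

On the sample it prints that ACE 3 is contained by ACE 5 and then the two commands from the post. Feed it the output of show running-config access-list and show running-config nat from a real box to check a whole configuration the same way.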


11 Responses to “Unable to download NAT policy for ACE”


  1. Rob Chee Apr 28th, 2008 at 1:46 pm

    Thanks that helped me

  2. Kjell May 9th, 2008 at 7:23 am

    Thanx!

    I’ve been looking for the error made by me in the config for hours, not finding anything because there was no error!! Only a very undocumented need to rebuild the NAT rules.

    This saved my day!

  3. Jor-el Jun 17th, 2008 at 7:14 pm

    Great tip! This was driving me nuts. Same identical rules in my nat0 acl for two different networks, yet one network could talk and the other could not.

    I would have never found your fix if I hadn’t in desperation deleted the troublesome rule and readded it, at which time I saw the “Unable to download NAT policy for ACE” error message.

  4. Joel Jul 14th, 2008 at 8:58 am

    Took me ages to stop ignoring the error and Google it.

    Apparently it’s fixed in 8.0.3(6).

  5. DialerString Apr 3rd, 2009 at 3:56 pm

    Thanks for that tip and it helped!

  6. Garry Nov 3rd, 2009 at 5:26 am

    > Apparently it’s fixed in 8.0.3(6).

    Nope, still happens in 8.2(1) …

  7. DC Feb 5th, 2010 at 3:06 pm

    Confirmed, happens to me on 8.2(1) as well.

    Thanks for this great tip, really saves a lot of trouble (and some downtime) by not having to do a reload.

  8. David Apr 29th, 2010 at 6:15 am

    Thanks for the tip.
    Fixed my NAT issue on 8.2(1) - wish I had seen this post yesterday

  9. g Oct 12th, 2010 at 8:36 am

    Removing the nat statement and putting it back in worked, version 6.0(3)

  10. cisco 888 Nov 15th, 2011 at 11:26 pm

    Why has somebody not seen this situation before? Real nice and newsy.

  1. ASA: NAT-Probleme - MCSEboard.de MCSE Forum Pingback on Sep 16th, 2008 at 2:33 am
