I was working on an ASA config and ran into an interesting error. I needed to exempt traffic from the inside LAN to the DMZ from NAT. I started with an access-list that matches that traffic:
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0
And then the NAT statements. On pre-8.3 ASA code (the "nat (interface) id" syntax used here) a numbered rule is dynamic NAT, so this line, paired with a global statement, is the rule that inside traffic is normally translated under:
nat (inside) 1 0.0.0.0 0.0.0.0
The exemption itself is the nat 0 form bound to the access-list; traffic matching an ACE in InsideNoNAT_ACL is left untranslated:
nat (inside) 0 access-list InsideNoNAT_ACL
I then needed to add another line to InsideNoNAT_ACL, and that is where I received the error:
Unable to download NAT policy for ACE
The message means exactly what it says: the new ACE was added to the access-list, but the ASA failed to build the matching entry in the active NAT policy. The access-list and the NAT table no longer agree, so traffic matching the new ACE is not exempted as intended and behaves as if the ACE were absent. The only indication is this one console message at the moment the ACE is entered; the running configuration afterwards looks correct, which is why the problem is easy to miss. Several sources say a reboot fixes it. That is true, but it is not necessary: removing the nat 0 statement (with its "no" form) and reapplying it is enough.
(config)#nat (inside) 0 access-list InsideNoNAT_ACL
This rebuilds the NAT policy for every ACE in the ACL. Much better than a reload! Because the running config alone will not show the gap, check the NAT table after the rebuild rather than trusting the access-list.
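As an added worked example (not from the original post), here is the whole sequence on pre-8.3 ASA code: the exemption setup, a later ACE that triggers the error, the rebuild without a reload, and the checks a practitioner should run afterwards. The interface names inside/DMZ, the extra 172.31.5.0/24 subnet and the assumption of 8.2-or-earlier "nat (interface) id" syntax are mine, not the post's.

```cisco
! Added example, not the original post's configuration.
! Assumed: interfaces named inside and DMZ, ASA 8.2-or-earlier NAT syntax,
! and the networks from the post plus one assumed new DMZ subnet (172.31.5.0/24).

! 1. Exemption ACL and the nat 0 binding (traffic matching the ACL is not translated).
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 10.10.49.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.3.0 255.255.255.0
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.4.0 255.255.255.0
nat (inside) 0 access-list InsideNoNAT_ACL

! 2. Adding a further ACE later can trigger the error. The ACE is stored in the
!    access-list, but no NAT policy is built for it, so the new subnet is not exempt.
access-list InsideNoNAT_ACL extended permit ip 10.10.10.0 255.255.255.0 172.31.5.0 255.255.255.0
! Unable to download NAT policy for ACE

! 3. Rebuild: remove the nat 0 binding and reapply it. Caveat: between the two
!    commands the exemption is gone for ALL four ACEs and that traffic falls
!    under the numbered (dynamic) nat rule, so expect a brief interruption.
no nat (inside) 0 access-list InsideNoNAT_ACL
nat (inside) 0 access-list InsideNoNAT_ACL

! 4. Verify that the enforced policy matches the intended one. "show nat" should
!    list a NAT exempt match entry for every ACE in the ACL; a missing entry
!    means the policy still diverges from the access-list.
show run nat
show nat
show access-list InsideNoNAT_ACL

! 5. Connections built while the ACE was not exempt keep their old translation
!    until the xlate is cleared. This resets existing translations through the
!    box, so do it deliberately.
clear xlate
```

The point of step 4 is that the running configuration cannot reveal this failure: the ACL is correct on paper while the NAT engine enforces something else. Comparing the ACE count in `show access-list` with the exempt entries in `show nat` is the only offline check short of testing traffic from each subnet.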



Thanks, that helped me.
Thanks!
I've been looking for hours for an error I made in the config, not finding anything because there was no error!! Only a very undocumented need to rebuild the NAT rules.
This saved my day!
Great tip! This was driving me nuts. Same identical rules in my nat0 acl for two different networks, yet one network could talk and the other could not.
I would have never found your fix if I hadn’t in desperation deleted the troublesome rule and readded it, at which time I saw the “Unable to download NAT policy for ACE” error message.
Took me ages to stop ignoring the error and Google it.
Apparently it’s fixed in 8.0.3(6).