Workaround: BUG in ASA IOS 8.4(4) and 8.4(5) adding network-object-nat
When upgrading from an earlier 8.4 release to 8.4(4) or 8.4(5), the configuration is converted for the new IOS without any problems. But when you create a new Network Object NAT rule, you’ll get a nasty error:
ERROR: NAT Policy is not downloaded
There’s no solution for this error at this point (January 2013). Cisco TAC told me that the development team is still working on the issue, but it’s hard for them to reproduce the error in their lab.
But there is a workaround available!
Let’s say you’re creating this NAT rule:
FW001(config)# object network myserver
FW001(config-network-object)# nat (inside,outside) static 1.1.1.1
The following error appears and the NAT rule is not applied:
ERROR: NAT Policy is not downloaded
Until Cisco releases a fix for this, use the following procedure:
- Back up the configuration of the ASA firewall
- Copy/paste the NAT rules of the configuration to a notepad
- Issue the “clear config nat” command
- Copy/paste the NAT rules from the notepad to the ASA
- (Re)add the network object nat rule
Keep in mind: the “clear config nat” command will delete all the configured NAT rules! You’ll need a backup of the NAT configuration to restore the NAT rules!
Use this procedure at your own risk.
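As an added example (not part of the original post), a small Python helper for the “copy the NAT rules to a notepad” step: it pulls every NAT rule out of a saved running-config and keeps each object NAT line under its parent “object network” line, so the output can be pasted back after “clear config nat”. The sample config and its object and interface names are constructed for the example.

```python
from typing import List, Optional

# Constructed sample of an ASA 8.4 running-config excerpt; object and interface
# names are made up for this example, not taken from a real device.
SAMPLE_CONFIG = """\
hostname FW001
object network myserver
 host 10.0.0.10
 nat (inside,outside) static 1.1.1.1
object network webfarm
 subnet 10.0.1.0 255.255.255.0
 description object without a NAT rule, must not be emitted
object network dmz-net
 subnet 10.0.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
nat (inside,outside) source static inside-net inside-net destination static vpn-net vpn-net
nat (inside,outside) after-auto source dynamic any interface
access-group outside_in in interface outside
"""


def extract_nat_rules(config: str) -> List[str]:
    """Return the lines needed to re-apply every NAT rule from a running-config.

    Object NAT lines live inside 'object network' blocks, so each one is emitted
    together with its parent 'object network <name>' line: the rule can only be
    re-entered from object configuration mode. Twice NAT lines sit at the top
    level and are emitted unchanged, in their original order, because NAT section
    ordering (including 'after-auto') determines the match order.
    """
    rules: List[str] = []
    current_object: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("object network "):
            current_object = line          # entering an object block
        elif line.startswith(" "):
            # indented sub-command: keep only NAT lines, with their parent object
            if current_object and line.lstrip().startswith("nat "):
                rules.append(current_object)
                rules.append(line)
        else:
            current_object = None          # any other top-level command ends the block
            if line.startswith("nat "):
                rules.append(line)         # twice NAT (section 1 or section 3)
    return rules


if __name__ == "__main__":
    # Paste this output back after 'clear config nat', then re-add the new rule.
    print("\n".join(extract_nat_rules(SAMPLE_CONFIG)))
```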
Always hate it when something should work, but doesn’t. Thanks for the info.
Hi, I’ve just tried using a twice NAT statement to reflect the same type of configuration as static NAT; this appears to work as expected.
Works
nat (inside,outside) source static
Doesn’t work
object network
nat (inside,outside) static
Issue is present in 9.0, too 🙁
Did you upgrade from 8.x or started with a clean config?
In a failover setup you can switch to the secondary ASA, reload the primary and switch back. It works for me.
Thanks, this came in handy.