Workaround: BUG in ASA IOS 8.4(4) and 8.4(5) adding network-object-nat

When upgrading from a prior IOS 8.4 release to 8.4(4) or 8.4(5), the configuration is converted for the new IOS without any problems. But when you create a new Network Object NAT rule, you'll get a nasty error:

ERROR: NAT Policy is not downloaded

There’s no solution for this error at this point (January 2013). Cisco TAC told me that the development team is still working on this issue, but it’s hard for them to reproduce this error in their lab.
But there is a workaround available!

Let’s say you’re creating this NAT rule:

FW001(config)# object network myserver
FW001(config-network-object)# nat (inside,outside) static 1.1.1.1

The following error appears and the NAT rule is not applied:

ERROR: NAT Policy is not downloaded

Until Cisco creates a fix for this, use the following procedure:

  1. Back up the configuration of the ASA firewall
  2. Copy/paste the NAT rules of the configuration to a notepad
  3. Issue the “clear config nat” command
  4. Copy/paste the NAT rules from the notepad to the ASA
  5. (Re)add the network object nat rule

Keep in mind: the “clear config nat” command will delete all the configured NAT rules! You’ll need a backup of the NAT configuration to restore the NAT rules!
Use this procedure at your own risk.
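
To make steps 2 and 4 less error-prone, the following Python script (an added example, not part of the original post and not a Cisco tool) extracts the NAT statements from a saved running-config and, after the restore, lists any rule that did not come back. The function names, the sample configuration and its addresses are constructed for illustration and assume the ASA 8.3+ object NAT syntax shown above.

```python
# Added example: extract NAT rules from a saved ASA running-config (8.3+ syntax)
# and confirm they all came back after "clear config nat" and the re-paste.

def extract_nat_rules(config_text):
    """Return (object_name or None, nat_line) tuples in configuration order."""
    rules, current_object = [], None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw[0].isspace():                      # sub-command of the current block
            if current_object and stripped.startswith("nat "):
                rules.append((current_object, stripped))
        elif stripped.startswith("object network "):
            current_object = stripped.split(None, 2)[2]
        else:                                     # any other top-level command
            current_object = None
            if stripped.startswith("nat "):       # manual (twice) NAT rule
                rules.append((None, stripped))
    return rules

def to_cli(rules):
    """Render the rules as lines that can be pasted back in config mode."""
    lines = []
    for obj, nat in rules:
        lines += [nat] if obj is None else [f"object network {obj}", f" {nat}"]
    return lines

def missing_rules(backup_text, current_text):
    """Rules present in the backup but absent from the current configuration."""
    current = set(extract_nat_rules(current_text))
    return [r for r in extract_nat_rules(backup_text) if r not in current]

# Constructed sample configuration (names and addresses are made up).
SAMPLE_BACKUP = """\
object network myserver
 host 10.0.0.10
object network inside-net
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static inside-net inside-net
!
object network myserver
 nat (inside,outside) static 192.0.2.10
object network inside-net
 nat (inside,outside) dynamic interface
"""
# Simulate a restore in which one object NAT line was not pasted back.
SAMPLE_AFTER = SAMPLE_BACKUP.replace(" nat (inside,outside) dynamic interface\n", "")

if __name__ == "__main__":
    print("\n".join(to_cli(extract_nat_rules(SAMPLE_BACKUP))))
    print("missing after restore:", missing_rules(SAMPLE_BACKUP, SAMPLE_AFTER))
```

Run it against the backup taken in step 1 and a fresh copy of the running configuration after step 4; an empty "missing" list means every NAT rule from the backup is present again.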