Cisco Cisco ASA 5540 Adaptive Security Appliance Guia De Resolução De Problemas

object network obj−192.168.1.0

 nat (inside,outside) dynamic interface

When this ASA is upgraded to 8.4(4) or higher, this NAT command will not be present in the ASA's
running−config and this error will be printed on the ASA's console:

ERROR: 192.168.1.0−192.168.1.255 overlaps with inside standby interface

   address

ERROR: NAT Policy is not downloaded

As a result, traffic between subnets 192.168.1.0/24 and 10.10.10.0/24 will no longer flow through the VPN
tunnel.

There are two possible workarounds for this condition:

Make the NAT command as specific as possible before upgrading to 8.4(4) so the mapped interface is
not "any". For example, the above NAT command can be changed to the interface through which the
Remote VPN subnet is reachable (named "outside" in the above scenario):

nat (inside,outside) source static obj−192.168.1.0 obj−192.168.1.0 destination

   static obj−10.10.10.0 obj−10.10.10.0

• 

If the above workaround is not possible, complete these steps:

When the ASA is running 8.4(4) or higher, remove the standby IP address assigned to the
interface.

1. 

Apply the NAT command.

2. 

Re−apply the standby IP address on the interface.

3. 

For example:

ciscoasa(config)# interface Ethernet0/0

ciscoasa(config−if)# ip address 192.168.1.1 255.255.255.0

ciscoasa(config−if)# exit

ciscoasa(config)# nat (inside,any) 1 source static obj−192.168.1.0

ciscoasa(config)# interface Ethernet0/0

ciscoasa(config−if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

• 

• 

Contacts & Feedback | Help | Site Map
© 2014 − 2015 Cisco Systems, Inc. All rights reserved. Terms & Conditions | Privacy Statement | Cookie Policy | Trademarks of
Cisco Systems, Inc.

Updated: Aug 13, 2012

Document ID: 113640