On an ASA 5520 with Cisco Adaptive Security Appliance Software Version 8.0(3), I had set up an SSL VPN. It was working okay, as it was set up for DHCP to an existing subnet, which I assume was proxy-arping for its clients. Attempts to access other subnets using split tunneling were producing “No translation group found for ..” errors. I tried every possible combination of NAT exceptions, which, believe me, was a lot. ASDM sometimes would throw errors when adding them, and when I’d do this by hand, sometimes I’d get an “Unable to download NAT policy for ACE” error. Frustrated, I removed almost everything I did and rebooted the damn thing.
This fixed the problem. Seriously, the Cisco needed a reboot. It wasn’t a config thing, as I saved just before the reboot. Perturbing. Now I’m using an address pool, and I’ve gotta go back and set up routes and our disappointingly static routed network to the new pool.
CSCsl46310 Bug Details
ASA error: Unable to download NAT policy for ACE with nat 0 ACL
On an ASA5510, when adding a line to a Nat 0 ACL you may receive the following error:
“Unable to download NAT policy for ACE”
The ASA will add the command to the configuration, but the line that was added will not take effect.
Workaround:
1) – add the new ACE to the NAT exempt ACL
   – save the config
   – reload
   After the reload the ASA uses the new ACL.
2) Reapply (remove and add again) the access-list from nat 0, and then it is working.
Hope this helps!