Unable to download NAT policy for ACE

On an ASA 5520 with Cisco Adaptive Security Appliance Software Version 8.0(3), I had set up an SSL VPN. It was working okay, as it was set up for DHCP to an existing subnet, which I assume was proxy-arping for its clients. Attempts to access other subnets using split tunneling were producing “No translation group found for ..” errors. I tried every possible combination of NAT exceptions, which, believe me, was a lot. ASDM would sometimes throw errors when adding them, and when I’d do this by hand, sometimes I’d get an “Unable to download NAT policy for ACE” error. Frustrated, I removed almost everything I did and rebooted the damn thing.

This fixed the problem. Seriously, the Cisco needed a reboot. It wasn’t a config thing, as I saved just before the reboot. Perturbing. Now I’m using an address pool, and I’ve gotta go back and set up routes and our disappointingly static routed network to the new pool.

1 thought on “Unable to download NAT policy for ACE”

  1. Rothko

    CSCsl46310 Bug Details
    ASA error: Unable to download NAT policy for ACE with nat 0 ACL
    On an ASA5510, when adding a line to a Nat 0 ACL
    you may receive the following error:

    “Unable to download NAT policy for ACE”

    The ASA will add the command to the configuration,
    but the line that was added will not take effect.

    Workaround:
    1) - add the new ACE to the NAT exempt ACL
       - save the config
       - reload
       After the reload the ASA uses the new ACL

    2) reapply (remove and add again) the access-list from nat 0, and then it is working

    Hope this helps!
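
The two workarounds from the bug note above, written out as an ASA 8.0-style CLI session. This is an added example, not part of the original post or the Cisco bug text; the interface name `inside`, the ACL name `inside_nat0_outbound`, and all addresses are constructed placeholders.

```cisco
! Constructed values: interface "inside", ACL "inside_nat0_outbound",
! internal network 10.1.0.0/16, VPN address pool 10.99.0.0/24.
configure terminal

! Add the new ACE to the NAT exempt ACL. If the ASA answers with
! "Unable to download NAT policy for ACE", the line is stored in the
! configuration but is not in effect yet.
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.99.0.0 255.255.255.0

! Workaround 2: detach the ACL from nat 0 and attach it again.
! Between these two commands nothing matched by the ACL is exempted
! from NAT, so run them back to back in a maintenance window.
no nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
end

! Check whether the new ACE is actually used, not merely present in
! the config: trace a packet that should match it and look for a
! NAT-EXEMPT phase that references the ACL.
packet-tracer input inside icmp 10.1.0.10 8 0 10.99.0.10

! Workaround 1, if the ACE still is not applied: save and reload.
write memory
reload
```

`show running-config nat` only confirms that the ACL is bound to nat 0, which the bug note says is true even when the ACE is not taking effect, so the packet trace is the more useful check.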
