...
There are two dynamic NAT rules configured in the NAT policy. Both rules are configured with the same real source and mapped source objects. If only one of the rules is modified from a dynamic NAT rule to dynamic PAT, the change is saved on the FMC GUI without any warning or error, but the deployment fails and the following error is shown in the FMC GUI transcript. As a side effect, the current NAT rule is removed from the FTD, which can have unintended consequences. A validation check needs to be performed on the FMC so that the error is shown on the FMC GUI itself, before such a NAT rule modification is saved.

========= CLI APPLY =========
FMC >> no nat (inside,outside) source dynamic obj_real_source obj_mapped_source destination static obj_dest_01 obj_dest_01
FMC >> nat (inside,outside) 2 source dynamic obj_real_source pat-pool obj_mapped_source round-robin destination static obj_dest_01 obj_dest_01
SecondaryFTD >> [error] : ERROR: Same mapped parameter cannot be used to do both NAT and PAT.
==============================================================================
1. Two or more dynamic NAT rules (configured with the same mapped parameter) are already configured and serving the production network, and
2. One of the rules is modified to dynamic PAT, the NAT policy is saved, and the policy is deployed.
1. Manually roll back the NAT policy changes on the FMC GUI and deploy again, so that the removed NAT rule is restored; or
2. Identify the dynamic NAT rule that uses the same mapped object as the modified PAT rule, modify that rule to dynamic PAT as well, and deploy.
In this case, the second dynamic NAT rule is modified to dynamic PAT.

----------------------------------------
NAT rules before deployment:
----------------------------------------
firepower# sh run nat
nat (inside,outside) source dynamic obj_real_source obj_mapped_source destination static ip_192.168.102.48 ip_192.168.102.48
nat (inside,outside) source dynamic obj_real_source obj_mapped_source destination static obj_dest_01 obj_dest_01
nat (inside,outside) source static obj_real_source 192.168.12.14 destination static test_NAT test_NAT

------------------------------------
NAT rules after deployment failure:
------------------------------------
firepower# sh run nat
nat (inside,outside) source dynamic obj_real_source obj_mapped_source destination static ip_192.168.102.48 ip_192.168.102.48
nat (inside,outside) source static obj_real_source 192.168.12.14 destination static test_NAT test_NAT
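The validation the report asks for can be approximated outside FMC as a pre-deployment check over the NAT configuration FMC is about to push. The following Python script is an added example (not Cisco's FMC/FTD code and not the check FMC itself would implement): it parses ASA/FTD-style `nat` lines, classifies each rule as static, dynamic NAT or dynamic PAT (`pat-pool` keyword), and flags any mapped object that is used by both a dynamic NAT and a dynamic PAT rule, which is exactly the condition the FTD rejects with "Same mapped parameter cannot be used to do both NAT and PAT". The sample configuration is constructed from the rules shown on this page, with the second rule already rewritten as the dynamic PAT rule that the transcript shows FMC pushing. The function names, the regular expression and the decision to key conflicts on the mapped object alone (ignoring the interface pair) are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the "before deployment" rules from the bug report, with the
# second rule already changed to dynamic PAT as in the failed CLI APPLY transcript.
SAMPLE_NAT_CONFIG = """\
nat (inside,outside) source dynamic obj_real_source obj_mapped_source destination static ip_192.168.102.48 ip_192.168.102.48
nat (inside,outside) 2 source dynamic obj_real_source pat-pool obj_mapped_source round-robin destination static obj_dest_01 obj_dest_01
nat (inside,outside) source static obj_real_source 192.168.12.14 destination static test_NAT test_NAT
"""

# Matches the leading part of a twice (manual) NAT line:
#   nat (real_if,mapped_if) [after-auto] [position] source static|dynamic REAL [pat-pool] MAPPED ...
# Everything after the mapped object (round-robin, destination ...) is ignored.
NAT_RE = re.compile(
    r"^nat \((?P<ifaces>[^)]+)\)"
    r"(?:\s+after-auto)?(?:\s+\d+)?"
    r"\s+source\s+(?P<type>static|dynamic)\s+(?P<real>\S+)\s+"
    r"(?P<pat>pat-pool\s+)?(?P<mapped>\S+)"
)


def parse_nat_rules(config: str) -> list[dict]:
    """Parse 'nat ...' lines into dicts with interfaces, kind, real and mapped objects."""
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith("nat "):
            continue  # prompts, headers and non-NAT lines are skipped
        m = NAT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised nat line: {line}")
        kind = "static"
        if m.group("type") == "dynamic":
            # 'pat-pool' distinguishes dynamic PAT from dynamic NAT with a mapped pool/object
            kind = "dynamic-pat" if m.group("pat") else "dynamic-nat"
        rules.append({
            "interfaces": m.group("ifaces"),
            "kind": kind,
            "real": m.group("real"),
            "mapped": m.group("mapped"),
            "line": line,
        })
    return rules


def find_nat_pat_conflicts(rules: list[dict]) -> dict[str, list[dict]]:
    """Return mapped objects that are used by both a dynamic NAT and a dynamic PAT rule."""
    by_mapped: dict[str, list[dict]] = defaultdict(list)
    for rule in rules:
        if rule["kind"] in ("dynamic-nat", "dynamic-pat"):
            by_mapped[rule["mapped"]].append(rule)
    return {
        mapped: group
        for mapped, group in by_mapped.items()
        if {r["kind"] for r in group} == {"dynamic-nat", "dynamic-pat"}
    }


def validate_nat_config(config: str) -> list[str]:
    """Names of mapped objects that would make the FTD reject the deployment."""
    return sorted(find_nat_pat_conflicts(parse_nat_rules(config)))


if __name__ == "__main__":
    conflicts = find_nat_pat_conflicts(parse_nat_rules(SAMPLE_NAT_CONFIG))
    if not conflicts:
        print("OK: no mapped object is shared between dynamic NAT and dynamic PAT rules")
    for mapped, group in conflicts.items():
        print(f"ERROR: mapped object '{mapped}' is used for both NAT and PAT:")
        for rule in group:
            print(f"  [{rule['kind']}] {rule['line']}")
```

Run against the page's rules the script reports `obj_mapped_source` as shared between a dynamic NAT and a dynamic PAT rule; after applying workaround 2 (both rules converted to dynamic PAT) it reports nothing, because the check only fires when both kinds coexist on one mapped object.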