topic Re: Migrating Cisco ASA 9.3 NAT Migration Suggestions in Expedition Discussions

Migrating Cisco ASA 9.3 NAT Migration Suggestions

aporue — Tue, 23 Apr 2019 19:39:21 GMT

I am in the middle of migrating a very large Cisco ASA with ver 9.3(3)6 and noticed that the NATs are causing all kinds of issues. As an example, the security policy migration should have created a single rule from a source group to a destination group for each of the ports listed in the ACL's (the Cisco did not have a group for the ports so instead had about 10 ACL's with the same source/destination for each port). Instead of ending up with about 10 rules in the conversion I instead ended up with about 200. The 10 rules I expected are indeed there but for each port in the ACL, there are about 20 additional rules with 10 being the same source/port and the other 10 being the same source/any port and ALL of the extra rules have different destinations than the original ACL.

I have no idea what is happening here but my only thought is to just remove the NAT rules from the ASA config and start over then do the NAT rules 1 at a time by hand (was trying to avoid that as it has almost 800 NAT rules). Is NAT conversion just not working from this version of the ASA?

Let me know if you need additional info as I am sure that description isn't easy to understand.

Re: Migrating Cisco ASA 9.3 NAT Migration Suggestions

sjanita — Fri, 26 Apr 2019 04:48:43 GMT

yes if you can share the ASA config by sending to the fwmigrate (at) paloaltonetworks.com that will be helpful

Re: Migrating Cisco ASA 9.3 NAT Migration Suggestions

bkoch709 — Mon, 19 Apr 2021 15:19:26 GMT

Can I send one over as well? I have one that has both source and destination NATs in a single policy. I converted it using Expedition, but when I go to commit, I get the following error:

Validation Error:
rulebase -> nat -> rules -> Nat Twice 3 -> source-translation -> static-ip -> bi-directional constraints failed : Bi-directional option not applicable to rule with both source and destination translation
rulebase -> nat -> rules -> Nat Twice 3 -> source-translation -> static-ip -> bi-directional is invalid
Commit failed

Re: Migrating Cisco ASA 9.3 NAT Migration Suggestions

lychiang — Mon, 19 Apr 2021 15:23:21 GMT

Hi @bkoch709 ,

That messages means your NAT rule "Nat Twice 3" has both source and destination translations and has bi-directional enable, so you will need to review the NAT rule and make the necessary modification, need to separate them to two separate rule, one for source translations, one for destination translations.

Re: Migrating Cisco ASA 9.3 NAT Migration Suggestions

bkoch709 — Mon, 19 Apr 2021 20:26:56 GMT

So this would need to be broken out into 2 NATs?

Re: Migrating Cisco ASA 9.3 NAT Migration Suggestions

lychiang — Mon, 19 Apr 2021 20:46:25 GMT

Hi @bkoch709 Please refer to the details below on how to configure NAT policy in PAN-OS for your use case

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/configure-nat