This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Migrating Cisco ASA 9.3 NAT Migration Suggestions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Migrating Cisco ASA 9.3 NAT Migration Suggestions

aporue
L3 Networker

‎04-23-2019 12:39 PM

I am in the middle of migrating a very large Cisco ASA with ver 9.3(3)6 and noticed that the NATs are causing all kinds of issues. As an example, the security policy migration should have created a single rule from a source group to a destination group for each of the ports listed in the ACL's (the Cisco did not have a group for the ports so instead had about 10 ACL's with the same source/destination for each port). Instead of ending up with about 10 rules in the conversion I instead ended up with about 200. The 10 rules I expected are indeed there but for each port in the ACL, there are about 20 additional rules with 10 being the same source/port and the other 10 being the same source/any port and ALL of the extra rules have different destinations than the original ACL.

 

I have no idea what is happening here but my only thought is to just remove the NAT rules from the ASA config and start over then do the NAT rules 1 at a time by hand (was trying to avoid that as it has almost 800 NAT rules). Is NAT conversion just not working from this version of the ASA?

 

Let me know if you need additional info as I am sure that description isn't easy to understand.

1 person had this problem.
0 Likes Likes
5 REPLIES 5

sjanita
L5 Sessionator

‎04-25-2019 09:48 PM

yes if you can share the ASA config by sending to the fwmigrate (at) paloaltonetworks.com that will be helpful

0 Likes Likes

bkoch709
L1 Bithead
In response to sjanita

‎04-19-2021 08:19 AM

Can I send one over as well? I have one that has both source and destination NATs in a single policy. I converted it using Expedition, but when I go to commit, I get the following error:

  • Validation Error:
  • rulebase -> nat -> rules -> Nat Twice 3 -> source-translation -> static-ip -> bi-directional constraints failed : Bi-directional option not applicable to rule with both source and destination translation
  • rulebase -> nat -> rules -> Nat Twice 3 -> source-translation -> static-ip -> bi-directional is invalid
  • Commit failed
0 Likes Likes

lychiang
L6 Presenter
In response to bkoch709

‎04-19-2021 08:23 AM

Hi @bkoch709 ,

 

That messages means your NAT rule "Nat Twice 3" has both source and destination translations and has bi-directional enable, so you will need to review the NAT rule and make the necessary modification, need to separate them to two separate rule, one for source translations, one for destination translations. 

bkoch709
L1 Bithead
In response to lychiang

‎04-19-2021 01:26 PM

vgg-source-dest-nat.JPG

So this would need to be broken out into 2 NATs?

0 Likes Likes

lychiang
L6 Presenter
In response to bkoch709

‎04-19-2021 01:46 PM

Hi @bkoch709  Please refer to the details below on how to configure NAT policy in PAN-OS for your use case

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/nat/configure-nat

 

 

0 Likes Likes
  • 5507 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks