Migrating Cisco ASA 9.3 NAT Migration Suggestions


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L3 Networker

Migrating Cisco ASA 9.3 NAT Migration Suggestions

I am in the middle of migrating a very large Cisco ASA with ver 9.3(3)6 and noticed that the NATs are causing all kinds of issues. As an example, the security policy migration should have created a single rule from a source group to a destination group for each of the ports listed in the ACL's (the Cisco did not have a group for the ports so instead had about 10 ACL's with the same source/destination for each port). Instead of ending up with about 10 rules in the conversion I instead ended up with about 200. The 10 rules I expected are indeed there but for each port in the ACL, there are about 20 additional rules with 10 being the same source/port and the other 10 being the same source/any port and ALL of the extra rules have different destinations than the original ACL.


I have no idea what is happening here but my only thought is to just remove the NAT rules from the ASA config and start over then do the NAT rules 1 at a time by hand (was trying to avoid that as it has almost 800 NAT rules). Is NAT conversion just not working from this version of the ASA?


Let me know if you need additional info as I am sure that description isn't easy to understand.

L4 Transporter

yes if you can share the ASA config by sending to the fwmigrate (at) paloaltonetworks.com that will be helpful

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!