Migrating Cisco ASA 9.3 NAT Migration Suggestions

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Migrating Cisco ASA 9.3 NAT Migration Suggestions

L3 Networker

I am in the middle of migrating a very large Cisco ASA with ver 9.3(3)6 and noticed that the NATs are causing all kinds of issues. As an example, the security policy migration should have created a single rule from a source group to a destination group for each of the ports listed in the ACL's (the Cisco did not have a group for the ports so instead had about 10 ACL's with the same source/destination for each port). Instead of ending up with about 10 rules in the conversion I instead ended up with about 200. The 10 rules I expected are indeed there but for each port in the ACL, there are about 20 additional rules with 10 being the same source/port and the other 10 being the same source/any port and ALL of the extra rules have different destinations than the original ACL.


I have no idea what is happening here but my only thought is to just remove the NAT rules from the ASA config and start over then do the NAT rules 1 at a time by hand (was trying to avoid that as it has almost 800 NAT rules). Is NAT conversion just not working from this version of the ASA?


Let me know if you need additional info as I am sure that description isn't easy to understand.


L5 Sessionator

yes if you can share the ASA config by sending to the fwmigrate (at) paloaltonetworks.com that will be helpful

Can I send one over as well? I have one that has both source and destination NATs in a single policy. I converted it using Expedition, but when I go to commit, I get the following error:

  • Validation Error:
  • rulebase -> nat -> rules -> Nat Twice 3 -> source-translation -> static-ip -> bi-directional constraints failed : Bi-directional option not applicable to rule with both source and destination translation
  • rulebase -> nat -> rules -> Nat Twice 3 -> source-translation -> static-ip -> bi-directional is invalid
  • Commit failed

Hi @bkoch709 ,


That messages means your NAT rule "Nat Twice 3" has both source and destination translations and has bi-directional enable, so you will need to review the NAT rule and make the necessary modification, need to separate them to two separate rule, one for source translations, one for destination translations. 


So this would need to be broken out into 2 NATs?

Hi @bkoch709  Please refer to the details below on how to configure NAT policy in PAN-OS for your use case





  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!