04-23-2019 12:39 PM
I am in the middle of migrating a very large Cisco ASA with ver 9.3(3)6 and noticed that the NATs are causing all kinds of issues. As an example, the security policy migration should have created a single rule from a source group to a destination group for each of the ports listed in the ACLs (the Cisco did not have a group for the ports, so instead it had about 10 ACLs with the same source/destination for each port). Instead of ending up with about 10 rules in the conversion, I ended up with about 200. The 10 rules I expected are indeed there, but for each port in the ACL there are about 20 additional rules, 10 being the same source/port and the other 10 being the same source/any port, and ALL of the extra rules have different destinations than the original ACL.
I have no idea what is happening here, but my only thought is to just remove the NAT rules from the ASA config, start over, and then do the NAT rules one at a time by hand (I was trying to avoid that, as it has almost 800 NAT rules). Is NAT conversion just not working from this version of the ASA?
Let me know if you need additional info, as I am sure that description isn't easy to understand.