command replacement on ASA IOS 8.3

Unanswered Question
Sep 3rd, 2010
User Badges:

Hi all,

how can i replace in 8.3 a NAT identity like:

nat (outside) 0 0 0

nat (inside) 0 0 0

and also

established tcp 0 4000 permitto tcp 4000 permitfrom tcp 1024-65535

tnx a lot for any answer


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Marcin Latosiewicz Sat, 09/04/2010 - 03:16
User Badges:
  • Cisco Employee,


All the connection connection limitation have been moved to one place - MPF. No longer can you set additional setting on nat rules.

For established,

8.3 command reference still gives you that option - if the command is not there or doesn't work properly well let me know and we'll see.

For identity NAT, not sure what's the point of those would be...  nat-control has been deprecated.

But the recommendation goes:

Error Message    Identity-NAT was not migrated. If required, an appropriate bypass NAT rule needs to be 

Explanation   Identity NAT not migrated. Identity NAT (the nat 0 command) is not migrated; also a nat-control command  on that interface is not migrated.

Recommended Action   Manually add a new Identity NAT rule using a static NAT command (either object or twice NAT).


Old Configuration

nat (inside) 0



Jennifer Halim Sat, 09/04/2010 - 03:17
User Badges:
  • Cisco Employee,

Are you trying to perform NAT exemption for traffic through the ASA based on the following 2 NAT statements:

nat (outside) 0 0 0

nat (inside) 0 0 0

If you are, there is no need to configure any NAT statements if there isn't any other NAT statements already configured.

For the "established" command, it is still the same command in version 8.3:


This Discussion