Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Can I remove nat0 and identity nat while upgrading from pix 6.3(5) to ASA 8.6?


I have an end of life PIX 525 running 6.3(5). I want to replace it with ASA on version8.6.

I have converted static and dynamic nat as required by version8.6. There are nat0 on three interface and more than a 100 static identity nat statements.

Can I remove nat0 and identity nat for the (not include nat0 and identity nat) new 8.6 version and just include dynamic and static nat?

This will make my nat configuraition very small as compared to what it is right now on version 6.3(5) because of nat control.

Can it cause any potential problems when I cut over?


Super Bronze

Re: Can I remove nat0 and identity nat while upgrading from pix


Generally the Static Identity NAT configurations can be left off the configuration as these were usually configured between local networks firewall interfaces to enable communication between them.

NAT0 however that is used for VPN purposes for example usually require the corresponding NAT configuration in the new format also.

This is for the same reason as in the older software versions. If you dont configure NAT0 for the traffic between LAN and VPN networks then the traffic will match the Dynamic rules that you have for Internet traffic and the connections will therefore fail.

- Jouni

CreatePlease login to create content