Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ERROR: This syntax of nat command has been deprecated.(NAT)


i face a [roblem regarding the NAT configuration when i gave command 


its gives error

ciscoasa(config)# nat-control
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.


please resolve this issue  and i also send the sh version below



ciscoasa(config)# sh version

Cisco Adaptive Security Appliance Software Version 8.4(2)

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"

ciscoasa up 17 mins 53 secs

Hardware:   ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB

 0: Ext: GigabitEthernet0    : address is 00ab.cd92.5200, irq 0
 1: Ext: GigabitEthernet1    : address is 00ab.cd92.5201, irq 0
 2: Ext: GigabitEthernet2    : address is 0000.ab80.9802, irq 0
 3: Ext: GigabitEthernet3    : address is 0000.ab1e.5c03, irq 0
 4: Ext: GigabitEthernet4    : address is 0000.ab78.3a04, irq 0
 5: Ext: GigabitEthernet5    : address is 0000.ab58.eb05, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Disabled       perpetual
VPN-3DES-AES                      : Disabled       perpetual
Security Contexts                 : 0              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 0              perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5520 VPN Plus license.

Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by enable_15 at 07:08:48.239 UTC Fri Oct 17 2014


Thanks and Regards



Super Bronze

Hi, This command was only



This command was only supported in software levels 8.2 and below. Since software level 8.3 the ASAs have had a new NAT configuration format and in that instance also this command has been removed.


So in short you can not use this command anymore because you are already running a newer software level.


- Jouni

New Member

can you send me the new

can you send me the new configuration of firewall please?

Super Bronze

Hi, I am not sure what you



I am not sure what you mean? If you mean a replacing command for this then there is none. The whole concept of NAT Control has been removed.


If you mean information about the new configuration format then you should have a look at the ASA Configurations Guide and Command Reference that can be found online.


You can read some about the new NAT configuration format from a document I wrote in 2013 that can be found here


You can also check this document which provides examples comparing the same NAT configuration in the old format and in the new format


- Jouni

New Member

no i dont want to replace

no i dont want to replace with the old nat i just have the new firewall and want to trffice from outside to dmz and dmz to inside

Super Bronze

Hi, Your original question



Your original question was with regards to the ERROR message that ASA gave. This was due to using an old command that is not supported in your ASAs software.


For us to be able to help you at all with any possible configurations or configurations task we would need specific information what you are attempting to do. The above explanation does not tell me anything.


- Jouni

New Member

Thanks and i attached a

Thanks and i attached a diagram related to this.

i want to from outside to dmz and also allow lan user to use internet throught the proxy server that exist in DMZ and also use microsoft outlook.

Cisco Employee

Hi,Are you using the DMZ


Are you using the DMZ proxy server on  all the clients manually so that they send the traffic there ?

If yes , i think you only need a Dynamic NAT on the ASA device from DMZ to the Outside.

For communication between DMZ and Outside , you would need a Static NAT on the ASA device.

For communication between DMZ and inside , you shouldn't need any NAT statements.

You can refer to this document for more details:-

Let me know if you have any queries.

Thanks and Regards,

Vibhor Amrodia

New Member

Thanks a lot and i attached a

Thanks a lot and i attached a diagram here


need to pass through traffic from outside to inside and inside to outside.