Cisco Support Community
Community Member

Migrating from FWSM to ASA

I'm currently using an FWSM and we are migrating to the ASA with 9.1 code.

The NAT is WAY different and I have some questions:

1)  To do a PAT to the outside, is it just

object network TEST123
 subnet x.x.x.0 <mask>
 nat (inside,outside) dynamic <external ip address/32>

2) To do NAT between two internal addresses:

object network TEST123
 subnet x.x.x.0 <mask>
object network TEST456
 subnet y.y.y.0 <mask>
object-group network INTERNAL
 network-object object TEST123
 network-object object TEST456
nat (inside,dmz) source static INTERNAL INTERNAL destination static <object for z.z.z.0> <object for z.z.z.0> net-to-net no-proxy-arp

3) To do Static NAT to outside

object network WEBSERVER1
 host z.z.z.z
 nat (dmz,outside) static <External IP of host>

Then to allow access to webserver

access-list out_in extended permit tcp any host z.z.z.z eq www

Any help would be appreciated..!!!  Thanks in advance

I wish Cisco would've NEVER changed this part of the IOS.. The new way is crappy and confusing....

Hall of Fame Super Blue

Migrating from FWSM to ASA

I wish Cisco would've NEVER changed this part of the IOS.. The new way is crappy and confusing....

I know exactly how you feel

Coming from an FWSM/pre-8.3 PIX/ASA background I am still playing catch up. What I would say is that the new way actually allows far more flexibility in terms of what you can do with NAT, but it does take some getting used to.

I have added a link to a really good document for 8.3+ NAT written by one of the firewall experts. It is worth a read and it should help with your questions. The pictures, which can be downloaded separately, give examples of all the common scenarios you would need, but I would say it is worth reading the entire document -


Community Member

Re: Migrating from FWSM to ASA

Thanks.... This helps....  

Looks like I'm on the right track...

The issue was figuring out the Subnet definition in the nat (was it static or dynamic)... Looks like it's static between the internal interfaces....

The doc doesn't mention the "no-proxy-arp" command arg even though the software prompts you and claims routing errors if you don't use it...

Can't wait until Cisco goes back to the old way - 5 years from now... LOL!!!

Thanks again....
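A worked version of the three cases discussed in this thread in ASA 8.3+/9.1 syntax, added here as an example; it is not taken from the thread or from the Cisco document linked above. The object names, interface names and addresses (10.0.0.0/24 inside, 172.16.0.0/24 dmz, 203.0.113.x outside, 198.51.100.x as a test client) are placeholders. It also shows the point raised in the last reply: the inside-to-dmz rule is an identity NAT written as manual (twice) NAT, which lands in NAT section 1 and is evaluated before the object NAT in section 2, so the dynamic PAT never captures inside-to-dmz traffic; no-proxy-arp keeps the ASA from answering ARP for the identity-mapped addresses (the routing warning the CLI prints when the keyword is left off), and route-lookup makes the egress interface come from the routing table rather than from the interface named in the rule. The show and packet-tracer lines at the end are how to confirm the result before cutting over.

```cisco
! Added example, not from the thread: all names and addresses are placeholders.

! 1) Dynamic PAT for the inside subnet to one routable address.
!    Object NAT: the nat line lives inside the object it translates.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic 203.0.113.10

! 2) Identity NAT between two internal interfaces (inside <-> dmz).
!    Manual (twice) NAT: source and destination are both named objects,
!    each mapped to itself, so nothing is translated in either direction.
!    Section 1 rules are checked before the object NAT above.
object network DMZ_NET
 subnet 172.16.0.0 255.255.255.0
nat (inside,dmz) source static INSIDE_NET INSIDE_NET destination static DMZ_NET DMZ_NET no-proxy-arp route-lookup

! 3) Static one-to-one NAT for a DMZ web server.
object network WEB_REAL
 host 172.16.0.80
 nat (dmz,outside) static 203.0.113.80

! Post-8.3 ACLs match the REAL (untranslated) address, so the rule
! references the server's dmz address, not its mapped outside address.
access-list out_in extended permit tcp any object WEB_REAL eq www
access-group out_in in interface outside

! Verification: rule order, sections and hit counts of the NAT table ...
show nat detail
! ... and a simulated packet through NAT and the ACL. Syntax:
! packet-tracer input <ifc> <proto> <src ip> <src port> <dst ip> <dst port>
! From outside the packet arrives with the MAPPED address as destination;
! the UN-NAT phase should show it becoming 172.16.0.80.
packet-tracer input outside tcp 198.51.100.5 40000 203.0.113.80 80
! From inside to dmz the NAT phase should show the identity rule (section 1)
! matching, with the source address unchanged.
packet-tracer input inside tcp 10.0.0.5 40000 172.16.0.80 80
```

If packet-tracer for the inside-to-dmz flow reports the dynamic PAT rule instead of the identity rule, the manual NAT line is missing or was entered with the interfaces reversed; net-to-net from the original post is only needed when a static rule maps one subnet onto a different subnet of the same size, so it is omitted from the identity rule here.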
