I have a new ASA 5545-X firewall with 9.1.2 software (default) and I want to replace the old 5540 with the current configuration on version 8.2.4.
I copied the current ASA 5540 config (old version) to the new ASA 5545-X and started with the current configuration (copy flash:old_asa_conf running-config), and most of the commands were migrated except the NAT configuration.
It is hard to manually change the NAT configuration, as the old ASA config has 200-plus NAT types configured.
I just want to know whether this is normal behavior, why it didn't migrate the NAT configuration, and whether I have to manually configure all the NAT types configured on the old ASA version.
We can't even downgrade to 8.3 or 8.4, as the new ASA 5545-X supports 8.6.x and above. In that case, will the 8.6 code automatically migrate the NAT config of the old config with version 8.2.4?
I would appreciate it if someone could advise me on this, as it will be hard to configure all the NAT configuration for the new version.
Going up to 8.3 (and 8.4 was a little different also), Cisco changed the NAT configuration.
I would recommend the following:
Install 8.4 onto your 5540 and do an upgrade; when it does an upgrade it will do its best to upgrade the NATs. It will tell you which ones don't get auto-converted, and you will need to do those manually.
Additionally, there is a partner-level tool that converts most rules from 8.2 to 9.x as well; you might want to reach out to whoever sold it to you and see if they would upgrade it for you. Don't be surprised if they (a) don't know about it, or (b) want to charge you for it. I say this because usually it's only about 20-30% better than just upgrading it yourself.
Also, remember when you're converting your NATs that they still perform top down, so make sure they're in the proper order once you rebuild them.
I work for a partner and have done a number of them, and quite honestly, I usually just put one ASDM on the left and the new one on the right and manually rebuild them, because it seems to take less time that way.
They recently changed the migration tool; the earlier version did include the ability to migrate Cisco configurations from 8.2.
I suppose they must have been having issues with that function.
Overall I agree with pkillurcco and others that rebuilding them manually both gives you a better understanding of what you have and allows you to optimize them for the new syntax. It does require some more up-front investment of time, but it's worth it in the longer term.
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
I would appreciate it if you could advise me what exactly causes the above error. As per the old version config, when a packet goes from the given source to the destination IP and ports, it should do PAT on the outside interface. If I simply NAT the source/destination IP to the interface, it would allow access to the rest of the ports as well. I have many such ACLs used for policy NAT with many interfaces in the old config, and it is working fine.
It would be better if I could find a tool to convert them, as converting them manually is going to be hectic and prone to more errors. If not, I just need to know how to configure dynamic policy NAT according to ACLs with destination ports, as given above.
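As an added example that is not part of this thread and is not Cisco's migration tool, the script below rewrites the three 8.2 NAT forms discussed here (one-to-one static, nat/global dynamic PAT to the interface, and ACL-based policy NAT with a single destination host and port) into 8.3+ object NAT and twice NAT. The 8.2 sample lines, the object names it generates (NET_..., HOST_..., SVC_...), and the rule that anything it does not recognise (nat 0 exemption, port ranges, connection limits) is refused rather than guessed are all assumptions made for this example.

```python
"""Convert a small subset of ASA 8.2 NAT syntax to the 8.3+ object/twice NAT
model.  Handled: one-to-one `static`, `nat`/`global ... interface` dynamic PAT,
and ACL-based policy NAT with a single destination host and port.  Everything
else (nat 0 exemption, port ranges, connection limits, ...) is rejected so it
gets rebuilt by hand instead of being silently mistranslated."""
import re

# Constructed 8.2 sample (not from the original post).
OLD_CONFIG = """\
access-list POLICY_NAT_1 extended permit tcp 192.168.1.0 255.255.255.0 host 198.51.100.5 eq 443
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
nat (inside) 2 access-list POLICY_NAT_1
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 interface
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp) (\S+) (\S+) host (\S+) eq (\S+)")
STATIC_RE = re.compile(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255")
GLOBAL_RE = re.compile(r"global \((\S+)\) (\d+) interface")
NAT_ACL_RE = re.compile(r"nat \((\S+)\) (\d+) access-list (\S+)")
NAT_NET_RE = re.compile(r"nat \((\S+)\) (\d+) (\S+) (\S+)")


def object_name(prefix, addr):
    """Object names are generated here (assumption); 192.168.1.0 -> NET_192_168_1_0."""
    return f"{prefix}_{addr.replace('.', '_')}"


def convert(old_config):
    """Return the 8.3+ configuration as a list of lines."""
    acls, globals_ = {}, {}
    statics, policy, dynamic = [], [], []
    for line in old_config.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := ACL_RE.fullmatch(line):
            acls[m.group(1)] = m.groups()[1:]          # proto, src, mask, dst, port
        elif m := STATIC_RE.fullmatch(line):
            statics.append(m.groups())                  # real_if, mapped_if, mapped, real
        elif m := GLOBAL_RE.fullmatch(line):
            globals_[m.group(2)] = m.group(1)           # nat id -> mapped interface
        elif m := NAT_ACL_RE.fullmatch(line):
            if m.group(2) == "0":
                raise ValueError(f"nat 0 exemption needs a hand-written identity rule: {line}")
            policy.append(m.groups())                   # real_if, nat id, acl
        elif m := NAT_NET_RE.fullmatch(line):
            dynamic.append(m.groups())                  # real_if, nat id, net, mask
        else:
            raise ValueError(f"unsupported line, rebuild by hand: {line}")

    objects = {}   # name -> body lines; dict keeps first-definition order

    def define(name, body):
        objects.setdefault(name, [body])
        return name

    def attach_object_nat(name, rule):
        # An object can carry only one object NAT rule.
        if any(l.startswith(" nat ") for l in objects[name]):
            raise ValueError(f"{name} already has an object NAT rule")
        objects[name].append(rule)

    # Section 1 (twice NAT), emitted in the order of the 8.2 policy nat lines
    # because this section is evaluated top down, first match wins.
    twice = []
    for real_if, nat_id, acl in policy:
        proto, src, mask, dst, port = acls[acl]
        s = define(object_name("NET", src), f" subnet {src} {mask}")
        d = define(object_name("HOST", dst), f" host {dst}")
        svc = define(f"SVC_{proto.upper()}_{port}", f" service {proto} destination eq {port}")
        twice.append(f"nat ({real_if},{globals_[nat_id]}) source dynamic {s} interface "
                     f"destination static {d} {d} service {svc} {svc}")

    # Section 2 (object NAT): static rules win over dynamic ones within the
    # section, matching 8.2's static-over-nat/global precedence.
    for real_if, mapped_if, mapped, real in statics:
        attach_object_nat(define(object_name("HOST", real), f" host {real}"),
                          f" nat ({real_if},{mapped_if}) static {mapped}")
    for real_if, nat_id, net, mask in dynamic:
        attach_object_nat(define(object_name("NET", net), f" subnet {net} {mask}"),
                          f" nat ({real_if},{globals_[nat_id]}) dynamic interface")

    out = []
    for name, body in objects.items():
        kind = "service" if name.startswith("SVC_") else "network"
        out += [f"object {kind} {name}", *body]
    return out + twice   # objects must exist before the twice NAT lines reference them


if __name__ == "__main__":
    print("\n".join(convert(OLD_CONFIG)))
```

For the sample ACL the policy rule comes out as `nat (inside,outside) source dynamic NET_192_168_1_0 interface destination static HOST_198_51_100_5 HOST_198_51_100_5 service SVC_TCP_443 SVC_TCP_443`, which is the 8.3+ form of "PAT this source to the outside interface only when it talks to that host on tcp/443"; the plain `nat (inside,outside) dynamic interface` under the network object covers everything else. Because twice NAT rules are matched top down, the script keeps them in the order of the original nat statements, which is the ordering point raised earlier in the thread; check that order by hand after any rule it refuses has been rebuilt.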