New Member

NAT migration on 8.2.4 to 9.1.2

Hi,

I have a new ASA 5545-X firewall with 9.1.2 software (default) and I want to replace the old 5540, which runs its current configuration on version 8.2.4.

I copied the current ASA 5540 config (old version) to the new ASA 5545-X and started with the current configuration (copy flash:old_asa_conf running-config); most of the commands were migrated except the NAT configuration.

It is hard to manually change the NAT configuration as the old ASA config has more than 200 NAT entries of various types configured.

Just want to know: is this normal behavior, and why didn't it migrate the NAT configuration? Do I have to manually configure all the NAT types configured in the old ASA version?

We can't even downgrade to 8.3 or 8.4 as the new ASA 5545-X supports 8.6.x and above. In that case, will the 8.6 code automatically migrate the NAT config from the old 8.2.4 config?

I would appreciate it if someone could advise me on this, as it will be hard to configure all the NAT configuration in the new version.

thanks..

7 REPLIES
New Member

Going up to 8.3 (and 8.4 was a little different also) Cisco changed the NAT configuration.

I would recommend the following:

Install 8.4 onto your 5540 and do an upgrade - when it does an upgrade it will do its best to upgrade the NATs. It will tell you which ones don't get auto-converted, and you will need to do those manually.

Additionally there is a partner-level tool that converts most rules from 8.2 to 9.x as well; you might want to reach out to whoever sold it to you and see if they would upgrade it for you. Don't be surprised if they a) don't know about it, or b) want to charge you for it. I say this because usually it's only about 20-30% better than just upgrading it yourself.

Also - remember when you're converting your NATs that they still perform top-down, so make sure they're in the proper order once you rebuild them.

I work for a partner and have done a number of them, and quite honestly, I usually just put one ASDM on the left and the new one on the right and manually rebuild them, because it seems to take less time that way.

New Member

Hi pkillurcco,

Many thanks for your quick response; it is really appreciated.

Actually the 5540 is currently in production and we can do anything before the migration window, but it was really a good option that I might try in a lab environment.

Could you please specify more about the partner-level tool that you suggested, so that I might go and find out more about it?

Once again many thanks for your time and reply.

New Member

Know what? I just googled the converter tool and saw that tunnelsup has a web widget to do just this: http://www.tunnelsup.com/nat-converter

Might get you what you want faster if everything else has been converted already.

However, you should also take into consideration whether or not you're using objects and object-groups as well.

The Cisco firewall upgrade tool is at https://fwmig.cisco.com, but you have to gain access to it.

New Member

Hi pkillurcco,

Once again many thanks for your reply and the wonderful tools you suggested. I tried tunnelsup first and it seems it will be helpful to a certain extent.

Meanwhile I have requested access to the Cisco tool; it was forwarded for admin approval and I hope I will get access soon.

Thanks a lot for your valuable suggestions; they are going to save me a lot of time. :)

Really appreciated. I will keep you updated on the status of both options.

New Member

Hi pkillurcco,

I tried the Cisco tool (https://fwmig.cisco.com), but it only allows converting a Juniper or Check Point firewall config to a Cisco firewall, not a Cisco firewall config from one version to another.

Anyway, thanks for your information.

Hall of Fame Super Silver

They recently changed the migration tool - the earlier version did include the ability to migrate Cisco configurations from 8.2.

I suppose they must have been having issues with that function.

Overall I agree with pkillurcco and others that rebuilding them manually both gives you a better understanding of what you have and allows you to optimize them for the new syntax. It does require some more up-front investment of time, but it's worth it in the longer term.

New Member

Hi pkillurcco and Marvin,

Thank you for your time and interest in this.

I was trying http://www.tunnelsup.com/nat-converter and it helped me to some extent; however, it cannot convert dynamic policy NAT where the match ACL has a destination port.

Then I converted the following NAT manually; however, when I tried it with packet-tracer it gave me an xlate error.

Here is the original policy NAT:

access-list inside_nat_outbound extended permit tcp object-group LAN-SUBNETS host 89.211.xx.yy object-group http-https

global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound

Here is the new NAT once converted manually:

nat (inside,outside) source dynamic LAN-SUBNETS interface destination static 89.211.xx.yy 89.211.xx.yy service obj_http obj_http

Below is the packet-tracer output which gives the xlate error:

xxx-xx-FW01# packet-tracer input inside tcp 10.130.100.1 80 89.211.xx.yy 80 detailed 

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate

I would appreciate it if you could advise me what exactly causes the above error. As per the old version config, when a packet goes from the given source to the destination IP and ports, it should do PAT on the outside interface. If I simply NAT the source/destination IP to the interface, it would allow access to the rest of the ports as well. I have many such ACLs used for policy NAT with many interfaces in the old config, and they are working fine.

It would be better if I could find a tool to convert them, as converting them manually is going to be hectic and more error-prone. If not, I just need to know how to configure dynamic policy NAT according to ACLs with destination ports, as I gave above.

thanks in advance.
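The conversion the thread is struggling with, as an added Python example (not the tunnelsup tool, the Cisco migration tool, or anything from the poster): it takes the 8.2-style policy NAT from the post (ACL + global interface + nat access-list) and emits 8.3+ twice NAT with network and service objects. The body of the http-https object-group is assumed, since the post only names it, and the destination host keeps the post's 89.211.xx.yy placeholder. Because the twice NAT service keyword takes a single service object rather than a group, a multi-port group becomes one nat line per port, in ACL order.

```python
import re

# Constructed sample in the thread's 8.2 style. The object-group body is an
# assumption (the post only names http-https); the host is the post's placeholder.
OLD_CONFIG = """
object-group service http-https tcp
 port-object eq 80
 port-object eq 443
access-list inside_nat_outbound extended permit tcp object-group LAN-SUBNETS host 89.211.xx.yy object-group http-https
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
"""

ACL_RE = (r"access-list (\S+) extended permit tcp object-group (\S+) "
          r"(host \S+|object-group \S+) (eq \S+|object-group \S+)")

def convert_policy_nat(old_config: str) -> list[str]:
    """Translate 8.2 dynamic policy NAT (ACL + 'global ... interface') into
    8.3+ twice NAT lines plus the objects they need. Handles a source
    object-group, a 'host' or object-group destination, and a service given
    as 'eq PORT' or a tcp service object-group (one nat line per port)."""
    groups, globals_, acls, out, current = {}, {}, {}, [], []
    for line in old_config.splitlines():
        if m := re.match(r"object-group service (\S+) tcp", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"\s+port-object eq (\S+)", line):
            current.append(m.group(1))
        elif m := re.match(r"global \((\S+)\) (\d+) interface", line):
            globals_[m.group(2)] = m.group(1)            # nat-id -> outside if
        elif m := re.match(ACL_RE, line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := re.match(r"nat \((\S+)\) (\d+) access-list (\S+)", line):
            inif, outif = m.group(1), globals_[m.group(2)]
            for src, dst, svc in acls[m.group(3)]:
                dkind, dval = dst.split()
                dobj = dval if dkind == "object-group" else f"obj-{dval}"
                if dkind == "host":                      # identity object
                    out += [f"object network {dobj}", f" host {dval}"]
                skind, sval = svc.split()
                for port in ([sval] if skind == "eq" else groups[sval]):
                    sobj = f"svc-tcp-{port}"
                    out += [f"object service {sobj}",
                            f" service tcp destination eq {port}",
                            f"nat ({inif},{outif}) source dynamic {src} interface "
                            f"destination static {dobj} {dobj} service {sobj} {sobj}"]
    return out

if __name__ == "__main__":
    print("\n".join(convert_policy_nat(OLD_CONFIG)))
```

Review the emitted nat lines' order before pasting them, since 8.3+ twice NAT is also evaluated top-down.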
