Cisco Cisco ASA 5515-X Adaptive Security Appliance - No Payload Encryption Installation Guide

If you have an ACE with an IP address that belongs to an interface, but the corresponding NAT command 
uses the interface keyword to identify the interface IP address, then the migration script cannot match 
the NAT command with the ACE, and it cannot know if the IP address in the ACE is real or mapped.

In this case, the migration script will not migrate the IP address; you will have to manually change the 
IP address to the real IP address. Alternatively, you can change the ACE to use the interface keyword.

For example, pre-migration, outside interface PAT is defined for an inside host:

static (inside,outside) tcp interface 80 10.2.2.2 80

 

You define an access list using the interface IP address, instead of the interface keyword:

access-list outside_access_in permit tcp any host 192.168.1.1 eq 80

access-group outside_access_in in interface outside

When you migrate to 8.3, the access list will not be migrated to the real IP address (10.2.2.2) because 
the static command could not be matched to the access-list command. If you had used the interface 
keyword, then the access list would have migrated correctly to use the real IP address instead of the 
interface keyword.

To fix the access list after migration, change the access list to use the real IP address (10.2.2.2):

access-list outside_access_in permit tcp any host 10.2.2.2 eq 80

Error Message   No ACL was changed as part of Real-ip migration

No access lists needed to be changed.

Error Message   Removing ACL <name>, it has been migrated to one or more ACLs with name format <name_x>, 
example <name_7>

An access list was migrated and resulted in two or more access lists with new names. The old access list was 

removed.

Error Message   Something changed in conversion but not clear what changed.

Internal error condition.

Error Message   Source changed for ingress ACL, can't migrate this ACL.

Internal error condition.