Cisco ASA 5515-X Adaptive Security Appliance - No Payload Encryption Installation Guide

Cisco ASA 5500 Migration to Version 8.3
OL-22176-01
  NAT Migration
Supporting Commands for NAT
To achieve migration to the new NAT commands, additional commands are created as shown in Table 4.

Table 4: Supporting Commands for NAT

Generated Commands: object network
Description:
  For each network object NAT command, an object network command is created to represent the real IP address that you want to translate; the new nat command is a subcommand under the object network command. Similarly, object network commands are created for the mapped addresses inside the new nat commands when an inline address (one that is entered directly in the command) is not feasible.
  For twice NAT, which can use only object network commands to identify IP addresses, and not inline addresses or access-list commands, IP addresses from your old configuration are converted into object network commands.
  The name commands that are used in the NAT configuration are automatically migrated to the new object network commands; the name commands remain in the configuration for use with other features that do not yet support object network commands.

Generated Commands: object service
Description:
  For twice NAT, object service commands are created for any inline services or services identified in an access-list command that was formerly used in policy NAT.

Generated Commands: object-group network
Description:
  In network object NAT, for multiple mapped addresses, an object-group network command is created that contains multiple object network commands.
See the 
 for more information about network 
and service objects, including naming conventions for these generated commands.
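
The relationships in Table 4, as an added example that is not part of the Cisco guide: a short Python parser that merges repeated object network stanzas, expands an object-group network into its member objects, and reports the real and mapped addresses behind each network object NAT rule. The configuration is constructed, all object names and addresses in it are made up, and parse and nat_report are hypothetical helper names.

```python
import re
# Constructed 8.3-style configuration; every object name and address here is made up.
SAMPLE_CONFIG = """\
object network web-real
 host 10.1.1.5
object network pool-a
 range 192.0.2.10 192.0.2.20
object network pool-b
 host 192.0.2.30
object-group network web-mapped
 network-object object pool-a
 network-object object pool-b
object network web-real
 nat (inside,outside) dynamic web-mapped
object network mail-real
 host 10.1.1.6
 nat (inside,outside) static 198.51.100.7
"""

def parse(config):
    """Collect object network stanzas (merged by name) and object-group network members."""
    objects, groups, current = {}, {}, None
    for line in config.splitlines():
        head = re.match(r"(object network|object-group network) (\S+)", line)
        if head:
            table = objects if head.group(1) == "object network" else groups
            current = table.setdefault(head.group(2), {} if table is objects else [])
        elif current is not None and line.startswith(" ") and line.strip():
            sub = line.split()
            if isinstance(current, dict) and sub[0] == "nat":
                current["nat"] = sub          # nat is a subcommand of object network
            elif isinstance(current, dict) and sub[0] in ("host", "subnet", "range"):
                current["addr"] = " ".join(sub[1:])
            elif isinstance(current, list) and sub[:2] == ["network-object", "object"]:
                current.append(sub[2])        # group member is another object network
        else:
            current = None                    # any other top-level command ends the stanza
    return objects, groups

def nat_report(config):
    """Resolve each network object NAT rule to its real and mapped addresses."""
    objects, groups = parse(config)
    report = []
    for name, obj in objects.items():
        if len(obj.get("nat", [])) >= 4:
            _, _, kind, target = obj["nat"][:4]
            # A group expands to its member objects; an undefined name is an inline address.
            mapped = [objects.get(m, {}).get("addr", m) for m in groups.get(target, [target])]
            report.append({"object": name, "real": obj.get("addr"), "type": kind, "mapped": mapped})
    return report
```

Running nat_report over a saved copy of the migrated configuration gives a per-rule list of real and mapped addresses that can be compared against the translations expected from the old configuration.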
ASDM
ASDM has supported named network objects for a number of releases; now, the platform has the 
commands to properly support them as well. In addition to showing all named network objects in the 
configuration, ASDM automatically creates objects for any IP addresses used in the configuration; these 
auto-created objects are identified by the IP address, and are not present as objects in the platform 
configuration. If you assign a name to one of these objects, then ASDM adds the named network object 
to the platform configuration.
Note
ASDM no longer shows any objects derived from the name command. Previously, you might have used 
named objects derived from the name command in ASDM. If the name command IP address was not 
migrated (see the 
), then these objects are 
replaced by auto-created objects identified by an IP address.
Preserving the Order of NAT Rules
In the old NAT configuration, the order that NAT commands were assessed depended on the type of NAT, 
and in some cases, the order in which the commands appeared in the configuration. The new NAT order 
uses a table with three sections:
  • Section 1 (twice NAT rules)—These rules are assessed based on the order they appear in the configuration. For migration purposes, this section includes migrated policy NAT rules.