Cisco ASA 5515-X Adaptive Security Appliance - No Payload Encryption Installation Guide
Cisco ASA 5500 Migration to Version 8.3
OL-22176-01
NAT Migration
• Section 2 (network object NAT (generated) rules)—These rules are assessed according to internal
rules (the ASA orders them itself, static rules before dynamic and more specific real networks first);
the order they appear in the configuration does not matter (for more information, see the
Cisco ASA 5500 Series Configuration Guide using ASDM or the Cisco ASA 5500 Series
Configuration Guide using the CLI). For migration purposes, this section includes regular NAT
rules.
• Section 3 (twice NAT rules that you specifically want to be evaluated after the network object NAT
rules)—Like section 1, these rules are assessed in the order they appear in the configuration.
However, they are assessed after section 1 and section 2 rules. This section is not used for NAT
migration.
In the case of overlapping networks (for example, if a regular static NAT rule overlaps with a dynamic
policy NAT rule), the regular static NAT rule will be migrated to section 1 instead of section 2 to preserve
the order of the configuration: if it went to section 2, the policy NAT rule in section 1 would be matched
before it. For example, the following old configuration has overlapping networks (the real address 10.1.1.6
in the static command falls inside the 10.1.1.0/24 source network of access list NET1, which the policy NAT
command uses). In this case, the static command will be migrated to a twice NAT rule in section 1.
static (inside,outside) 209.165.202.129 10.1.1.6 netmask 255.255.255.255
access-list NET1 permit ip 10.1.1.0 255.255.255.0 209.165.202.0 255.255.255.0
nat (inside) 100 access-list NET1
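The following script is an added illustration, not Cisco's migration code: it applies the placement rules described above to a pre-8.3 configuration and reports which section each NAT command lands in, rendering the migrated form for regular static commands. It reuses the configuration shown above and adds a non-overlapping static command and a nat 0 command for contrast (constructed sample input). The obj-<address> object names are an assumption, and the mapped pool for the policy dynamic NAT rule is not rendered because the matching global command is not part of the sample.

```python
"""Predict where pre-8.3 ASA NAT commands land after migration (8.3 twice NAT vs.
network object NAT), following the placement rules described on this page."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the page's overlapping example, plus one extra
# non-overlapping static and a nat 0 command for contrast.
OLD_CONFIG = """\
static (inside,outside) 209.165.202.129 10.1.1.6 netmask 255.255.255.255
static (dmz,outside) 209.165.202.140 192.168.5.10 netmask 255.255.255.255
access-list NET1 permit ip 10.1.1.0 255.255.255.0 209.165.202.0 255.255.255.0
nat (inside) 100 access-list NET1
nat (inside) 0 192.168.9.0 255.255.255.0
"""


@dataclass
class Placement:
    command: str
    section: int | None  # None: not carried over as a NAT rule
    note: str
    new_rules: list[str] = field(default_factory=list)


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _obj(net: ipaddress.IPv4Network) -> tuple[str, list[str]]:
    """Render a network object. The obj-<address> naming is an assumption."""
    name = f"obj-{net.network_address}"
    body = (f" host {net.network_address}" if net.prefixlen == 32
            else f" subnet {net.network_address} {net.netmask}")
    return name, [f"object network {name}", body]


def parse_acls(lines: list[str]) -> dict[str, list[ipaddress.IPv4Network]]:
    """ACL name -> source networks of its 'permit ip' entries (what policy NAT matches on)."""
    acls: dict[str, list[ipaddress.IPv4Network]] = {}
    for ln in lines:
        m = re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) ?(\S*)", ln)
        if not m:
            continue
        name, a, b = m.groups()
        if a == "any":
            src = ipaddress.IPv4Network("0.0.0.0/0")
        elif a == "host":
            src = ipaddress.IPv4Network(b + "/32")
        else:
            src = _net(a, b)
        acls.setdefault(name, []).append(src)
    return acls


def migrate(config: str) -> list[Placement]:
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = parse_acls(lines)

    # Real-side (interface, network) pairs covered by policy NAT. These become
    # section 1 twice NAT, and a regular static that overlaps one must too, or
    # it would be matched ahead of the policy rule after migration.
    policy: list[tuple[str, ipaddress.IPv4Network]] = []
    for ln in lines:
        m = re.match(r"nat \((\S+)\) (\d+) access-list (\S+)", ln)
        if m and int(m.group(2)) > 0:
            policy += [(m.group(1), n) for n in acls.get(m.group(3), [])]
        m = re.match(r"static \((\S+),\S+\) \S+ access-list (\S+)", ln)
        if m:
            policy += [(m.group(1), n) for n in acls.get(m.group(2), [])]

    out: list[Placement] = []
    for ln in lines:
        if re.match(r"static \(\S+\) \S+ access-list", ln):
            out.append(Placement(ln, 1, "policy static NAT -> twice NAT"))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?(?: .*)?$", ln):
            rif, mif, mapped, real, mask = m.groups()
            mask = mask or "255.255.255.255"
            rnet, mnet = _net(real, mask), _net(mapped, mask)
            rname, robj = _obj(rnet)
            mname, mobj = _obj(mnet)
            if any(i == rif and n.overlaps(rnet) for i, n in policy):
                out.append(Placement(ln, 1, "regular static overlapping policy NAT -> twice NAT",
                                     robj + mobj + [f"nat ({rif},{mif}) source static {rname} {mname}"]))
            else:
                out.append(Placement(ln, 2, "regular static -> network object NAT",
                                     mobj + robj + [f" nat ({rif},{mif}) static {mname}"]))
        elif m := re.match(r"nat \((\S+)\) (\d+) access-list (\S+)", ln):
            if int(m.group(2)) == 0:
                out.append(Placement(ln, None, "NAT exemption: migration depends on target release"))
            else:
                out.append(Placement(ln, 1, "policy dynamic NAT -> twice NAT (mapped pool from global)"))
        elif m := re.match(r"nat \((\S+)\) (\d+) \S+ \S+", ln):
            if int(m.group(2)) == 0:
                out.append(Placement(ln, None, "dynamic identity NAT (nat 0): not migrated"))
            else:
                out.append(Placement(ln, 2, "regular dynamic NAT -> network object NAT"))
    return out


if __name__ == "__main__":
    for p in migrate(OLD_CONFIG):
        print(f"[section {p.section}] {p.command}  # {p.note}")
        print("\n".join(p.new_rules))
```

Running it on the sample shows the first static command going to section 1 as a twice NAT rule, while the dmz static, which overlaps no policy NAT source network, stays in section 2 as network object NAT. Use it before upgrading to find the statics whose matching order will silently change.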
NAT Migration Guidelines and Limitations
• Dynamic identity NAT (the nat 0 command) will not be migrated. See the
. Static identity NAT is treated like any other static command, and is
converted depending on whether it is regular or policy NAT.
• NAT exemption (the nat 0 access-list command) is migrated differently depending on the release to
which you are upgrading. See the
for more information.
• When upgrading to 8.4(2) from 8.3(1), 8.3(2), or 8.4(1), migration for identity NAT will occur to
preserve existing functionality. See the
for more information.
• Regular NAT commands with the dns option will be migrated. The dns option in static PAT and
policy NAT commands will be ignored.
• Connection Settings in old NAT commands—Options such as conn-max, emb-limit,
norandomseq, or nailed will be moved to service policies.
The following naming conventions are used for the new service policies:
– class-map—class-conn-param-protocol-n
– access-list—acl-conn-param-protocol-n
– policy-map—policy-conn-param-interface
For other naming conventions related to NAT migration, see the
.
Sample NAT Migration from 8.3 and 8.4 to 8.4(2)
If you are already running 8.3(1), 8.3(2), or 8.4(1), then to preserve existing functionality, all identity
NAT statements are migrated to use the following new keywords:
• no-proxy-arp
• route-lookup (routed firewall mode only)