https://community.cisco.com/t5/network-security/startup-config-error-after-upgrading-to-asa-from-pix/m-p/2203537#M356782 <P>Hey guys.&nbsp; I get the following startup-config errors when reloading our ASA.&nbsp; A pix-&gt;asa conversion was just done on it.&nbsp; The ASA is currently running 8.2(5), and I am trying to get ready to update it to the most stable release, and wanted to make sure all my ducks are in a row.&nbsp; What is going on with the "will be identity translated for outbound"? This is part of the VPN configuration, and I understand nat0 is saying to not nat it.&nbsp; Is this something that I should be worried about?&nbsp; The ASA is not in production currently.</P><P></P><P>Let me know if you need further information</P><P></P><P>Thanks,</P><P></P><P></P><P>.........nat 0 10.37.0.116 will be identity translated for outbound</P><P>*** Output from config line 406, "nat (inside) 0 10.37.0.1..."</P><P>nat 0 xx.xx.xx.xx (PUBLIC IP) will be identity translated for outbound</P><P>*** Output from config line 431, "nat (inside) 0 xx.xx.xx..."</P><P>.........</P><P></P><P>Line 406</P><P>nat (inside) 0 10.37.0.116 255.255.255.255</P><P>Line 431</P><P>nat (inside) 0 xx.xx.xx.xx (PUBLIC IP) 255.255.255.255</P><P></P><P>Corresponding global</P><P>nat (outside) 0 access-list outside_inbound_nat0_acl outside</P><P>nat (inside) 0 access-list inside_outbound_nat0_acl</P><P></P><P>ACL</P><P>access-list outside_inbound_nat0_acl extended permit ip 172.16.16.0 255.255.255.0 any</P><P>access-list inside_outbound_nat0_acl extended permit ip any 172.16.16.0 255.255.255.0</P><P>access-list inside_outbound_nat0_acl extended permit ip 10.37.0.0 255.255.0.0 172.16.16.0 255.255.255.0</P><P>access-list inside_outbound_nat0_acl extended permit ip 172.31.0.0 255.255.0.0 172.16.16.0 255.255.255.0</P> Tue, 12 Mar 2019 00:59:22 GMT mark.kimzey 2019-03-12T00:59:22Z https://community.cisco.com/t5/network-security/startup-config-error-after-upgrading-to-asa-from-pix/m-p/2203537#M356782 <P>Hey guys.&nbsp; I get the following startup-config errors when reloading our ASA.&nbsp; A pix-&gt;asa conversion was just done on it.&nbsp; The ASA is currently running 8.2(5), and I am trying to get ready to update it to the most stable release, and wanted to make sure all my ducks are in a row.&nbsp; What is going on with the "will be identity translated for outbound"? This is part of the VPN configuration, and I understand nat0 is saying to not nat it.&nbsp; Is this something that I should be worried about?&nbsp; The ASA is not in production currently.</P><P></P><P>Let me know if you need further information</P><P></P><P>Thanks,</P><P></P><P></P><P>.........nat 0 10.37.0.116 will be identity translated for outbound</P><P>*** Output from config line 406, "nat (inside) 0 10.37.0.1..."</P><P>nat 0 xx.xx.xx.xx (PUBLIC IP) will be identity translated for outbound</P><P>*** Output from config line 431, "nat (inside) 0 xx.xx.xx..."</P><P>.........</P><P></P><P>Line 406</P><P>nat (inside) 0 10.37.0.116 255.255.255.255</P><P>Line 431</P><P>nat (inside) 0 xx.xx.xx.xx (PUBLIC IP) 255.255.255.255</P><P></P><P>Corresponding global</P><P>nat (outside) 0 access-list outside_inbound_nat0_acl outside</P><P>nat (inside) 0 access-list inside_outbound_nat0_acl</P><P></P><P>ACL</P><P>access-list outside_inbound_nat0_acl extended permit ip 172.16.16.0 255.255.255.0 any</P><P>access-list inside_outbound_nat0_acl extended permit ip any 172.16.16.0 255.255.255.0</P><P>access-list inside_outbound_nat0_acl extended permit ip 10.37.0.0 255.255.0.0 172.16.16.0 255.255.255.0</P><P>access-list inside_outbound_nat0_acl extended permit ip 172.31.0.0 255.255.0.0 172.16.16.0 255.255.255.0</P> Tue, 12 Mar 2019 00:59:22 GMT https://community.cisco.com/t5/network-security/startup-config-error-after-upgrading-to-asa-from-pix/m-p/2203537#M356782 mark.kimzey 2019-03-12T00:59:22Z https://community.cisco.com/t5/network-security/startup-config-error-after-upgrading-to-asa-from-pix/m-p/2203538#M356783 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I would imagine that there is no problem as the firewall has not given any kind of error message.</P><P></P><P>I do personally wonder sometimes why is it so (atleast in the 8.2 softares etc) that the firewall shows a message on the CLI when you are for example configuring a "global" / "nat" command pair.</P><P></P><P>I wonder if this falls into the same category.</P><P></P><P>The configuration format for NAT has stayed pretty same leading to the 8.2 softwares. I'm not totally sure what software you are going to go for but you seem to have the latest 8.2 series software so next steps are already 8.3 / 8.4 / 9.0 / 9.1</P><P></P><P>ALL of the above mentioned softwares introduce a completely new NAT configuration format to the ASA. While the ASA automatically converts the configurations its not always 100% process not to mention that the NAT configuration probably is far from optimal.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 12 Feb 2013 07:21:02 GMT https://community.cisco.com/t5/network-security/startup-config-error-after-upgrading-to-asa-from-pix/m-p/2203538#M356783 Jouni Forss 2013-02-12T07:21:02Z https://community.cisco.com/t5/network-security/startup-config-error-after-upgrading-to-asa-from-pix/m-p/2203539#M356784 <HTML><HEAD></HEAD><BODY><P>Thanks for the confirmation.&nbsp; I got her to 8.45 for now and plan on deploying it this weekend.</P></BODY></HTML> Wed, 13 Feb 2013 05:23:43 GMT https://community.cisco.com/t5/network-security/startup-config-error-after-upgrading-to-asa-from-pix/m-p/2203539#M356784 mark.kimzey 2013-02-13T05:23:43Z