11-09-2013 07:54 AM - edited 03-11-2019 08:02 PM
Hi,
I am getting the below warning messages when I am doing the IOS upgrade of an ASA5585. The current version of IOS is 8.2(5) and the converted version is 9.0(2). I would like to know whether I can ignore the warnings and move on with the new version or need to make any manual changes in the configuration.
This is my internet firewall which has DMZ as well.
WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing policy NAT ACL
Thanks
Soumya
11-09-2013 08:16 AM
Hi,
Seems you have done quite a jump with your software.
I have personally done every single migration by manually creating the configurations for the customer firewall. I doubt I will do any such bigger software jump through automatic configuration conversion, but the future updates from 8.3 all the way to 9.1 would seem a bit safer.
That being said, I have not really therefore seen the different WARNING messages of the conversion.
Your WARNING message seems to suggest that you had Static/Dynamic Policy NAT configured on the firewall before the upgrade. It also seems to suggest that you should check the ACLs. I presume that this means the ACLs that allow traffic on the interfaces regarding these rules since the new software DOES NOT use any ACLs in the NAT configurations.
So I am not sure if this is anything you should worry about. I guess your main thing to check would be whether your interface ACLs are correct. And that is naturally easy in the sense that you always refer to the real/local/actual IP address of the host and NOT the NAT IP address, as you still did in software 8.2(5) (or any software below it).
I guess if in doubt you could share the current and new Policy NAT configurations and possibly the ACLs related to them if you want to have them checked out. You can even use the "packet-tracer" command to naturally test that every NAT and interface ACL is performing the same way as before the upgrade.
I would imagine that your configuration might be large considering the hardware you are using?
Let me know if you need any help with confirming that the converted configurations are correct compared to your old ones.
- Jouni
11-09-2013 11:31 AM
For a successful upgrade from a pre-8.3 version to 9.0 or later, you need to upgrade to 8.3 or 8.4 before going to 9.0.
http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp731971
Here is an explanation of the error found in this link
http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp88029 :
Error Message ACE converted to real IP/port values based on dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing policy NAT ACL.
Explanation When you migrate policy NAT, check that the new access list does not open any security holes. For example, the following pre-migration configuration translates 10.50.50.50 to 172.23.57.170 only when the destination address is on 10.0.0.0:
access-list policyacl1 extended permit ip host 10.50.50.50 10.0.0.0 255.0.0.0
static (inside,outside) 172.23.57.170 access-list policyacl1
This access rule permits any traffic to the mapped address, but because this mapping only occurs when the traffic is to or from 10.0.0.0, this access list essentially only allows 10.0.0.0 to access the inside host:
access-list 1 permit ip any host 172.23.57.170
access-group 1 in interface outside
The migrated configuration permits any traffic to the inside host; however, because the access list now uses the real IP address, any traffic can access the inside host, and not just traffic from 10.0.0.0:
access-list 1 extended permit ip any host 10.50.50.50
access-group 1 in interface outside
Recommended Action You should fix the access list to be:
access-list 1 extended permit ip 10.0.0.0 255.0.0.0 host 10.50.50.50
access-group 1 in interface outside
Basically it is telling you to check and make sure that the configuration is correct and that there are no security holes.
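The check described in the quoted Cisco explanation can be scripted over a saved pre-upgrade and post-upgrade configuration. The following is an added example, not part of the original thread or of Cisco's documentation: the function names are hypothetical, the sample configurations are the ones from the quoted note plus two constructed lines, and it assumes ACEs that use only the `any`, `host` and address/netmask forms (ports and object-groups are not evaluated; lines it cannot parse are reported rather than dropped).

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) \S+ access-list (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def take_addr(tokens):
    """Consume one ASA address spec; return (network, remaining tokens)."""
    if tokens[0] in ("any", "any4"):
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # "address netmask" form; strict=False tolerates host bits in the address
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_aces(config):
    """Return ({acl: [(line, src, dst)]}, skipped_lines) for permit ACEs."""
    acls, skipped = {}, []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "access-list":
            continue
        rest = tok[3:] if tok[2] == "extended" else tok[2:]
        if not rest or rest[0] != "permit":
            continue
        try:
            src, after_src = take_addr(rest[2:])   # rest[1] is the protocol
            dst, _ = take_addr(after_src)          # trailing port specs ignored
        except (ValueError, IndexError):
            skipped.append(raw.strip())            # never drop a line silently
            continue
        acls.setdefault(tok[1], []).append((raw.strip(), src, dst))
    return acls, skipped


def policy_nat_peers(old_config):
    """Map (mapped_ifc, real_net) -> peer networks allowed by 8.2 policy NAT."""
    acls, _ = parse_aces(old_config)
    peers = {}
    for raw in old_config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        _real_ifc, mapped_ifc, acl = m.groups()
        # In a policy NAT ACL the source is the real host, the destination the peer
        for _line, real, peer in acls.get(acl, []):
            peers.setdefault((mapped_ifc, real), []).append(peer)
    return peers


def audit(old_config, new_config):
    """Flag migrated inbound ACEs whose source exceeds the policy NAT peers."""
    new_acls, skipped = parse_aces(new_config)
    bound = {}
    for raw in new_config.splitlines():
        m = GROUP_RE.match(raw.strip())
        if m:
            bound[m.group(2)] = m.group(1)         # interface -> inbound ACL name
    widened = []
    for (ifc, real), peers in policy_nat_peers(old_config).items():
        for line, src, dst in new_acls.get(bound.get(ifc), []):
            # Conservative: the source must fit inside a single peer network
            if dst.overlaps(real) and not any(src.subnet_of(p) for p in peers):
                widened.append(line)
    return widened, skipped


# Pre-migration policy NAT from the quoted Cisco note
OLD_8_2 = """\
access-list policyacl1 extended permit ip host 10.50.50.50 10.0.0.0 255.0.0.0
static (inside,outside) 172.23.57.170 access-list policyacl1
"""
# Migrated ACL from the note, plus two constructed lines (a narrow source
# and an invalid netmask) to exercise the other code paths
MIGRATED = """\
access-list 1 extended permit ip any host 10.50.50.50
access-list 1 extended permit udp host 10.1.2.3 host 10.50.50.50
access-list 1 extended permit esp any 192.0.2.0 255.255.255.222
access-group 1 in interface outside
"""
# Recommended fix from the note
FIXED = """\
access-list 1 extended permit ip 10.0.0.0 255.0.0.0 host 10.50.50.50
access-group 1 in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("migrated", MIGRATED), ("fixed", FIXED)):
        widened, skipped = audit(OLD_8_2, cfg)
        print(label, "widened:", widened, "unparsed:", skipped)
```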
11-09-2013 08:17 PM
Hi,
Sorry, I forgot to mention that we have upgraded from 8.2->8.4.6>9.02.
We have multiple warning messages like below. A huge number of inbound access rules have been created in the new version and we are worried whether this will create a security loop.
WARNING: MIGRATION: ACE converted to real IP/port values based on
dynamic/static Policy NAT. The new ACE(s) need to be checked for enforcing policy NAT ACL
216.163.252.25
8.2(5)
access-list outside extended permit udp host 216.163.252.25 host 203.99.194.163
access-list outside extended permit esp host 216.163.252.25 host 203.99.194.163
access-list Metlife-VPN extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.237.164.0 255.255.254.0 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
access-list Metlife-VPN extended permit esp 10.229.32.0 255.255.255.192 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.237.241.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.230.107.128 255.255.255.224 host 216.163.252.25
access-list inside1 extended permit udp 10.237.164.0 255.255.254.0 host 216.163.252.25
access-list inside1 extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
access-list inside1 extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
access-list inside1 extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
access-list inside1 extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
access-list inside1 extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
access-list inside1 extended permit ip host 10.239.23.177 host 216.163.252.25
access-list outside extended permit ip any host 203.99.194.163
9.0(2)
object network obj-216.163.252.25
host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.237.164.0 255.255.254.0 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
access-list Metlife-VPN extended permit esp 10.229.32.0 255.255.255.192 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.237.241.0 255.255.255.0 host 216.163.252.25
access-list Metlife-VPN extended permit ip 10.230.107.128 255.255.255.224 host 216.163.252.25
access-list outside extended permit udp host 216.163.252.25 host 10.239.23.56
access-list outside extended permit udp host 216.163.252.25 host 10.239.23.72
access-list outside extended permit udp host 216.163.252.25 10.239.24.0 255.255.255.0
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.15
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.94
access-list outside extended permit udp host 216.163.252.25 host 10.239.24.138
access-list outside extended permit udp host 216.163.252.25 10.239.23.0 255.255.255.0
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.101
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.208
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.20
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.78
access-list outside extended permit udp host 216.163.252.25 10.239.48.0 255.255.255.0
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.73
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.204
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.178
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.187
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.28
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.144
access-list outside extended permit udp host 216.163.252.25 host 10.239.48.105
access-list outside extended permit udp host 216.163.252.25 10.237.23.0 255.255.255.0
access-list outside extended permit udp host 216.163.252.25 host 10.237.23.179
access-list outside extended permit udp host 216.163.252.25 10.237.164.0 255.255.254.0
access-list outside extended permit udp host 216.163.252.25 10.239.50.0 255.255.255.0
access-list outside extended permit udp host 216.163.252.25 host 10.239.50.46
access-list outside extended permit udp host 216.163.252.25 host 10.237.165.120
access-list outside extended permit udp host 216.163.252.25 10.239.50.0 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 host 10.239.50.11
access-list outside extended permit udp host 216.163.252.25 host 10.239.48.142
access-list outside extended permit udp host 216.163.252.25 host 10.239.48.12
access-list outside extended permit udp host 216.163.252.25 host 10.239.50.45
access-list outside extended permit udp host 216.163.252.25 host 10.237.173.12
access-list outside extended permit udp host 216.163.252.25 host 10.237.164.72
access-list outside extended permit udp host 216.163.252.25 host 10.237.173.13
access-list outside extended permit udp host 216.163.252.25 host 10.239.20.145
access-list outside extended permit udp host 216.163.252.25 host 10.239.41.23
access-list outside extended permit udp host 216.163.252.25 host 10.242.8.128
access-list outside extended permit udp host 216.163.252.25 host 10.242.8.146
access-list outside extended permit udp host 216.163.252.25 host 10.242.8.137
access-list outside extended permit udp host 216.163.252.25 host 10.242.8.144
access-list outside extended permit udp host 216.163.252.25 10.230.144.64 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.229.32.0 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.242.50.0 255.255.255.0
access-list outside extended permit udp host 216.163.252.25 host 10.242.8.153
access-list outside extended permit udp host 216.163.252.25 host 10.242.50.68
access-list outside extended permit udp host 216.163.252.25 host 10.232.8.176
access-list outside extended permit udp host 216.163.252.25 10.242.0.128 255.255.255.128
access-list outside extended permit udp host 216.163.252.25 host 10.230.107.198
access-list outside extended permit udp host 216.163.252.25 host 10.230.107.199
access-list outside extended permit udp host 216.163.252.25 host 10.230.107.201
access-list outside extended permit udp host 216.163.252.25 10.230.107.192 255.255.255.224
access-list outside extended permit udp host 216.163.252.25 host 10.230.107.202
access-list outside extended permit udp host 216.163.252.25 10.237.226.0 255.255.255.224
access-list outside extended permit udp host 216.163.252.25 10.242.146.0 255.255.255.0
access-list outside extended permit udp host 216.163.252.25 host 10.230.107.197
access-list outside extended permit udp host 216.163.252.25 host 10.229.59.109
access-list outside extended permit udp host 216.163.252.25 10.242.97.128 255.255.255.128
access-list outside extended permit udp host 216.163.252.25 10.242.36.64 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.237.241.0 255.255.255.0
access-list outside extended permit udp host 216.163.252.25 host 10.237.241.14
access-list outside extended permit udp host 216.163.252.25 host 10.237.241.68
access-list outside extended permit udp host 216.163.252.25 host 10.237.241.94
access-list outside extended permit udp host 216.163.252.25 host 10.237.173.15
access-list outside extended permit udp host 216.163.252.25 10.242.212.0 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.242.51.128 255.255.255.128
access-list outside extended permit udp host 216.163.252.25 10.242.210.192 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 host 10.242.146.18
access-list outside extended permit udp host 216.163.252.25 host 10.239.23.168
access-list outside extended permit udp host 216.163.252.25 host 10.239.48.31
access-list outside extended permit udp host 216.163.252.25 host 10.242.195.204
access-list outside extended permit udp host 216.163.252.25 10.242.195.192 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.230.241.0 255.255.255.0
access-list outside extended permit udp host 216.163.252.25 10.230.103.128 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 host 10.230.107.144
access-list outside extended permit udp host 216.163.252.25 10.230.107.128 255.255.255.224
access-list outside extended permit udp host 216.163.252.25 10.211.202.224 255.255.255.240
access-list outside extended permit udp host 216.163.252.25 host 10.211.211.221
access-list outside extended permit udp host 216.163.252.25 host 10.229.34.43
access-list outside extended permit udp host 216.163.252.25 host 10.229.34.49
access-list outside extended permit udp host 216.163.252.25 host 10.232.38.160
access-list outside extended permit udp host 216.163.252.25 host 10.232.130.93
access-list outside extended permit udp host 216.163.252.25 host 10.233.38.151
access-list outside extended permit udp host 216.163.252.25 host 10.236.147.50
access-list outside extended permit udp host 216.163.252.25 host 10.236.147.71
access-list outside extended permit udp host 216.163.252.25 host 10.236.147.83
access-list outside extended permit udp host 216.163.252.25 host 10.236.180.4
access-list outside extended permit udp host 216.163.252.25 host 10.237.9.83
access-list outside extended permit udp host 216.163.252.25 host 10.237.9.93
access-list outside extended permit udp host 216.163.252.25 host 10.237.77.39
access-list outside extended permit udp host 216.163.252.25 host 10.237.77.74
access-list outside extended permit udp host 216.163.252.25 host 10.237.77.76
access-list outside extended permit udp host 216.163.252.25 host 10.237.173.8
access-list outside extended permit udp host 216.163.252.25 host 10.237.241.24
access-list outside extended permit udp host 216.163.252.25 host 10.237.241.183
access-list outside extended permit udp host 216.163.252.25 host 10.239.23.13
access-list outside extended permit udp host 216.163.252.25 host 10.239.23.71
access-list outside extended permit udp host 216.163.252.25 host 10.239.23.108
access-list outside extended permit udp host 216.163.252.25 host 10.239.23.109
access-list outside extended permit udp host 216.163.252.25 host 10.239.23.120
access-list outside extended permit udp host 216.163.252.25 host 10.239.23.170
access-list outside extended permit udp host 216.163.252.25 host 10.239.24.26
access-list outside extended permit udp host 216.163.252.25 host 10.239.24.158
access-list outside extended permit udp host 216.163.252.25 host 10.239.24.222
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.20
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.34
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.41
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.42
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.52
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.60
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.64
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.73
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.81
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.82
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.90
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.114
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.141
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.151
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.155
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.205
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.224
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.233
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.238
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.239
access-list outside extended permit udp host 216.163.252.25 host 10.239.30.251
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.26
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.52
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.57
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.72
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.90
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.93
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.107
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.161
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.171
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.184
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.185
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.196
access-list outside extended permit udp host 216.163.252.25 host 10.239.31.208
access-list outside extended permit udp host 216.163.252.25 host 10.239.38.17
access-list outside extended permit udp host 216.163.252.25 host 10.239.41.34
access-list outside extended permit udp host 216.163.252.25 host 10.239.41.68
access-list outside extended permit udp host 216.163.252.25 host 10.239.41.72
access-list outside extended permit udp host 216.163.252.25 host 10.239.41.78
access-list outside extended permit udp host 216.163.252.25 host 10.239.48.143
access-list outside extended permit udp host 216.163.252.25 host 10.239.50.10
access-list outside extended permit udp host 216.163.252.25 host 10.239.50.15
access-list outside extended permit udp host 216.163.252.25 host 10.239.50.31
access-list outside extended permit udp host 216.163.252.25 host 10.239.50.35
access-list outside extended permit udp host 216.163.252.25 host 10.239.50.52
access-list outside extended permit udp host 216.163.252.25 host 10.239.60.100
access-list outside extended permit udp host 216.163.252.25 host 10.239.67.18
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.17
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.23
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.34
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.42
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.53
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.75
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.76
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.77
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.114
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.117
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.118
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.120
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.136
access-list outside extended permit udp host 216.163.252.25 host 10.239.96.143
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.15
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.17
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.35
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.48
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.90
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.116
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.140
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.168
access-list outside extended permit udp host 216.163.252.25 host 10.239.98.183
access-list outside extended permit udp host 216.163.252.25 host 10.242.8.26
access-list outside extended permit udp host 216.163.252.25 host 10.242.8.53
access-list outside extended permit udp host 216.163.252.25 host 10.242.11.29
access-list outside extended permit udp host 216.163.252.25 host 10.242.11.31
access-list outside extended permit udp host 216.163.252.25 host 10.242.11.80
access-list outside extended permit udp host 216.163.252.25 host 10.242.11.81
access-list outside extended permit udp host 216.163.252.25 host 10.242.22.133
access-list outside extended permit udp host 216.163.252.25 host 10.242.22.134
access-list outside extended permit udp host 216.163.252.25 host 10.242.22.154
access-list outside extended permit udp host 216.163.252.25 host 10.242.36.76
access-list outside extended permit udp host 216.163.252.25 host 10.242.36.79
access-list outside extended permit udp host 216.163.252.25 host 10.242.36.118
access-list outside extended permit udp host 216.163.252.25 host 10.242.146.29
access-list outside extended permit udp host 216.163.252.25 host 10.242.158.227
access-list outside extended permit udp host 216.163.252.25 host 10.242.195.197
access-list outside extended permit udp host 216.163.252.25 host 207.41.226.145
access-list outside extended permit udp host 216.163.252.25 10.233.38.144 255.255.255.248
access-list outside extended permit udp host 216.163.252.25 10.230.132.160 255.255.255.224
access-list outside extended permit udp host 216.163.252.25 10.230.134.0 255.255.255.224
access-list outside extended permit udp host 216.163.252.25 10.242.68.160 255.255.255.224
access-list outside extended permit udp host 216.163.252.25 10.233.38.150 255.255.255.222
access-list outside extended permit udp host 216.163.252.25 10.229.144.0 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.236.84.64 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.237.84.128 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.239.47.192 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.242.90.64 255.255.255.192
access-list outside extended permit udp host 216.163.252.25 10.230.137.128 255.255.255.128
access-list outside extended permit udp host 216.163.252.25 10.239.56.0 255.255.255.128
access-list outside extended permit udp host 216.163.252.25 10.237.22.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.239.23.56
access-list outside extended permit esp host 216.163.252.25 host 10.239.23.72
access-list outside extended permit esp host 216.163.252.25 10.239.24.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.15
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.94
access-list outside extended permit esp host 216.163.252.25 host 10.239.24.138
access-list outside extended permit esp host 216.163.252.25 10.239.23.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.101
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.208
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.20
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.78
access-list outside extended permit esp host 216.163.252.25 10.239.48.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.73
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.204
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.178
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.187
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.28
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.144
access-list outside extended permit esp host 216.163.252.25 host 10.239.48.105
access-list outside extended permit esp host 216.163.252.25 10.237.23.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.237.23.179
access-list outside extended permit esp host 216.163.252.25 10.237.164.0 255.255.254.0
access-list outside extended permit esp host 216.163.252.25 10.239.50.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.239.50.46
access-list outside extended permit esp host 216.163.252.25 host 10.237.165.120
access-list outside extended permit esp host 216.163.252.25 10.239.50.0 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 host 10.239.50.11
access-list outside extended permit esp host 216.163.252.25 host 10.239.48.142
access-list outside extended permit esp host 216.163.252.25 host 10.239.48.12
access-list outside extended permit esp host 216.163.252.25 host 10.239.50.45
access-list outside extended permit esp host 216.163.252.25 host 10.237.173.12
access-list outside extended permit esp host 216.163.252.25 host 10.237.164.72
access-list outside extended permit esp host 216.163.252.25 host 10.237.173.13
access-list outside extended permit esp host 216.163.252.25 host 10.239.20.145
access-list outside extended permit esp host 216.163.252.25 host 10.239.41.23
access-list outside extended permit esp host 216.163.252.25 host 10.242.8.128
access-list outside extended permit esp host 216.163.252.25 host 10.242.8.146
access-list outside extended permit esp host 216.163.252.25 host 10.242.8.137
access-list outside extended permit esp host 216.163.252.25 host 10.242.8.144
access-list outside extended permit esp host 216.163.252.25 10.230.144.64 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.229.32.0 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.242.50.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.242.8.153
access-list outside extended permit esp host 216.163.252.25 host 10.242.50.68
access-list outside extended permit esp host 216.163.252.25 host 10.232.8.176
access-list outside extended permit esp host 216.163.252.25 10.242.0.128 255.255.255.128
access-list outside extended permit esp host 216.163.252.25 host 10.230.107.198
access-list outside extended permit esp host 216.163.252.25 host 10.230.107.199
access-list outside extended permit esp host 216.163.252.25 host 10.230.107.201
access-list outside extended permit esp host 216.163.252.25 10.230.107.192 255.255.255.224
access-list outside extended permit esp host 216.163.252.25 host 10.230.107.202
access-list outside extended permit esp host 216.163.252.25 10.237.226.0 255.255.255.224
access-list outside extended permit esp host 216.163.252.25 10.242.146.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.230.107.197
access-list outside extended permit esp host 216.163.252.25 host 10.229.59.109
access-list outside extended permit esp host 216.163.252.25 10.242.97.128 255.255.255.128
access-list outside extended permit esp host 216.163.252.25 10.242.36.64 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.237.241.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 host 10.237.241.14
access-list outside extended permit esp host 216.163.252.25 host 10.237.241.68
access-list outside extended permit esp host 216.163.252.25 host 10.237.241.94
access-list outside extended permit esp host 216.163.252.25 host 10.237.173.15
access-list outside extended permit esp host 216.163.252.25 10.242.212.0 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.242.51.128 255.255.255.128
access-list outside extended permit esp host 216.163.252.25 10.242.210.192 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 host 10.242.146.18
access-list outside extended permit esp host 216.163.252.25 host 10.239.23.168
access-list outside extended permit esp host 216.163.252.25 host 10.239.48.31
access-list outside extended permit esp host 216.163.252.25 host 10.242.195.204
access-list outside extended permit esp host 216.163.252.25 10.242.195.192 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.230.241.0 255.255.255.0
access-list outside extended permit esp host 216.163.252.25 10.230.103.128 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 host 10.230.107.144
access-list outside extended permit esp host 216.163.252.25 10.230.107.128 255.255.255.224
access-list outside extended permit esp host 216.163.252.25 10.211.202.224 255.255.255.240
access-list outside extended permit esp host 216.163.252.25 host 10.211.211.221
access-list outside extended permit esp host 216.163.252.25 host 10.229.34.43
access-list outside extended permit esp host 216.163.252.25 host 10.229.34.49
access-list outside extended permit esp host 216.163.252.25 host 10.232.38.160
access-list outside extended permit esp host 216.163.252.25 host 10.232.130.93
access-list outside extended permit esp host 216.163.252.25 host 10.233.38.151
access-list outside extended permit esp host 216.163.252.25 host 10.236.147.50
access-list outside extended permit esp host 216.163.252.25 host 10.236.147.71
access-list outside extended permit esp host 216.163.252.25 host 10.236.147.83
access-list outside extended permit esp host 216.163.252.25 host 10.236.180.4
access-list outside extended permit esp host 216.163.252.25 host 10.237.9.83
access-list outside extended permit esp host 216.163.252.25 host 10.237.9.93
access-list outside extended permit esp host 216.163.252.25 host 10.237.77.39
access-list outside extended permit esp host 216.163.252.25 host 10.237.77.74
access-list outside extended permit esp host 216.163.252.25 host 10.237.77.76
access-list outside extended permit esp host 216.163.252.25 host 10.237.173.8
access-list outside extended permit esp host 216.163.252.25 host 10.237.241.24
access-list outside extended permit esp host 216.163.252.25 host 10.237.241.183
access-list outside extended permit esp host 216.163.252.25 host 10.239.23.13
access-list outside extended permit esp host 216.163.252.25 host 10.239.23.71
access-list outside extended permit esp host 216.163.252.25 host 10.239.23.108
access-list outside extended permit esp host 216.163.252.25 host 10.239.23.109
access-list outside extended permit esp host 216.163.252.25 host 10.239.23.120
access-list outside extended permit esp host 216.163.252.25 host 10.239.23.170
access-list outside extended permit esp host 216.163.252.25 host 10.239.24.26
access-list outside extended permit esp host 216.163.252.25 host 10.239.24.158
access-list outside extended permit esp host 216.163.252.25 host 10.239.24.222
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.20
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.34
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.41
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.42
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.52
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.60
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.64
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.73
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.81
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.82
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.90
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.114
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.141
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.151
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.155
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.205
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.224
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.233
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.238
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.239
access-list outside extended permit esp host 216.163.252.25 host 10.239.30.251
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.26
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.52
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.57
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.72
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.90
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.93
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.107
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.161
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.171
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.184
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.185
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.196
access-list outside extended permit esp host 216.163.252.25 host 10.239.31.208
access-list outside extended permit esp host 216.163.252.25 host 10.239.38.17
access-list outside extended permit esp host 216.163.252.25 host 10.239.41.34
access-list outside extended permit esp host 216.163.252.25 host 10.239.41.68
access-list outside extended permit esp host 216.163.252.25 host 10.239.41.72
access-list outside extended permit esp host 216.163.252.25 host 10.239.41.78
access-list outside extended permit esp host 216.163.252.25 host 10.239.48.143
access-list outside extended permit esp host 216.163.252.25 host 10.239.50.10
access-list outside extended permit esp host 216.163.252.25 host 10.239.50.15
access-list outside extended permit esp host 216.163.252.25 host 10.239.50.31
access-list outside extended permit esp host 216.163.252.25 host 10.239.50.35
access-list outside extended permit esp host 216.163.252.25 host 10.239.50.52
access-list outside extended permit esp host 216.163.252.25 host 10.239.60.100
access-list outside extended permit esp host 216.163.252.25 host 10.239.67.18
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.17
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.23
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.34
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.42
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.53
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.75
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.76
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.77
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.114
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.117
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.118
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.120
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.136
access-list outside extended permit esp host 216.163.252.25 host 10.239.96.143
access-list outside extended permit esp host 216.163.252.25 host 10.239.98.15
access-list outside extended permit esp host 216.163.252.25 host 10.239.98.17
access-list outside extended permit esp host 216.163.252.25 host 10.239.98.35
access-list outside extended permit esp host 216.163.252.25 host 10.239.98.48
access-list outside extended permit esp host 216.163.252.25 host 10.239.98.90
access-list outside extended permit esp host 216.163.252.25 host 10.239.98.116
access-list outside extended permit esp host 216.163.252.25 host 10.239.98.140
access-list outside extended permit esp host 216.163.252.25 host 10.239.98.168
access-list outside extended permit esp host 216.163.252.25 host 10.239.98.183
access-list outside extended permit esp host 216.163.252.25 host 10.242.8.26
access-list outside extended permit esp host 216.163.252.25 host 10.242.8.53
access-list outside extended permit esp host 216.163.252.25 host 10.242.11.29
access-list outside extended permit esp host 216.163.252.25 host 10.242.11.31
access-list outside extended permit esp host 216.163.252.25 host 10.242.11.80
access-list outside extended permit esp host 216.163.252.25 host 10.242.11.81
access-list outside extended permit esp host 216.163.252.25 host 10.242.22.133
access-list outside extended permit esp host 216.163.252.25 host 10.242.22.134
access-list outside extended permit esp host 216.163.252.25 host 10.242.22.154
access-list outside extended permit esp host 216.163.252.25 host 10.242.36.76
access-list outside extended permit esp host 216.163.252.25 host 10.242.36.79
access-list outside extended permit esp host 216.163.252.25 host 10.242.36.118
access-list outside extended permit esp host 216.163.252.25 host 10.242.146.29
access-list outside extended permit esp host 216.163.252.25 host 10.242.158.227
access-list outside extended permit esp host 216.163.252.25 host 10.242.195.197
access-list outside extended permit esp host 216.163.252.25 host 207.41.226.145
access-list outside extended permit esp host 216.163.252.25 10.233.38.144 255.255.255.248
access-list outside extended permit esp host 216.163.252.25 10.230.132.160 255.255.255.224
access-list outside extended permit esp host 216.163.252.25 10.230.134.0 255.255.255.224
access-list outside extended permit esp host 216.163.252.25 10.242.68.160 255.255.255.224
access-list outside extended permit esp host 216.163.252.25 10.233.38.150 255.255.255.222
access-list outside extended permit esp host 216.163.252.25 10.229.144.0 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.236.84.64 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.237.84.128 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.239.47.192 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.242.90.64 255.255.255.192
access-list outside extended permit esp host 216.163.252.25 10.230.137.128 255.255.255.128
access-list outside extended permit esp host 216.163.252.25 10.239.56.0 255.255.255.128
access-list outside extended permit esp host 216.163.252.25 10.237.22.0 255.255.255.0
access-list inside1 extended permit udp 10.237.164.0 255.255.254.0 host 216.163.252.25
access-list inside1 extended permit ip 10.229.32.0 255.255.255.192 host 216.163.252.25
access-list inside1 extended permit ip 10.242.146.0 255.255.255.0 host 216.163.252.25
access-list inside1 extended permit esp 10.242.146.0 255.255.255.0 host 216.163.252.25
access-list inside1 extended permit ip 10.239.48.0 255.255.255.0 host 216.163.252.25
access-list inside1 extended permit esp 10.239.48.0 255.255.255.0 host 216.163.252.25
access-list inside1 extended permit ip host 10.239.23.177 host 216.163.252.25
nat (inside,outside) source dynamic obj-10.239.48.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
nat (inside,outside) source dynamic obj-10.237.164.0-01 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
nat (inside,outside) source dynamic obj-10.229.32.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
nat (inside,outside) source dynamic obj-10.242.146.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
nat (inside,outside) source dynamic obj-10.237.241.0 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
nat (inside,outside) source dynamic obj-10.230.107.128 obj-203.99.194.163 destination static obj-216.163.252.25 obj-216.163.252.25
11-10-2013 11:42 PM
As I mentioned in my earlier post, the message you received is telling you to make sure your ACEs for policy NAT are correctly configured after the migration.
Here is a good link to give you an overview on how NAT is now configured:
https://supportforums.cisco.com/docs/DOC-9129
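One way to pre-screen the migrated ACEs before testing each flow with packet-tracer, given as an added example that is not part of the original posts or any Cisco tooling. It assumes the ACL named `outside` is applied inbound on the outside interface, handles only the `host A`, `any` and `A MASK` address forms seen in the posted configuration, and treats a non-RFC 1918 destination as a heuristic prompt for review, since from 8.3 on interface ACLs reference real addresses.

```python
import ipaddress

# Constructed sample: five ACEs copied from the migrated configuration in this thread.
SAMPLE = """\
access-list outside extended permit esp host 216.163.252.25 host 10.236.180.4
access-list outside extended permit esp host 216.163.252.25 host 207.41.226.145
access-list outside extended permit esp host 216.163.252.25 10.233.38.144 255.255.255.248
access-list outside extended permit esp host 216.163.252.25 10.233.38.150 255.255.255.222
access-list outside extended permit esp host 216.163.252.25 10.237.22.0 255.255.255.0
"""


def take_addr(tok):
    """Consume 'host A', 'any' or 'A MASK' from a token list: (addr, mask, rest)."""
    if tok[0] == "host":
        return tok[1], "255.255.255.255", tok[2:]
    if tok[0] in ("any", "any4"):
        return "0.0.0.0", "0.0.0.0", tok[1:]
    return tok[0], tok[1], tok[2:]


def audit(config, inbound_acls=("outside",)):
    """Return (line_no, problem) pairs for ACEs that need manual review.

    inbound_acls is an assumption: names of ACLs bound inbound on untrusted
    interfaces, whose destinations must be real (untranslated) addresses.
    """
    findings = []
    for no, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        try:
            _src, _smask, rest = take_addr(tok[5:])
            dst, dmask, _ = take_addr(rest)
            net = ipaddress.IPv4Network(f"{dst}/{dmask}", strict=False)
        except (IndexError, ValueError):
            findings.append((no, "destination address or netmask is not valid"))
            continue
        if str(net.network_address) != dst:
            findings.append((no, f"{dst} is not on a {dmask} boundary"))
        if tok[1] in inbound_acls and dmask != "0.0.0.0" and not net.is_private:
            findings.append((no, f"public destination {dst}: confirm it is a real address"))
    return findings


if __name__ == "__main__":
    for no, problem in audit(SAMPLE):
        print(f"line {no}: {problem}")
```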