01-27-2011 12:31 AM - edited 02-21-2020 04:13 AM
hi everyone,
I have a problem with upgrading an ASA from version 8.2 to version 8.3 in Cisco Security Manager.
The upgrade itself is not the problem; the ASA is doing the upgrade process without any problem,
but if I want to change the version of the ASA in CSM, then I get an error that I have to unassign the NAT rules from the ASA to change the version.
When I do this, then all my configured NAT rules are gone, and I have no chance to get them back, even when I do a whole policy discovery on that device.
Is there a special procedure for upgrading an ASA from version 8.2 to 8.3 in CSM? Or is there a way to convert the existing NAT rules to the new type, like the ASA itself is doing it when it's being upgraded?
Thanks in advance
Greetz Sebastian
02-15-2011 08:26 AM
Just to bump this back to the top. I am in the same situation as the original poster - and I have a couple of firewalls with in excess of 60 nat rules each. As they are serving production web servers I can't afford a significant downtime to rebuild the configuration.
Someone else must have had to do this.
I know the firewall can upgrade itself so why not csm?
02-15-2011 10:26 AM
mm..very good question. As far as I know (but you might want to open a TAC case to have this double checked) there is no automatic way for CSM to convert the NAT policies, plus I believe that rediscover will throw some error.
The only way I believe you have is to completely delete the device and rediscover as 8.3 so that all the policy can be discovered as new.
The drawback of this method is that you will lose all the shared policy (not only the NAT shared policy).
To work around that you can try the following:
1- before deleting, create a clone device (right click -> clone)
2- delete the device
3- discover a new device (this will discover the new ASA at code 8.3 and import all your policy)
4- right click on the clone device and select copy policy
4.1 select the new imported device
4.2 select all the shared policy that were on the previous device and that you want to maintain.
Hope this will workaround your issue.
Stefano
02-16-2011 01:40 AM
Having looked at this, I tried the following.
I deleted a test device from CSM and then upgraded the device to 8.3.
I then added the device as a new machine and imported all the policies - csm recognised it as an 8.3 device and let me proceed.
The rule import worked as expected and it imported one of the new NAT rules that had been upgraded.
This is where the problems start - I now have in CSM two object nat rules. These rules cannot be edited, deleted, changed in any way. Fine if they never need to be changed but you can't guarantee this. Screenshot attached to posting.
The only way I can see to proceed would be to build the entire firewall from scratch again and swap out a unit with the existing firewall. Otherwise we will be storing up problems for future maintenance.
Any thoughts.....
03-12-2011 02:15 AM
Hi,
did you manage to solve the problem or did you try the workaround I suggested?
If it does not work, please open a TAC case so we can have a look
Stefano
03-14-2011 03:30 AM
Well I have got it working but it took a little bit of work.
I found a spare ASA firewall and rigged it up as a test lab.
I then shut down the AAA authentication and copied the startup-config from the firewall.
The 8.2 software and the copied config were put onto the test firewall.
A management address was then configured on the ASA and it was upgraded to v8.3.
I then brought the 8.3 firewall into CSM.
The NAT rules were then recoded offline (in the case of the large firewalls this took an afternoon)
Once this was done the production firewalls were upgraded - all the nat rules were deleted and then the firewall was brought back into csm. The NAT rules were then copied from the test firewall and then applied to the production unit.
This needs to be repeated for each firewall we have..... it is about an hour's downtime on each one depending on the complexity of the rule set. (A pair we did last night didn't have any NAT rules so were very easy to do).
Oh well only another 7 to go.....
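For the offline recoding step described in the post above, here is a small converter that turns pre-8.3 NAT lines into the 8.3 object NAT form. It is an added example, not code from the thread or from CSM; it handles only one-to-one static NAT with a host netmask and nat/global pairs that PAT to the interface address, and the sample config lines are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of pre-8.3 NAT lines (not taken from the thread).
LEGACY_NAT = """\
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 interface
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255
"""

IP = r"\d+\.\d+\.\d+\.\d+"
STATIC_RE = re.compile(rf"^static \((\S+),(\S+)\) ({IP}) ({IP}) netmask 255\.255\.255\.255$")
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) ({IP}) ({IP})$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) interface$")


def convert_nat(config: str) -> List[str]:
    """Translate a subset of 8.2 NAT syntax into 8.3 object NAT blocks.

    Handled: one-to-one 'static' with a host netmask, and 'nat'/'global'
    pairs where the global is the interface address (dynamic PAT).
    Anything else is echoed as a comment so nothing is silently dropped.
    """
    globals_by_id: Dict[str, str] = {}          # nat id -> outside interface
    pending: List[Tuple[str, str, str, str]] = []  # dynamic rules awaiting a global
    out: List[str] = []
    for line in (l.strip() for l in config.splitlines()):
        if not line:
            continue
        if m := STATIC_RE.match(line):
            src_if, dst_if, mapped, real = m.groups()
            out += [f"object network obj-{real}", f" host {real}",
                    f" nat ({src_if},{dst_if}) static {mapped}"]
        elif m := GLOBAL_RE.match(line):
            globals_by_id[m.group(2)] = m.group(1)
        elif m := NAT_RE.match(line):
            pending.append(m.groups())
        else:
            out.append(f"! UNCONVERTED: {line}")
    for src_if, nat_id, net, mask in pending:
        dst_if = globals_by_id.get(nat_id)
        if dst_if is None:   # nat id 0 or a global form we did not parse
            out.append(f"! UNCONVERTED: nat ({src_if}) {nat_id} {net} {mask}")
            continue
        out += [f"object network obj-{net}", f" subnet {net} {mask}",
                f" nat ({src_if},{dst_if}) dynamic interface"]
    return out
```

Every line it does not understand (identity NAT, policy NAT with an access-list, port-level statics) comes back flagged as UNCONVERTED, so the remaining rules still have to be recoded by hand and checked against the running 8.3 configuration.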
03-14-2011 03:33 AM
eh eh, good luck
Stefano