How Best to Test ASA Configuration?

Hello Community,

I'm about to set up an ASA configuration with GNS3 ASAs (see link/attachment). Can someone please show how to best test the configuration once complete?

I need something like a verification plan to ensure that the configuration would perform if in production.

Alternatively, if you could point me to sample ASA configurations that include a verification or test plan that would also be great.

Cheers

Carlton

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

1 Reply

Jouni Forss
VIP Alumni

Hi,

I guess this mostly depends on how complex each context is going to be.

The only thing I can think of at the moment would be the "packet-tracer" command on the CLI. Same can be found on the ASDM side also.

What this command does is that it shows you what rules/configurations/translations the ASA would apply to the packet if it were to enter the ASA.

Basic command format is

packet-tracer input <interface> <protocol> <source IP> <source port> <destination IP> <destination port>

Where

  • interface = The source interface where the connection would come from
  • protocol = Usually TCP/UDP/ICMP
  • source IP = Source IP address for the connection
  • source port = Random source port for the connection
  • destination IP = Destination IP address for the connection
  • destination port = Destination port for the connection

I personally use the above command to test NAT rules quite often after I've done some changes. I might also use it in cases where I have a large ACL on an interface and want to quickly test if a certain connection would pass the ACL and to which ACL line it would "hit".

I used this command quite a lot in my biggest migration project from a pre-8.2 environment to a post-8.3 environment. This was mostly because I didn't use any tool to convert the NAT rules but just went through them one by one, and when I was done I confirmed with "packet-tracer" that everything was working OK.

In the end I ended up with only 1 NAT that wasn't working, but it was simply due to Copy/Paste problems. Had a wrong destination interface in a Static NAT command.

There are naturally a lot of commands to go through the firewall when you have configured it, but I would say that the "packet-tracer" command gives the most information out of all of them.

Please do rate if you found the information helpful and/or ask more questions.

- Jouni
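The answer above describes packet-tracer as a one-off check typed at the CLI. The verification plan the question asks for is the same thing run systematically: a list of flows, each with the result you expect (allowed or dropped, and on which egress interface, which is exactly the wrong-interface NAT mistake mentioned above), with the packet-tracer output checked against that expectation. Below is an added example that does this; it is not code from the original post or from Cisco. It builds the packet-tracer command for each flow, parses the text the ASA prints (the numbered Phase blocks and the final summary with Action and Drop-reason) and reports a pass or fail per flow. The two outputs embedded in it are constructed, abridged samples in the packet-tracer output format, and the interface names, addresses, object names and ACL names are assumptions for illustration. In real use you would capture the output of each build_command() result from the ASA's CLI and feed it in as OUTPUTS.

```python
# Added example, not code from the original post: a packet-tracer driven
# verification plan. The outputs below are constructed, abridged samples in the
# packet-tracer output format; interface names, addresses and ACL names are assumptions.
from dataclasses import dataclass

@dataclass
class Flow:
    name: str
    interface: str          # ingress interface
    protocol: str           # tcp / udp / icmp
    src: str
    sport: int
    dst: str
    dport: int
    expect_action: str      # "allow" or "drop"
    expect_egress: str = "" # expected output-interface, "" to skip the check

def build_command(f: Flow) -> str:
    """packet-tracer input <interface> <protocol> <src> <sport> <dst> <dport>"""
    return f"packet-tracer input {f.interface} {f.protocol} {f.src} {f.sport} {f.dst} {f.dport}"

def parse_packet_tracer(text: str) -> dict:
    """Parse the Phase blocks and the final summary block of one packet-tracer run."""
    trace = {"action": "", "output-interface": "", "drop-reason": "", "phases": []}
    phase, in_config, in_summary = None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Result:":            # a bare "Result:" opens the summary block
            in_summary, phase = True, None
        elif in_summary:
            key, _, value = line.partition(":")
            if key.lower() in trace:
                trace[key.lower()] = value.strip()
        elif line.startswith("Phase:"):
            phase, in_config = {"type": "", "result": "", "config": []}, False
            trace["phases"].append(phase)
        elif phase is not None:
            if line.startswith("Type:"):
                phase["type"] = line[5:].strip()
            elif line.startswith("Result:"):          # per-phase ALLOW / DROP
                phase["result"] = line[7:].strip()
            elif line.endswith(":"):                  # Config: / Additional Information:
                in_config = line == "Config:"
            elif in_config and line:
                phase["config"].append(line)          # rule or NAT line that matched
    return trace

def verify(flow: Flow, trace: dict) -> tuple:
    """(passed, detail); a mismatch names the drop reason or the ACL lines hit."""
    if trace["action"] != flow.expect_action:
        rules = [c for p in trace["phases"] if p["type"] == "ACCESS-LIST" for c in p["config"]]
        why = trace["drop-reason"] or "; ".join(rules)
        return False, f"expected {flow.expect_action}, got {trace['action']} ({why})"
    if flow.expect_egress and trace["output-interface"] != flow.expect_egress:
        return False, f"expected egress {flow.expect_egress}, got {trace['output-interface']}"
    return True, f"{trace['action']} via {trace['output-interface']}"

def run_plan(flows, outputs) -> list:
    """outputs maps flow name -> text the ASA printed for build_command(flow)."""
    return [(f.name,) + verify(f, parse_packet_tracer(outputs[f.name])) for f in flows]

SAMPLE_ALLOW = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
Config:
nat (dmz,outside) source static WEB-SERVER WEB-SERVER-PUBLIC
Additional Information:
NAT divert to egress interface dmz
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any object WEB-SERVER eq https
Result:
input-interface: outside
output-interface: dmz
Action: allow
"""

SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny ip any any
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PLAN = [Flow("https-to-dmz-web", "outside", "tcp", "198.51.100.7", 40000, "203.0.113.10", 443, "allow", "dmz"),
        Flow("telnet-to-inside", "outside", "tcp", "198.51.100.7", 40001, "10.0.0.20", 23, "drop")]
OUTPUTS = {"https-to-dmz-web": SAMPLE_ALLOW, "telnet-to-inside": SAMPLE_DROP}
```

Calling run_plan(PLAN, OUTPUTS) returns one (name, passed, detail) tuple per flow. The check that matters most from a security standpoint is a flow you expect to be dropped that the trace shows as allowed: in that case the detail lists the ACL lines the trace matched, so you can see which permit let it through. The egress check catches the case where a NAT or route sends the packet out of the wrong interface even though the ACL allowed it.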
