05-21-2014 02:19 PM - edited 03-11-2019 09:13 PM
Hi,
I have a new ASA 5545-X firewall with 9.1.2 software (default) and I want to replace the old 5540, which runs the current configuration on version 8.2.4.
I copied the current ASA 5540 config (old version) to the new ASA 5545-X and started with the current configuration (copy flash:old_asa_conf running-config); most of the commands were migrated except the NAT configuration.
It is hard to manually change the NAT configuration, as the old ASA config has more than 200 NAT entries configured.
I just want to know whether this is normal behavior, why it didn't migrate the NAT configuration, and whether I have to manually configure all the NAT entries configured in the old ASA version.
We can't even downgrade to 8.3 or 8.4, as the new ASA 5545-X supports 8.6.x and above. In that case, will the 8.6 code automatically migrate the NAT config from the old config on version 8.2.4?
I would appreciate it if someone could advise me on this, as it will be hard to configure all the NAT configuration in the new version.
Thanks.
05-21-2014 02:24 PM
Going up to 8.3 (and 8.4 was a little different too), Cisco changed the NAT configuration.
I would recommend the following:
Install 8.4 onto your 5540 and do an upgrade; when it does an upgrade it will do its best to upgrade the NATs. It will tell you which ones don't get auto-converted, and you will need to do those manually.
Additionally, there is a partner-level tool that converts most rules from 8.2 to 9.x as well; you might want to reach out to whoever sold it to you and see if they would upgrade it for you. Don't be surprised if they (a) don't know about it, or (b) want to charge you for it. I say this because usually it's only about 20-30% better than just upgrading it yourself.
Also, remember when you're converting your NATs that they still perform top-down, so make sure they're in the proper order once you rebuild them.
I work for a partner and have done a number of them, and quite honestly, I usually just put the old ASDM on the left and the new one on the right and manually rebuild them, because it seems to take less time that way.
05-21-2014 02:31 PM
Hi pkillurcco,
Many thanks for your quick response; it is really appreciated.
Actually, the 5540 is currently in production and we can't do anything before the migration window, but it is a really good option that I might try in a lab environment.
Could you please give more details on the partner-level tool that you suggested, so that I can find out more about it?
Once again, many thanks for your time and reply.
05-21-2014 02:43 PM
You know what? I just googled the converter tool and saw that tunnels-up has a web widget to do just this: http://www.tunnelsup.com/nat-converter
It might get you what you want faster if everything else has already been converted.
However, you could also take into consideration whether or not you're using objects and object groups as well.
The Cisco firewall upgrade tool is at https://fwmig.cisco.com, but you have to gain access to it.
05-21-2014 02:53 PM
Hi pkillurcco,
Once again, many thanks for your reply and the wonderful tools you suggested. I tried tunnels-up first, and it seems it will be helpful to a certain extent.
Meanwhile, I have requested access to the Cisco tool; it was forwarded for admin tool approval, and I hope I will get access soon.
Thanks a lot for your valuable suggestions; this is going to save me a lot of time. :)
Really appreciated. I will keep you updated on the status of both options.
05-21-2014 03:07 PM
Hi pkillurcco,
I tried the Cisco tool (https://fwmig.cisco.com), but it only allows converting Juniper or Check Point firewall configs to Cisco firewall configs, not a Cisco firewall config from one version to another.
Anyway, thanks for your information.
05-21-2014 04:45 PM
They recently changed the migration tool; the earlier version did include the ability to migrate Cisco configurations from 8.2.
I suppose they must have been having issues with that function.
Overall, I agree with pkillurcco and others that rebuilding them manually both gives you a better understanding of what you have and allows you to optimize them for the new syntax. It does require more up-front investment of time, but it's worth it in the longer term.
05-27-2014 01:30 PM
Hi pkillurcco and Marvin,
Thank you both for your time and interest in this.
I was trying http://www.tunnelsup.com/nat-converter and it helped me to some extent. However, it cannot convert dynamic policy NAT where the match is an ACL with a destination port.
Then I converted the following NAT manually; however, when I tried it with packet-tracer, it gave me an xlate error.
Here is the original policy NAT:
access-list inside_nat_outbound extended permit tcp object-group LAN-SUBNETS host 89.211.xx.yy object-group http-https
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
Here is the new NAT once converted manually:
nat (inside,outside) source dynamic LAN-SUBNETS interface destination static 89.211.xx.yy 89.211.xx.yy service obj_http obj_http
Below is the packet-tracer output which gives the xlate error:
xxx-xx-FW01# packet-tracer input inside tcp 10.130.100.1 80 89.211.xx.yy 80 detailed
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-no-xlate-to-pat-pool) Connection to PAT address without pre-existing xlate
I would appreciate it if you could advise me what exactly causes the above error. As per the old version config, when a packet goes from the given source to the destination IP and ports, it should do PAT on the outside interface. If I simply NAT the source/destination IP to the interface, it would allow access to the rest of the ports as well. I have many such ACLs used for policy NAT with many interfaces in the old config, and it's working fine.
It would be better if I could find a tool to convert them, as converting them manually is going to be hectic and more error-prone. If not, I just need to know how to configure dynamic policy NAT according to ACLs with destination ports, as in the example I gave above.
Thanks in advance.
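Pulling together pkillurcco's point about keeping the rules in top-down order and the ACL-with-destination-port policy NAT in the last post, here is an added Python example. It is not the poster's config, not Cisco's migration tool and not the tunnels-up widget; it converts exactly one 8.2 pattern (an extended ACL referenced by `nat (inside) N access-list ACL` with a matching `global (outside) N interface`) into 8.3+ twice-NAT lines. The sample input is constructed, the `obj-`/`svc-` object names are my own convention, and it assumes the twice-NAT `service` keyword takes a service object rather than a service object-group, which is why a port group such as http-https is expanded into one rule per port.

```python
"""
Converter for one ASA 8.2 NAT pattern into 8.3+ twice-NAT syntax: an ACL-matched
dynamic PAT to the egress interface ("nat (inside) N access-list ACL" paired with
"global (outside) N interface"). Added example for the thread above; it is neither
the poster's config nor Cisco's migration tool, and the sample config is constructed.
"""
import re
from collections import defaultdict

# Constructed 8.2-style input shaped like the original post (addresses are RFC 5737 examples).
OLD_CONFIG = """
object-group service http-https tcp
 port-object eq www
 port-object eq https
access-list inside_nat_outbound extended permit tcp object-group LAN-SUBNETS host 198.51.100.10 object-group http-https
access-list inside_nat_outbound extended permit tcp host 10.130.100.1 host 198.51.100.20 eq 22
global (outside) 1 interface
nat (inside) 1 access-list inside_nat_outbound
"""

ACE_RE = re.compile(
    r"access-list (\S+) extended permit (tcp|udp) "
    r"(object-group \S+|host \S+|any) (object-group \S+|host \S+|any)"
    r"(?: (eq \S+|object-group \S+))?$"
)


def parse_old(cfg):
    """Collect tcp/udp port groups, ACEs per ACL, interface PAT pools and ACL-based nat lines."""
    port_groups, aces, pools, policy_nats = defaultdict(list), defaultdict(list), {}, []
    current_group = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"object-group service (\S+) (tcp|udp)$", line):
            current_group = m.group(1)
            continue
        if current_group and (m := re.match(r"port-object eq (\S+)$", line)):
            port_groups[current_group].append(m.group(1))
            continue
        current_group = None  # any other line ends the object-group block
        if m := ACE_RE.match(line):
            acl, proto, src, dst, svc = m.groups()
            aces[acl].append((proto, src, dst, svc))
        elif m := re.match(r"global \((\S+)\) (\d+) interface$", line):
            pools[m.group(2)] = m.group(1)  # nat-id -> egress interface (interface PAT only)
        elif m := re.match(r"nat \((\S+)\) (\d+) access-list (\S+)$", line):
            policy_nats.append((m.group(1), m.group(2), m.group(3)))
    return port_groups, aces, pools, policy_nats


def endpoint(spec, objects):
    """Twice NAT takes object names, not bare addresses: wrap 'host X' in an object network,
    pass 'any' and existing network object-group names straight through."""
    kind, _, value = spec.partition(" ")
    if kind == "any":
        return "any"
    if kind == "object-group":
        return value
    name = f"obj-{value}"  # hypothetical naming convention for this example
    objects.setdefault(name, f"object network {name}\n host {value}")
    return name


def ports(svc, port_groups):
    """Destination ports matched by the ACE. A service object-group is expanded to one port per
    rule, on the assumption that twice NAT's service keyword takes a service object, not a group."""
    if svc is None:
        return [None]
    kind, _, value = svc.partition(" ")
    return [value] if kind == "eq" else port_groups[value]


def convert(cfg):
    """Return the 8.3+ object definitions followed by the twice-NAT rules, as one text block."""
    port_groups, aces, pools, policy_nats = parse_old(cfg)
    objects, rules = {}, []
    for ingress, nat_id, acl in policy_nats:
        egress = pools[nat_id]
        # ACE order is preserved: section-1 twice NAT is evaluated top-down, as the policy ACL was.
        for proto, src, dst, svc in aces[acl]:
            real_src, real_dst = endpoint(src, objects), endpoint(dst, objects)
            for port in ports(svc, port_groups):
                rule = (f"nat ({ingress},{egress}) source dynamic {real_src} interface "
                        f"destination static {real_dst} {real_dst}")
                if port is not None:
                    svc_name = f"svc-{proto}-{port}"
                    objects.setdefault(svc_name,
                                       f"object service {svc_name}\n service {proto} destination eq {port}")
                    rule += f" service {svc_name} {svc_name}"
                rules.append(rule)
    return "\n".join(list(objects.values()) + rules)


if __name__ == "__main__":
    print(convert(OLD_CONFIG))
```

Running the script prints the object network and object service definitions first and then three nat lines in the same order as the ACEs (two for the http-https group, one for port 22). Anything outside this single pattern (static NAT, non-interface global pools, deny ACEs, nat exemption) is deliberately not handled and still has to be rebuilt by hand; treat the output as a draft to load on a lab unit and check with packet-tracer, not as a finished migration.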