I am going through http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf and I have a question about NAT exemption. According to the guide above, the migration of NAT exemption will look like this:
-----
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
-----
object network obj-vLan201
subnet vLan201 255.255.255.0
object network obj-172.19.252.0
subnet 172.19.252.0 255.255.255.0
nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
-----
My question is this: if ACL inside_nat0_outbound has multiple ACEs, does the migrated configuration contain a separate "nat (inside,any)" statement for each ACE in the original pre-8.3 config, like this?
-----
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
-----
object network obj-vLan201
subnet vLan201 255.255.255.0
object network obj-172.19.252.0
subnet 172.19.252.0 255.255.255.0
object network obj-172.19.253.0
subnet 172.19.253.0 255.255.255.0
nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.253.0 obj-172.19.253.0
-----
Our current ACL has about twenty entries, which would make for twenty NAT statements, if this is right.
Thanks,
-Mathew
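
An added example, not part of the original post and not output of Cisco's migration tool: a Python script that applies the pattern from the second listing (one object per network, one `nat` statement per ACE) to a pre-8.3 exemption ACL, so the expected statements can be compared with a migrated config. The function name `expand_nat0` and the one-statement-per-ACE mapping are assumptions taken from that listing; ACE forms other than `permit ip <net> <mask> <net> <mask>` are rejected rather than skipped.

```python
import ipaddress
import re

# Pre-8.3 exemption ACE in the form the post uses: permit ip <net> <mask> <net> <mask>
ACE_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")

def expand_nat0(config):
    """Return (object_lines, nat_lines), one nat line per ACE of each nat 0 ACL."""
    aces, unparsed, bindings = {}, {}, []
    for line in (l.strip() for l in config.splitlines()):
        if m := ACE_RE.match(line):
            aces.setdefault(m.group(1), []).append(m.groups()[1:])
        elif m := NAT0_RE.match(line):
            bindings.append(m.groups())
        elif line.startswith("access-list "):
            unparsed.setdefault(line.split()[1], []).append(line)
    masks, objects, nats = {}, [], []
    for iface, acl in bindings:
        if acl in unparsed:  # an ACE that is silently dropped changes what gets translated
            raise ValueError(f"unsupported ACE form in {acl}: {unparsed[acl][0]}")
        if acl not in aces:
            raise ValueError(f"nat 0 references undefined ACL {acl}")
        for src, smask, dst, dmask in aces[acl]:
            for net, mask in ((src, smask), (dst, dmask)):
                ipaddress.ip_network(f"0.0.0.0/{mask}")  # ValueError if not a mask
                if masks.setdefault(net, mask) != mask:
                    raise ValueError(f"obj-{net} would need two different masks")
                if f"object network obj-{net}" not in objects:
                    objects += [f"object network obj-{net}", f"subnet {net} {mask}"]
            nats.append(f"nat ({iface},any) source static obj-{src} obj-{src} "
                        f"dest static obj-{dst} obj-{dst}")
    return objects, nats

# Constructed input: the two-ACE pre-8.3 listing from the post.
SAMPLE = """\
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

if __name__ == "__main__":
    objs, nats = expand_nat0(SAMPLE)
    print("\n".join(objs + nats))
```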