Palo Alto Networks Knowledgebase: Cisco ASA to PA Migration Zone Assignment Issues

Cisco ASA to PA Migration Zone Assignment Issues

Created On 09/25/18 19:54 PM - Last Updated 02/08/19 00:03 AM


While using the PA Migration Tool on a Cisco ASA configuration, it was noted that auto zone assignment is unable to assign a zone when an access-list entry uses tcp any, udp any or ip any as its source. The workaround is to rewrite those sources as host objects named after the zone before importing the configuration.



  • Replace the any source in each affected access-list entry with a host object named after the zone:
    • tcp any -> tcp host <zone-name>-any
    • udp any -> udp host <zone-name>-any
    • ip any -> ip host <zone-name>-any
  • The zone name depends on the access-list, for example:
    • Replace "access-list fromout extended permit tcp any host eq www" with "access-list fromout extended permit tcp host outside-any host eq www"
    • Replace "access-list fromin extended permit tcp any host eq www" with "access-list fromin extended permit tcp host inside-any host eq www"
  • The zone name to use is determined by the interface to which the access-group is assigned.
    • In the example above, the access-groups fromout and fromin are applied to the outside and inside interfaces:
      access-group fromout in interface outside
      access-group fromin in interface inside
    • So if the access-groups consultants and vips are also assigned to the inside interface, use the same zone name substitution (inside-any) from steps 1 and 2 for their access-lists as well.
  • Create address name entries in the config file for each <zone-name>-any object used in steps 1 and 2, e.g.:
      name outside-any
      name inside-any
  • Import the modified config file into the Migration Tool.
  • Once the initial import is done, and before running auto zone assignment, go to the Interfaces and Zones section and create one entry per object, mapping it to its zone:
      Network                  Netmask      Zone
      <outside-any address>    <netmask>    outside
      <inside-any address>     <netmask>    inside
  • Save the change.
  • Run the Auto Zone Assignment.
  • Once the migration is complete, the outside-any, inside-any, etc. objects can be replaced with any in the PA config file.
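Steps 1 to 3 above are mechanical and easy to get wrong by hand on a large ACL set. The following script is an added example, not part of the KB article or of the Migration Tool: it reads an ASA configuration, builds the access-list to interface mapping from the access-group lines, and rewrites every tcp/udp/ip any source as host <interface>-any exactly as the steps describe, then reports which <zone-name>-any objects need name entries. The sample configuration is constructed for the example (RFC 5737 and RFC 1918 addresses; the ACL names fromout, fromin, consultants and vips follow the article). Assumptions: only the source position (the token immediately after the protocol) is rewritten, because that is the case the article covers; a destination any and the any4/any6 keywords are left untouched; an access-list that uses any but is not bound to an interface by an access-group cannot be given a zone, so it is left unchanged and reported for manual handling.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample ASA configuration for this example (not from the KB
# article): three ACLs bound to interfaces, one entry whose source is already
# a host (no rewrite needed) and one ACL that is never bound to an interface.
SAMPLE_ASA_CONFIG = """\
access-list fromout extended permit tcp any host 192.0.2.10 eq www
access-list fromin extended permit tcp any host 203.0.113.5 eq www
access-list fromin extended permit udp any host 203.0.113.53 eq domain
access-list consultants extended permit ip any 10.0.0.0 255.255.255.0
access-list vips extended permit tcp host 10.1.1.1 host 192.0.2.20 eq ssh
access-list unbound extended permit ip any any
access-group fromout in interface outside
access-group fromin in interface inside
access-group consultants in interface inside
access-group vips in interface inside
"""

# access-group <acl> in|out interface <iface>
ACCESS_GROUP_RE = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+(?:in|out)\s+interface\s+(?P<iface>\S+)\s*$"
)
# Matches only the source position: the token right after tcp/udp/ip.
# A destination "any" (later in the line) and any4/any6 are deliberately
# not matched; the KB only describes the "proto any" source case.
ANY_SOURCE_RE = re.compile(
    r"^(?P<prefix>access-list\s+(?P<acl>\S+)\s+extended\s+(?:permit|deny)\s+"
    r"(?:tcp|udp|ip)\s+)any(?=\s|$)"
)


def bind_acls_to_interfaces(config: str) -> Dict[str, str]:
    """Map each access-list name to the interface its access-group applies it to."""
    bindings: Dict[str, str] = {}
    for line in config.splitlines():
        m = ACCESS_GROUP_RE.match(line.strip())
        if m:
            bindings[m.group("acl")] = m.group("iface")
    return bindings


def rewrite_any_sources(config: str) -> Tuple[List[str], Set[str], List[str]]:
    """Rewrite 'proto any' sources as 'proto host <iface>-any' (KB steps 1-3).

    Returns (rewritten config lines,
             object names that still need a 'name' entry (KB step 4),
             ACL names that use an 'any' source but are bound to no interface).
    """
    bindings = bind_acls_to_interfaces(config)
    out: List[str] = []
    needed: Set[str] = set()
    unbound: List[str] = []
    for line in config.splitlines():
        stripped = line.strip()
        m = ANY_SOURCE_RE.match(stripped)
        if not m:
            out.append(line)
            continue
        iface = bindings.get(m.group("acl"))
        if iface is None:
            # No access-group means no interface, hence no zone to name the
            # object after: leave the line alone and report it.
            if m.group("acl") not in unbound:
                unbound.append(m.group("acl"))
            out.append(line)
            continue
        obj = f"{iface}-any"
        needed.add(obj)
        out.append(m.group("prefix") + "host " + obj + stripped[m.end():])
    return out, needed, unbound


if __name__ == "__main__":
    lines, needed, unbound = rewrite_any_sources(SAMPLE_ASA_CONFIG)
    print("\n".join(lines))
    print("! name entries to add before import:", ", ".join(sorted(needed)))
    if unbound:
        print("! ACLs with an 'any' source but no access-group:", ", ".join(unbound))
```

Feed the script your real running-config instead of SAMPLE_ASA_CONFIG, add a name entry for every object it lists, then import the result and create the matching Interfaces and Zones entries. Review the unbound list by hand: an ACL that is defined but applied to no interface carries no zone information, and the tool cannot infer one for it.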


owner: panagent
