AnsweredAssumed Answered

ASA migration, NAT policy

Question asked by Juan Lobera on Nov 6, 2018
Latest reply on Nov 16, 2018 by Juan Lobera

Hello Fellow colleagues,


So, i'm currently migrating a big customer from ASA 8.2 (around 7k lines)  to R80.10. Everything was going smoothly with smart move (didnt include NAT on the smart move script) for the access policy.


But now i started manually migrating NAT rules, what carries a complex analysis and now i'm facing an issue. I was happily using Security zones on my NAT policy and migrated around 300 lines when i verified policy and discovered it's not possible to use them on NAT policy, so, i replaced the security zone object with the anti-spoofing group for most lines and that's ok.


Issue is that i cannot replace the external zone and i only want the NAT to occur when the packet is going to some destination on the external zone and not just to "any"


The ASA does this;

 global    (outside)    187


This means, only when the routing decision points sources referenced on NAT ID 187 to interface "outside" NAT it with


While on the checkpoint i cannot figure out how to achieve that without using the zone object (as it is an external interface without anti-spoofing group) and i can not use a negated object of internal networks/hosts neither on nat policy. 


Any ideas?