https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13785#M2316 <HTML><HEAD></HEAD><BODY><P>A bit late reply, sorry.&nbsp;</P><P>importing the nat rules into excel and gropuing them by source or destination interface may help finding ways to reduce the amount of rules you have to create on Check Point side (using an "exempt" rule above the nat rule again allows a little more freedom when merging the entries)</P><P>ymmv of course <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Thu, 15 Nov 2018 19:30:03 GMT Ville_Laitinen 2018-11-15T19:30:03Z https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13782#M2313 <HTML><HEAD></HEAD><BODY><P>Hello Fellow colleagues,</P><P></P><P>So, i'm currently migrating a big customer from ASA 8.2 (around 7k lines)&nbsp; to R80.10. Everything was going smoothly with smart move (didnt include NAT on the smart move script) for the access policy.</P><P></P><P>But now i started manually migrating NAT rules, what carries a complex analysis and now i'm facing an issue. I was happily using Security zones on my NAT policy and migrated around 300 lines when i verified policy and discovered it's not possible to use them on NAT policy, so, i replaced the security zone object with the anti-spoofing group for most lines and that's ok.</P><P></P><P>Issue is that i cannot replace the external zone and i only want the NAT to occur when the packet is going to some destination on the external zone and not just to "any"</P><P></P><P>The ASA does this;</P><P>&nbsp;global&nbsp;&nbsp; &nbsp;(outside)&nbsp;&nbsp; &nbsp;187&nbsp;&nbsp; &nbsp;172.31.10.1</P><P></P><P>This means, only when the routing decision points sources referenced on NAT ID 187 to interface "outside" NAT it with 172.31.10.1</P><P></P><P>While on the checkpoint i cannot figure out how to achieve that without using the zone object (as it is an external interface without anti-spoofing group) and i can not use a negated object of internal networks/hosts neither on nat policy.&nbsp;</P><P></P><P>Any ideas?</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/73246_pastedImage_1.png" /></P><P></P><P>Thanks</P></BODY></HTML> Tue, 06 Nov 2018 20:40:51 GMT https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13782#M2313 Juan_Lobera 2018-11-06T20:40:51Z https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13783#M2314 <HTML><HEAD></HEAD><BODY><P>As an interim solution you could place the nat rule as close to the end as possible and insert a "nat exclude" rule before it with&nbsp;</P><P>src:GRP_Pat_112 dst:GRP_internal_nets translated to original/original</P><P></P><P>Not really an optimal solution but usually an acceptable one.</P></BODY></HTML> Tue, 06 Nov 2018 21:34:49 GMT https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13783#M2314 Ville_Laitinen 2018-11-06T21:34:49Z https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13784#M2315 <HTML><HEAD></HEAD><BODY><P>It's a good idea, i have 600+ lines of NAT to translate and i'll have to add more with this solution. haha, hard times bro.</P></BODY></HTML> Wed, 07 Nov 2018 13:45:00 GMT https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13784#M2315 Juan_Lobera 2018-11-07T13:45:00Z https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13785#M2316 <HTML><HEAD></HEAD><BODY><P>A bit late reply, sorry.&nbsp;</P><P>importing the nat rules into excel and gropuing them by source or destination interface may help finding ways to reduce the amount of rules you have to create on Check Point side (using an "exempt" rule above the nat rule again allows a little more freedom when merging the entries)</P><P>ymmv of course <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Thu, 15 Nov 2018 19:30:03 GMT https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13785#M2316 Ville_Laitinen 2018-11-15T19:30:03Z https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13786#M2317 <HTML><HEAD></HEAD><BODY><P>If Security Zones are ever supported in the NAT policy it will make these NAT policy conversions from Cisco much easier.</P><P></P><P>--<BR />Second Edition of my "Max Power" Firewall Book<BR /><SPAN>Now Available at </SPAN><A class="jive-link-external-small" href="http://www.maxpowerfirewalls.com" rel="nofollow">http://www.maxpowerfirewalls.com</A></P></BODY></HTML> Fri, 16 Nov 2018 14:15:19 GMT https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13786#M2317 Timothy_Hall 2018-11-16T14:15:19Z https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13787#M2318 <HTML><HEAD></HEAD><BODY><P>Totally! Was what i was doing til i realized it wasnt supported. Looking forward to that&nbsp;</P></BODY></HTML> Fri, 16 Nov 2018 15:21:20 GMT https://community.checkpoint.com/t5/General-Topics/ASA-migration-NAT-policy/m-p/13787#M2318 Juan_Lobera 2018-11-16T15:21:20Z