Juan_Lobera

ASA migration, NAT policy

Hello Fellow colleagues,

So, I'm currently migrating a big customer from ASA 8.2 (around 7k lines) to R80.10. Everything was going smoothly with SmartMove (didn't include NAT in the SmartMove script) for the access policy.

But now I started manually migrating NAT rules, which requires a complex analysis, and now I'm facing an issue. I was happily using Security Zones in my NAT policy and had migrated around 300 lines when I verified the policy and discovered it's not possible to use them in the NAT policy, so I replaced the Security Zone object with the anti-spoofing group for most lines and that's OK.

The issue is that I cannot replace the external zone, and I only want the NAT to occur when the packet is going to some destination in the external zone and not just to "any".

The ASA does this:

global (outside) 187 172.31.10.1

This means: only when the routing decision points sources referenced by NAT ID 187 to interface "outside", NAT them with 172.31.10.1.

While on the Check Point I cannot figure out how to achieve that without using the zone object (as it is an external interface without an anti-spoofing group), and I cannot use a negated object of internal networks/hosts in the NAT policy either.

Any ideas?

Thanks

5 Replies

Re: ASA migration, NAT policy

As an interim solution you could place the NAT rule as close to the end as possible and insert a "NAT exclude" rule before it with

src:GRP_Pat_112 dst:GRP_internal_nets translated to original/original

Not really an optimal solution but usually an acceptable one.
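To make the ordering concrete, here is an added example (not from the thread or from Check Point) that turns a constructed ASA 8.2 NAT ID pairing into the two Check Point rules suggested above, an exclude rule for internal destinations placed ahead of the hide rule, and then evaluates the rulebase first-match for a few packets. The `nat (inside)` lines, the internal networks standing in for GRP_internal_nets, and the destination addresses are all constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample ASA 8.2 config: the "global (outside) 187 ..." line from the post
# plus hypothetical nat (inside) lines that reference the same NAT ID.
ASA_NAT_CONFIG = """
nat (inside) 187 10.1.0.0 255.255.0.0
nat (inside) 187 10.2.5.0 255.255.255.0
global (outside) 187 172.31.10.1
"""

# Constructed stand-in for the GRP_internal_nets group: everything behind the gateway.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ANY = None  # destination "Any" in the Check Point NAT rule


@dataclass
class NatRule:
    name: str
    orig_src: list          # networks the rule matches on (the ASA NAT ID's sources)
    orig_dst: object        # list of networks, or ANY
    translated_src: object  # hide address, or None for "Original" (no translation)


def parse_asa_nat(config):
    """Group 'nat (inside) ID net mask' sources with their 'global (outside) ID ip' address."""
    sources, globals_ = defaultdict(list), {}
    for line in config.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "nat":
            sources[parts[2]].append(ipaddress.ip_network(f"{parts[3]}/{parts[4]}"))
        elif parts[0] == "global":
            globals_[parts[2]] = ipaddress.ip_address(parts[3])
    return {nat_id: (sources[nat_id], globals_[nat_id]) for nat_id in globals_}


def build_checkpoint_rules(asa):
    """For each NAT ID emit the exclude rule first, then the hide rule, as the reply suggests."""
    rules = []
    for nat_id, (srcs, hide_ip) in asa.items():
        rules.append(NatRule(f"exclude_{nat_id}", srcs, INTERNAL_NETS, None))  # original/original
        rules.append(NatRule(f"hide_{nat_id}", srcs, ANY, hide_ip))            # hide behind global IP
    return rules


def translate(rules, src, dst):
    """First-match evaluation of the NAT rulebase; returns (rule name, source after NAT)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if not any(src in n for n in rule.orig_src):
            continue
        if rule.orig_dst is not ANY and not any(dst in n for n in rule.orig_dst):
            continue
        return rule.name, str(src if rule.translated_src is None else rule.translated_src)
    return "no_match", str(src)
```

Internal-to-internal traffic from the NAT ID's sources hits the exclude rule and keeps its address; the same sources going anywhere else fall through to the hide rule, which is what the ASA's interface-bound `global` achieved.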

Juan_Lobera

Re: ASA migration, NAT policy

It's a good idea. I have 600+ lines of NAT to translate and I'll have to add more with this solution. Haha, hard times bro.


Re: ASA migration, NAT policy

A bit of a late reply, sorry.

Importing the NAT rules into Excel and grouping them by source or destination interface may help finding ways to reduce the amount of rules you have to create on the Check Point side (using an "exempt" rule above the NAT rule again allows a little more freedom when merging the entries).

YMMV of course :)


Re: ASA migration, NAT policy

If Security Zones are ever supported in the NAT policy it will make these NAT policy conversions from Cisco much easier.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
Juan_Lobera

Re: ASA migration, NAT policy

Totally! That was what I was doing 'til I realized it wasn't supported. Looking forward to that.