This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Juan_Lobera
Contributor
‎2018-11-06 12:40 PM

ASA migration, NAT policy

Hello Fellow colleagues,

So, i'm currently migrating a big customer from ASA 8.2 (around 7k lines)  to R80.10. Everything was going smoothly with smart move (didnt include NAT on the smart move script) for the access policy.

But now i started manually migrating NAT rules, what carries a complex analysis and now i'm facing an issue. I was happily using Security zones on my NAT policy and migrated around 300 lines when i verified policy and discovered it's not possible to use them on NAT policy, so, i replaced the security zone object with the anti-spoofing group for most lines and that's ok.

Issue is that i cannot replace the external zone and i only want the NAT to occur when the packet is going to some destination on the external zone and not just to "any"

The ASA does this;

 global    (outside)    187    172.31.10.1

This means, only when the routing decision points sources referenced on NAT ID 187 to interface "outside" NAT it with 172.31.10.1

While on the checkpoint i cannot figure out how to achieve that without using the zone object (as it is an external interface without anti-spoofing group) and i can not use a negated object of internal networks/hosts neither on nat policy. 

Any ideas?

Thanks

5 Replies
Ville_Laitinen
Participant
‎2018-11-06 01:34 PM

As an interim solution you could place the nat rule as close to the end as possible and insert a "nat exclude" rule before it with 

src:GRP_Pat_112 dst:GRP_internal_nets translated to original/original

Not really an optimal solution but usually an acceptable one.

Juan_Lobera
Contributor
‎2018-11-07 05:45 AM
In response to Ville_Laitinen

It's a good idea, i have 600+ lines of NAT to translate and i'll have to add more with this solution. haha, hard times bro.

0 Kudos
Ville_Laitinen
Participant
‎2018-11-15 11:30 AM
In response to Juan_Lobera

A bit late reply, sorry. 

importing the nat rules into excel and gropuing them by source or destination interface may help finding ways to reduce the amount of rules you have to create on Check Point side (using an "exempt" rule above the nat rule again allows a little more freedom when merging the entries)

ymmv of course Smiley Happy

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2018-11-16 06:15 AM

If Security Zones are ever supported in the NAT policy it will make these NAT policy conversions from Cisco much easier.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Juan_Lobera
Contributor
‎2018-11-16 07:21 AM
In response to Timothy_Hall

Totally! Was what i was doing til i realized it wasnt supported. Looking forward to that 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events