Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Juan_Lobera
Contributor

ASA migration, NAT policy

Hello Fellow colleagues,

So, i'm currently migrating a big customer from ASA 8.2 (around 7k lines)  to R80.10. Everything was going smoothly with smart move (didnt include NAT on the smart move script) for the access policy.

But now i started manually migrating NAT rules, what carries a complex analysis and now i'm facing an issue. I was happily using Security zones on my NAT policy and migrated around 300 lines when i verified policy and discovered it's not possible to use them on NAT policy, so, i replaced the security zone object with the anti-spoofing group for most lines and that's ok.

Issue is that i cannot replace the external zone and i only want the NAT to occur when the packet is going to some destination on the external zone and not just to "any"

The ASA does this;

 global    (outside)    187    172.31.10.1

This means, only when the routing decision points sources referenced on NAT ID 187 to interface "outside" NAT it with 172.31.10.1

While on the checkpoint i cannot figure out how to achieve that without using the zone object (as it is an external interface without anti-spoofing group) and i can not use a negated object of internal networks/hosts neither on nat policy. 

Any ideas?

Thanks

5 Replies
Ville_Laitinen
Participant

As an interim solution you could place the nat rule as close to the end as possible and insert a "nat exclude" rule before it with 

src:GRP_Pat_112 dst:GRP_internal_nets translated to original/original

Not really an optimal solution but usually an acceptable one.

Juan_Lobera
Contributor

It's a good idea, i have 600+ lines of NAT to translate and i'll have to add more with this solution. haha, hard times bro.

0 Kudos
Ville_Laitinen
Participant

A bit late reply, sorry. 

importing the nat rules into excel and gropuing them by source or destination interface may help finding ways to reduce the amount of rules you have to create on Check Point side (using an "exempt" rule above the nat rule again allows a little more freedom when merging the entries)

ymmv of course Smiley Happy

0 Kudos
Timothy_Hall
Legend Legend
Legend

If Security Zones are ever supported in the NAT policy it will make these NAT policy conversions from Cisco much easier.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Juan_Lobera
Contributor

Totally! Was what i was doing til i realized it wasnt supported. Looking forward to that 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events