Re: Cisco to checkpoint configuration

Kul · ‎2019-08-09

Hi all, 
Below is the Cisco router Configuration ,I would like replace the Cisco router with my Checkpoint device.
Could you please help me with suggestions 

interface GigabitEthernet0/0
 description Link to Internet + TWAN
 ip address 172.17.129.246 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip wccp web-cache redirect in
 ip wccp web-cache group-listen
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 service-policy input url-block-policy
 service-policy output WEB-BLOCK
!
interface GigabitEthernet0/1
 description 
 ip address 172.27.156.1 255.255.252.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1.2
 description LAN_NETWORK TO GEWOG CENTER
 encapsulation dot1Q 2
 ip address 172.26.159.1 255.255.252.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!

Danny · ‎2019-08-09

What exact Check Point device do you have?

Kul · ‎2019-08-09

I use 4000 series

Danny · ‎2019-08-09

Then login to the GAiA WebUI on configure the interfaces as extracted from your Cisco config.

Kul · ‎2019-08-09

I need to configure router on stick with default vlan. I used vlan is as 2 and it did not work. I could nothing gw.

Maarten_Sjouw · ‎2019-08-09

Even though it is not really supported you can setup and IP on eth1 and add a vlan on top of it and assign an IP to it.
Only thing is the Native VLAN on the switch trunk port will be the VLAN used by the main interface.
example:
eth1 is connected to a port that on the switch is set as mode access with VLAN 15 and on the FW ip address 172.17.129.246 255.255.255.252
eth2 is connected to a port set as trunk with native VLAN 1 and ip address 172.27.156.1 255.255.252.0
add eth2 vlan 2
eth2.2 set with ip address 172.26.159.1 255.255.252.0

Now routing will only work when you have a policy loaded.

Regards, Maarten

Kul · ‎2019-08-09

Thank you but 172.17.129.246/30 is connected to outside network for internet to ISP.

Maarten_Sjouw · ‎2019-08-10

And what is your actual question? Are you doing Hide NAT behind the external IP or do you have routes for the internal networks on the ISP router?

Regards, Maarten

HeikoAnkenbrand · ‎2019-08-11

That's what I do when I migrate a Cisco device to Check Point:-)

1) Creat a Cisco config file. For example cisco.txt.

Cisco> show running config

2) Upload this file to your new Check Point gateway. Now found all IP addresses in cisco config and create a IP list.

Check Point GW# more cisco.txt | grep "ip address" > iplist.txt

3) After that you can customize the file via vi. Now edit the iplist.txt and replace the cisco syntax with the check point GAIA syntax.

For example Cisco syntax:
ip address 172.17.129.246 255.255.255.252

to Check Point syntax.
Now set the interface (red) for example eth0.1 and add the interface settings (green) for all interfaces:

set interface eth0.1 ipv4-address 172.17.129.246 mask 255.255.255.252
set interface eth0.1 link-speed 1000M/full
set interface eth0.1 state on
set interface eth0.1 auto-negotiation on
set interface eth0.1 mtu 1500

4) Now load the new iplist.txt file in GAIA via CLISH and save the new config:
Check Point GW> load configuration iplist.txt
Check Point GW> save config

PS:
- You can also take over the routes by adjusting the syntax.
- The NAT settings are added as NAT rules in the SmartConsole.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

Are you a member of CheckMates?

Cisco to checkpoint configuration