1. Do I need to NAT-translate all of my internal networks back to the same addresses to get to internal DMZs in order for communications to take place? It seemed that I had to do this to get it to work.
2. I am converting from Checkpoint to ASA 5520 and am taking each rule in the Checkpoint and trying to add an equivalent access-list command in the ASA. In Checkpoint, all rules are just added with no interface specified, but in the ASA it wants an interface to assign it to. So the question is this: when converting these Checkpoint rules to the ASA, what direction should the converted access list be (inbound or outbound), and what interface would I apply it to? I've included a snapshot of a few of the Checkpoint rules for reference in this conversation. Rule #2: source inex2-owa is in the DMZ and the destination FDBSID is on the inside.
0) I don't necessarily believe in security by obscurity, but you should never share your firewall rules with the public at large...
1) You can use NAT exemption to handle this. It is not necessarily required if you use no nat-control, which is the default unless you upgraded your ASA from an earlier configuration where no nat-control was not available. I'd recommend NAT exemption.
2) There is a tool available to convert a Checkpoint config to an ASA config. I'd recommend using that and then tweaking the configuration by hand; never use the converted configuration without tweaking. As far as ACL direction, the usual approach is to apply inbound ACLs on all interfaces. Outbound ACLs are generally used to further tweak the policy if required.
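The two points in the answer above (NAT exemption between inside and the DMZ, and an inbound ACL on the interface where the traffic enters the ASA) as an added ASA configuration example. This is not part of the original thread and not output of the Checkpoint conversion tool. The interface names, addresses, and the mapping of inex2-owa and FDBSID to host addresses are hypothetical; the service is left as "ip" because the Checkpoint rule's service column is not shown in the thread. Syntax is the pre-8.3 form, which is the release train in which nat-control exists.

```cisco
! Added example; interface names and addresses are hypothetical.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! Point 1) NAT exemption (identity NAT): traffic between inside and dmz
! crosses the ASA untranslated in both directions, so no "translate back
! to the same address" rules are needed. "nat (ifc) 0 access-list" is
! exemption, not a translation, and takes precedence over other nat rules.
access-list NONAT_INSIDE extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT_INSIDE
access-list NONAT_DMZ extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz) 0 access-list NONAT_DMZ
!
! Point 2) Checkpoint rule #2 (source inex2-owa in the DMZ, destination
! FDBSID on the inside) becomes an INBOUND ACL on the dmz interface,
! because that is where the first packet of the flow enters the ASA.
! Host addresses below are assumed for the example.
names
name 172.16.1.10 inex2-owa
name 10.1.1.20 FDBSID
access-list DMZ_IN extended permit ip host inex2-owa host FDBSID
! Replace "ip" with the Checkpoint rule's service, e.g.
!   access-list DMZ_IN extended permit tcp host inex2-owa host FDBSID eq 443
! Everything not matched is dropped by the implicit deny; log it while tuning.
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz
```

Two checks worth running after pasting this in: `show nat` (pre-8.3) should list the exemption entries with a non-zero hit count once inside-to-DMZ traffic flows, and `packet-tracer input dmz tcp 172.16.1.10 1025 10.1.1.20 443` will walk the ACL and NAT phases and show exactly which rule permits or drops the flow. The return traffic for an established connection is allowed by the ASA's stateful inspection, so no matching outbound ACL on inside is needed for rule #2; an ACL on the inside interface is only required for flows that originate on the inside.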