Configuring NAT on an ASA - Migration from a Check Point
As the heading suggests, I have been tasked with replacing our Corporate Firewall, which is a Check Point, with an ASA 5512X. This is an extremely daunting task. I know there are conversion tools and I have tried them, so please don't suggest them... they are rubbish.
I have already done the Access-lists, interfaces and routes, and am now only left with the NAT configuration.
The problem is that the NAT on the Check Point is processed sequentially from top to bottom. It therefore does not use a NAT Order of Operations like an ASA does. The Check Point is also using every form of NAT possible (NAT Exemption, Hide NAT, static destination NAT, static source NAT etc.). This and the fact that there are about 200 NAT lines on the Check Point make it incredibly difficult to be sure I am doing things correctly. I am also using "New NAT (version 9)" so this just adds to the already impossible task.
What I wanted to know is whether there is any easy way of getting through this list. I was thinking that if there was a way I could make the Firewall NAT exempt by default without needing to configure anything, I could just focus on the Hide NATs and static NATs. This alone would make it much easier.
I know the old method of making the ASA act like a Firewall was by not enabling NAT-Control. However, I believe there is no such thing as NAT Control on the new ASA versions. I guess I could also find a way of using "nat (inside,any)" to cover all NAT exemptions per subnet without needing to put in all the destinations. My concern is then that the PATs will not be looked at, as it will catch the NAT exemption for everything. I have read one could use the "after-auto" keyword to perhaps get around this?
As you can see, there are so many things to consider now and I can't see myself replacing this firewall without a huge cock-up.
If you guys could please give me some advice on how the experts would do this please let me know!
So, by default traffic is permitted as if it's a router? Even from a low to high security zone, or just from high to low?
What about things that one would use a Hide NAT for, which is usually used for Internet traffic? If traffic from inside is trying to get to another network on the WAN that needs to be NAT exempted, it will try to use the Hide NAT. I would therefore need explicit NAT statements for NAT exempt.
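The following is an added example, not part of the original thread, showing how the three NAT sections on ASA 9.x interact when the Check Point rule base is translated by hand. All object names, subnets, interface names and the public address are assumed for illustration. Section 1 (manual, "twice" NAT) is evaluated first, top to bottom; Section 2 (object/"auto" NAT) is evaluated only if nothing in Section 1 matched, static rules before dynamic; Section 3 (manual NAT with after-auto) is a last resort. This is why a blanket identity rule placed in Section 1 would swallow the Hide NAT, and why the same rule placed after-auto would never be reached for destinations the Hide NAT already covers: the explicit per-destination exemptions in Section 1 are the part that cannot be skipped.

```cisco
! Added example (not from the original post). Names and addresses are assumed.
object network INSIDE-LAN
 subnet 10.1.0.0 255.255.0.0
object network WAN-PARTNER
 subnet 172.16.50.0 255.255.255.0
object network VPN-REMOTE
 subnet 10.2.0.0 255.255.0.0
object network WEB-SERVER
 host 10.1.10.5

! Section 1: manual (twice) NAT, checked first, top to bottom.
! Identity NAT with an explicit destination is the ASA equivalent of a
! Check Point "NAT exemption" rule: source and destination map to themselves,
! so traffic to WAN-PARTNER and VPN-REMOTE bypasses the Hide NAT below.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static WAN-PARTNER WAN-PARTNER no-proxy-arp route-lookup
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-REMOTE VPN-REMOTE no-proxy-arp route-lookup

! Section 2: object (auto) NAT, consulted only when no Section 1 rule matched.
! Static rules are evaluated before dynamic ones within this section.
object network WEB-SERVER
 nat (inside,outside) static 203.0.113.10
! Hide NAT / dynamic PAT for everything else leaving the inside interface.
object network INSIDE-LAN
 nat (inside,outside) dynamic interface

! Section 3: manual NAT with after-auto, consulted only when Sections 1 and 2
! both missed. A blanket identity rule here is NOT an exemption for the WAN
! networks, because the Section 2 PAT has already claimed that traffic.
nat (inside,any) after-auto source static INSIDE-LAN INSIDE-LAN
```

To confirm which rule a given flow hits before moving the next interface across, use "show nat detail" (it prints the rules in their evaluated order, with hit counts) and "packet-tracer input inside tcp 10.1.10.20 12345 172.16.50.10 443" for a constructed flow from the inside host to the partner network; the NAT phase of the trace names the exact line that matched, which is the quickest way to catch an exemption that is being shadowed by the Hide NAT.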
Thanks. So I don't have any real "quick" way of doing this? My plan is to migrate each interface across to the ASA one at a time. This way I can test connectivity and specifically the NATs, and move on to the next interface.
Thanks for the assistance. I was hoping there was a quick and proven way of getting this done.