I'm working on a migration of a CheckPoint Firewall to an ASA 5520. I'm stuck on a situation where it seems the ASA cannot "reproduce" the CheckPoint configuration. Here is the scenario:
- IP Address X on the Internet accesses IP Address X1 in the Inside network through the X-NAT address.
- IP Address Y on the Internet accesses IP Address Y1 in the Inside network through the same X-NAT address.
CheckPoint already does this, but I couldn't find a way to do the same with the ASA.
I've tried Policy NAT, but it doesn't seem to work well with static translations.
Has anyone done this before?
Any suggestions will be appreciated.
It all depends on whether you want to use the same X-NAT address; if so, policy NAT is the best way. Another way would be to use port forwarding NAT using the same X-NAT address.
Thank you for the prompt response.
Yes, I need to use the same X-NAT address.
Port forwarding is not an option because I need several overlapping ports on different IP addresses.
I also believed policy NAT was the best way, then I found this link.
It seems the ASA cannot do that.
I'm just wondering if it could be done in another way.
Thoughts are: good link, but not conclusive for your requirement. Can you expand more on what you want to do (using dummy IPs to help)?
What I must do is for example:
22.214.171.124 (internet) ----> ASA (NAT IP 126.96.36.199) ----> 10.1.1.1 (inside)
188.8.131.52 (internet) ----> ASA (NAT IP 184.108.40.206) ----> 10.1.1.2 (inside)
When packets come from 220.127.116.11 the ASA should redirect them to inside IP 10.1.1.1.
When packets come from 18.104.22.168 the ASA should redirect them to inside IP 10.1.1.2.
That is, packets are forwarded to the inside network based on the source Internet address.
This is the way CheckPoint works today and I need to reproduce the same configuration on the ASA.
Hope it is clear now...
I must admit at first glance this is very interesting to solve; however, I have a question: what are servers 10.1.1.1 and 10.1.1.2, and what is the requirement for separate source IPs to connect to separate internal hosts?
Thank you for your interest.
Well, this is a migration from a CheckPoint firewall to an ASA, as I said before. I confess that I don't understand why this was done this way in CheckPoint. The point here is that I am supposed to replicate the CheckPoint configuration on this new ASA. :)
My customer doesn't care how this will be done. His only wish is that after exchanging the CheckPoint for the ASA he can use the network the same way as before. :(
Regarding your question, servers 10.1.1.1 and 10.1.1.2 are just an example. In the real configuration there are dozens of IPs in this situation.
The main use for this is, for example, Partner Enterprise ABC must access server IP 10.1.1.1.
Partner Enterprise DEF must access server IP 10.1.1.2.
Partner Enterprise XYZ must access server IP 10.1.1.99.
Each server has specific services running on it. For example, 10.1.1.1 has FTP and HTTP. Server 10.1.1.10 has WTS, FTP, SMTP and so on.
Can I use a different static translation for each server? Technically yes, there are a lot of real IPs available. But the concern is contacting every Partner Enterprise and asking them to change their configuration too. Too painful and too prolonged.
Again, I don't know why this was done this way in the first place. I'm just trying to figure out a way to do the same on the ASA.
I'll be honest - I am not 100% sure about this, but will do some digging and take it into the lab.
In the meantime perhaps another netpro has the answer; until then I will find out.
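As an added example (not from this thread or any of its posters), the source-dependent static translation the original poster describes can be expressed on an ASA as twice NAT, where each rule matches on both the partner's source address and the shared mapped address and picks the inside server accordingly. This assumes ASA software 8.3 or later (the syntax does not exist on earlier code, which is the era the linked page is about); all addresses are constructed RFC 5737 placeholders and the object names are my own.

```cisco
! Constructed placeholder addresses, not the thread's real ones
object network PARTNER_ABC
 host 203.0.113.10
object network PARTNER_DEF
 host 203.0.113.20
object network SRV_10_1_1_1
 host 10.1.1.1
object network SRV_10_1_1_2
 host 10.1.1.2
object network X_NAT
 host 198.51.100.5
!
! Twice NAT: the destination translation chosen depends on the source.
! Read outside-to-inside: traffic from PARTNER_ABC sent to the shared
! mapped address X_NAT has its destination rewritten to 10.1.1.1;
! traffic from PARTNER_DEF sent to the same X_NAT goes to 10.1.1.2.
! Order matters: rules are evaluated top down within section 1.
nat (outside,inside) source static PARTNER_ABC PARTNER_ABC destination static X_NAT SRV_10_1_1_1
nat (outside,inside) source static PARTNER_DEF PARTNER_DEF destination static X_NAT SRV_10_1_1_2
!
! The interface ACL still has to permit the flow. On 8.3+ it is written
! against the real (inside) addresses, so each partner is restricted to
! its own server and only the services that server actually exposes.
access-list OUTSIDE_IN extended permit tcp object PARTNER_ABC object SRV_10_1_1_1 eq 80
access-list OUTSIDE_IN extended permit tcp object PARTNER_ABC object SRV_10_1_1_1 eq 21
access-list OUTSIDE_IN extended permit tcp object PARTNER_DEF object SRV_10_1_1_2 eq 80
access-group OUTSIDE_IN in interface outside
!
! Verification: trace one packet per partner and confirm the NAT phase
! shows the expected untranslated destination before committing to
! the migration.
packet-tracer input outside tcp 203.0.113.10 12345 198.51.100.5 80
packet-tracer input outside tcp 203.0.113.20 12345 198.51.100.5 80
show nat detail
```

Because each partner gets its own rule, the overlapping-port requirement is handled naturally: the same port on X_NAT maps to a different inside host per source, and the ACL is what limits each partner to the services it should reach.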