590 Views, 0 Helpful, 4 Replies

Configuring NAT on an ASA - Migration from a Check Point

Grant McBride
Level 1

Hi All,

As the heading suggests, I have been tasked with replacing our corporate firewall, which is a Check Point, with an ASA 5512-X. This is an extremely daunting task. I know there are conversion tools and I have tried them, so please don't suggest them...they are rubbish.

 

I have already done the Access-lists, interfaces and routes, and am now only left with the NAT configuration.

 

The problem is that the NAT on the Check Point is processed sequentially from top to bottom. It therefore does not use a NAT Order of Operations like an ASA does. The Check Point is also using every form of NAT possible (NAT Exemption, Hide NAT, static destination NAT, static source NAT etc.). This and the fact that there are about 200 NAT lines on the Check Point make it incredibly difficult to be sure I am doing things correctly. I am also using "New NAT (version 9)" so this just adds to the already impossible task.

 

What I wanted to know is whether there is any easy way of getting through this list. I was thinking that if there was a way I could make the firewall do NAT exemption by default without needing to configure anything, I could just focus on the Hide NATs and static NATs. This alone would make it much easier.

I know the old method of making the ASA act like a firewall was by not enabling NAT-Control. However, I believe there is no such thing as NAT-Control on the new ASA versions. I guess I could also find a way of using "nat (inside,any)" to cover all NAT exemptions per subnet without needing to put in all the destinations. My concern is then that the PATs will not be looked at, as it will catch the NAT exemption for everything. I have read that one could use the "after-auto" keyword to perhaps get around this?

 

As you can see, there are so many things to consider now and I can't see myself replacing this firewall without a huge cock-up.

If you could please give me some advice on how the experts would do this, please let me know!

 

Your assistance is GREATLY appreciated.

 

Thanks

Grant

4 Replies

Vibhor Amrodia
Cisco Employee

Hi,

To be clear on the query, you don't need any explicit NAT statements on the ASA device to work like a NAT exemption. By default, traffic is permitted without NAT statements.

Now, I think you should focus on the Static NAT/Port Forwards first, as it will be most important. Then you can check for the Hide NATs.

It will be daunting, but if you can share the changed configuration, we can see if there can be some improvements made to it further.

Thanks and Regards,

Vibhor Amrodia

Thanks Vibhor.

So, by default traffic is permitted as if it's a router? Even from a low to high security zone, or just from high to low?

What about things that one would use a Hide NAT for, which is usually used for Internet traffic? If traffic from inside is trying to get to another network on the WAN that needs to be NAT exempted, it will try to use the Hide NAT. I would therefore need explicit NAT statements for NAT exemption.

 

Regards

Grant

Hi,

Traffic will be permitted through the NAT phase but still checked under the ACL and security levels.

For this requirement, you would need explicit NAT statements for exemption.

Thanks and Regards,

Vibhor Amrodia
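The two points made in this thread (the original post's question about "nat (inside,any)" shadowing the PATs and the "after-auto" keyword, and the reply above that exemptions need explicit statements while ACLs and security levels still apply) come together in the way the ASA 8.3+/9.x NAT table is evaluated: Section 1 (manual/twice NAT) top down, then Section 2 (object/auto NAT), then Section 3 (manual NAT marked after-auto), first match wins. The fragment below is an added example, not configuration from the original post or from Cisco's documentation; every object name, interface name and address in it is hypothetical, since the thread gives none, and it shows one rule of each type the poster listed (NAT exemption, static source NAT, port forward, Hide NAT) placed in the section where it cannot shadow the others.

```cisco
! --- Hypothetical objects (the thread names no real networks) -------------
object network INSIDE-LAN
 subnet 10.1.0.0 255.255.0.0
object network PARTNER-NET
 subnet 172.16.50.0 255.255.255.0
object network DMZ-WEB
 host 10.2.0.10
object network DMZ-WEB-PUBLIC
 host 203.0.113.10
object network DMZ-APP
 host 10.2.0.20
object network DMZ-APP-PUBLIC
 host 203.0.113.11

! --- Section 1: manual (twice) NAT, evaluated first, top down ------------
! "NAT exemption" is an identity rule: source and destination are mapped to
! themselves.  Because a destination is specified, it matches ONLY traffic
! to PARTNER-NET; a rule with no destination (e.g. "nat (inside,any) source
! static INSIDE-LAN INSIDE-LAN") would match everything and shadow the PAT.
! no-proxy-arp / route-lookup stop the ASA answering ARP for mapped
! addresses and make it route the packet instead of trusting the NAT pair.
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static PARTNER-NET PARTNER-NET no-proxy-arp route-lookup

! --- Section 2: object (auto) NAT ------------------------------------------
! Static 1:1 source NAT for the DMZ web server.  Object NAT is written
! inside the object that holds the REAL address.
object network DMZ-WEB
 nat (dmz,outside) static DMZ-WEB-PUBLIC

! Port forward (static NAT of a single port): real tcp/8080 published as
! tcp/80 on the mapped address.  Syntax is "service proto real_port mapped_port".
object network DMZ-APP
 nat (dmz,outside) static DMZ-APP-PUBLIC service tcp 8080 80

! --- Section 3: manual NAT after-auto ---------------------------------------
! The catch-all Hide NAT (dynamic PAT to the outside interface address).
! "after-auto" puts it in Section 3, so it is only consulted once nothing in
! Sections 1 and 2 matched; the exemption and the statics above always win.
nat (inside,outside) after-auto source dynamic any interface
nat (dmz,outside) after-auto source dynamic any interface

! --- NAT does not replace the access policy ---------------------------------
! Inbound traffic to the published servers still needs an ACL on the lower
! security interface.  Since 8.3 the ACL references the REAL (untranslated)
! address, not the mapped one.
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-list OUTSIDE-IN extended permit tcp any object DMZ-APP eq 8080
access-group OUTSIDE-IN in interface outside
```

To check which rule a flow hits before cutting over an interface, use `show nat` (rule order and per-rule hit counters) and `packet-tracer`, which walks the NAT sections and the ACL for one synthetic packet: `packet-tracer input inside tcp 10.1.2.3 12345 172.16.50.8 443` should report the Section 1 identity rule with no translation, `packet-tracer input inside tcp 10.1.2.3 12345 198.51.100.20 443` should fall through to the after-auto PAT, and `packet-tracer input outside tcp 198.51.100.20 40000 203.0.113.11 80` should untranslate to 10.2.0.20:8080 and then be permitted by OUTSIDE-IN. When a Section 1 rule must sit above an existing one, give it a line number (`nat (inside,outside) 1 source static ...`) rather than relying on configuration order.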

Thanks. So I don't have any real "quick" way of doing this? My plan is to migrate each interface across to the ASA one at a time. This way I can test connectivity, and specifically the NATs, and move on to the next interface.

Thanks for the assistance. I was hoping there was a quick and proven way of getting this done.

 

Regards

Grant
