
Checkpoint to ASA Conversion (negate ability in Checkpoint)

campbech1
Level 1

I am in the middle of a Checkpoint to ASA conversion and so far it's gone pretty well.

My current problem though is that Checkpoint allowed me to create an ACL in which I could specify that a group I created called RFC_1918_Group would not be allowed coming in my outside int but everything else would be allowed.

Any way to do this in the ASA without creating a permit statement along with a deny statement?

Attached is what the rule looks like in Checkpoint.

Thanks in advance! This could cut down my rule base by a few lines.

3 Replies

whisperwind
Level 1

There is no predefined RFC1918 grouping in the ASA. There is NO RFC1918 in checkpoint either. The user has to create that.

What he is asking will require two separate lines of groups to do the trick. The first line in the ACL should block RFC1918 addresses while the second ACL line permits from Any.

Pix ACL is dumb, it is not as smart as checkpoint policy.

Thank you Kevin. That is what I thought but was hoping the ASA was smarter than that.

Two ACLs it is then.

Thanks again.
