05-06-2009 06:58 AM - edited 02-21-2020 03:26 AM
Hi,
I'm working on a migration of a CheckPoint Firewall to an ASA5520. I'm stuck on a situation where it seems the ASA cannot "reproduce" the CheckPoint configuration. Here is the scenario:
- IP Address X on the Internet accesses IP Address X1 in the Inside network through the X-NAT Address.
- IP Address Y on the Internet accesses IP Address Y1 in the Inside network through the same X-NAT Address.
CheckPoint already does this, but I couldn't find a way to do the same with ASA.
I've tried with Policy NAT, but it seems it doesn't work well with static translations.
Has anyone done this before?
Any suggestions will be appreciated
Thanks
Marcelo
05-06-2009 07:15 AM
It all depends on whether you want to use the same X-NAT address; if so, policy NAT is the best way. Another way would be to use port forwarding NAT using the same X-NAT address.
05-06-2009 09:03 AM
Hi Andrew,
Thank you for the prompt response.
Yes, I need to use the same X-NAT address.
Port forwarding is not the case because I need several overlapping ports on different IP addresses.
I also believed policy NAT was the best way, then I found this link.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1116647
It seems ASA cannot do that.
I'm just wondering if it could be done in another way.
Any thoughts?
Thanks
05-06-2009 02:58 PM
Thoughts are - good link, but not conclusive to your requirement. Can you expand more on what you want to do (using dummy IPs to help)?
05-07-2009 03:52 AM
Hi Andrew,
What I must do is for example:
200.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.1 (inside)
190.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.2 (inside)
When packets come from 200.1.1.1 ASA should redirect to inside IP 10.1.1.1.
When packets come from 190.1.1.1 ASA should redirect to inside IP 10.1.1.2.
That is, packets are forwarded to inside network based on source Internet address.
This is the way checkpoint works today and I need to reproduce the same configuration at ASA.
Hope it is clear now...
Thank you
Marcelo
05-07-2009 06:20 AM
I must admit at first glance this is very interesting to solve - however I have a question: what are servers 10.1.1.1 and 10.1.1.2, and what is the requirement for separate source IPs to connect to separate internal hosts?
05-07-2009 07:04 AM
Hi Andrew,
Thank you for your interest.
Well, this is a migration from a CheckPoint firewall to an ASA, as I said before. I confess that I don't understand why this was made this way in CheckPoint. The point here is that I am supposed to replicate the CheckPoint configuration on this new ASA. :)
My customer doesn't care how this will be done. His only wish is that after exchanging the CheckPoint for the ASA he could use the network the same way as before. :(
Regarding your question, servers 10.1.1.1 and 10.1.1.2 are just an example. In the real configuration there are dozens of IPs in this situation.
The main use for this is, for example, Partner Enterprise ABC must access server IP 10.1.1.1.
Partner Enterprise DEF must access server IP 10.1.1.2
...
Partner Enterprise XYZ must access server IP 10.1.1.99
Each server has specific services running on it. For example, 10.1.1.1 has FTP and HTTP. Server 10.1.1.10 has WTS, FTP, SMTP and so on.
Can I use a different static translation for each server? Technically yes, there are a lot of real IPs available. But the concern is contacting every Partner Enterprise and asking them to change their configuration too. Too painful and too prolonged.
Again, I don't know why this was made this way at first. I'm just trying to figure out a way to do the same on the ASA.
Thank you
Regards
Marcelo
05-07-2009 07:17 AM
I'll be honest - I am not 100% sure about this, but will do some digging and take it into the lab.
In the meantime perhaps another netpro has the answer; until then I will find out.
05-07-2009 08:49 AM
Hi Andrew.
Thanks for your time.
I also opened a TAC case. I'll let you know of any update.