[c-nsp] Trouble in an ASA migration from CheckPoint

Ryan Hughes rshughes at gmail.com
Sat May 9 23:26:55 EDT 2009


Then you should use an access-list for interesting traffic to match on those
specific conditions. This is static policy NAT. See the ASA 8.0 config
guide:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042553

static (inside,outside) 80.1.1.1 access-list CONDITION1
static (inside,outside) 80.1.1.1 access-list CONDITION2

access-list CONDITION1 permit ip host 10.1.1.1 host 200.1.1.1
access-list CONDITION2 permit ip host 10.1.1.2 host 190.1.1.1

On Sat, May 9, 2009 at 9:15 AM, Marcelo Zilio <ziliomarcelo at gmail.com> wrote:

> Hi Mike,
>
> Thank you for your response.
> This is not exactly what I need as you can see in my previous reply.
>
> Even though I think somehow this can be accomplished according to this doc:
>
> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml
>
> Thanks and regards
> Marcelo
>
> 2009/5/8 Michael K. Smith - Adhost <mksmith at adhost.com>
>
> > Hello Marcelo:
> >
> > > I'm working in a migration of a CheckPoint Firewall to an ASA5520. I freeze
> > > on a situation that seems ASA cannot "reproduce" CheckPoint configuration.
> > > Follow the scenario:
> > >
> > > - IP Address X on the Internet access IP Address X1 in the Inside network
> > > through the X-NAT Address.
> > > - IP Address Y on the Internet access IP Address Y1 in the Inside network
> > > through the same X-NAT Address.
> > >
> > > CheckPoint already does this, but I couldn't find a way to do the same with
> > > ASA.
> > > I've tried with Policy NAT, but it seems it doesn't work well to static
> > > translations.
> > >
> >
> > If you mean the following it can't be done on the ASA.
> >
> > static (inside,outside) 1.2.3.4 192.168.1.1
> > static (inside,outside) 5.6.7.8 192.168.1.1
> >
> > There is a 1:1 relationship with static NAT's.  You could do PAT if that
> > suits.
> >
> > static (inside,outside) tcp 1.2.3.4 http 192.168.1.1 http
> > static (inside,outside) tcp 5.6.7.8 smtp 192.168.1.1 smtp
> >
> > Regards,
> >
> > Mike
> >
>
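
Added example, not part of the original message and not Cisco's implementation: a simplified Python model of the static policy NAT lines above, useful for checking a migrated rule set offline. It resolves the translation in both directions and flags any mapped-address/peer pair that points at more than one real host. It assumes only host-to-host `permit ip` entries; the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# The four configuration lines quoted in the message above (ASA 8.0 syntax).
CONFIG = """\
static (inside,outside) 80.1.1.1 access-list CONDITION1
static (inside,outside) 80.1.1.1 access-list CONDITION2
access-list CONDITION1 permit ip host 10.1.1.1 host 200.1.1.1
access-list CONDITION2 permit ip host 10.1.1.2 host 190.1.1.1
"""

# Assumption: only "permit ip host A host B" entries are modelled.
ACL_RE = re.compile(r"access-list (\S+) permit ip host (\S+) host (\S+)$")
NAT_RE = re.compile(r"static \(inside,outside\) (\S+) access-list (\S+)$")

def _ip(text):
    return str(ipaddress.ip_address(text))  # ValueError on a malformed address

def parse(config):
    """Return policy-static rules as (mapped, real, peer) string tuples."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls = defaultdict(list)
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            acls[m.group(1)].append((_ip(m.group(2)), _ip(m.group(3))))
    rules = []
    for ln in lines:
        m = NAT_RE.match(ln)
        if m:  # a static line naming an undefined ACL yields no rule
            rules += [(_ip(m.group(1)), real, peer)
                      for real, peer in acls.get(m.group(2), [])]
    return rules

def outbound(rules, src, dst):
    """Inside host src talks to dst: mapped source address, or None."""
    return next((m for m, r, p in rules if (r, p) == (src, dst)), None)

def inbound(rules, src, dst):
    """Outside peer src reaches mapped address dst: real host, or None."""
    return next((r for m, r, p in rules if (m, p) == (dst, src)), None)

def ambiguous(rules):
    """(mapped, peer) pairs whose conditions select more than one real host."""
    seen = defaultdict(set)
    for mapped, real, peer in rules:
        seen[(mapped, peer)].add(real)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```
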

