[c-nsp] Trouble in an ASA migration from CheckPoint

Marcelo Zilio ziliomarcelo at gmail.com
Mon May 11 07:35:37 EDT 2009


Hello Ryan

Thanks for the input.

I've tried your suggestion and I got the following:

-------
ciscoasa(config)# access-list CONDITION1 permit ip host 10.1.1.1 host 200.1.1.1
ciscoasa(config)# access-list CONDITION2 permit ip host 10.1.1.2 host 190.1.1.1
ciscoasa(config)#
ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION1
ciscoasa(config)# static (inside,outside) 80.1.1.1 access-list CONDITION2
ERROR: mapped-address conflict with existing static
  inside:10.1.1.1 to outside:80.1.1.1 netmask 255.255.255.255
Usage: [no] static [(real_ifc, mapped_ifc)]
                {<mapped_ip>|interface}
                {<real_ip> [netmask <mask>]} | {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        [no] static [(real_ifc, mapped_ifc)] {tcp|udp}
                {<mapped_ip>|interface} <mapped_port>
                {<real_ip> <real_port> [netmask <mask>]} |
                {access-list <acl_name>}
                [dns]
                [[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
                [udp <max_conns>]
        show running-config [all] static [<mapped_ip>]
        clear configure static
ciscoasa(config)#

-------
In fact, in the config guide you've sent me, it says right below that I cannot
do that. To be honest, I had already seen this link.

I was expecting that someone somewhere had already gone through this and could
share any thoughts on which way was taken to resolve this issue.

Thank you and Regards
Marcelo

2009/5/10 Ryan Hughes <rshughes at gmail.com>

> Then you should use an access-list for interesting traffic to match on
> those specific conditions. This is static policy nat. See the ASA 8.0 config
> guide:
>
>
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cfgnat.html#wp1042553
>
> static (inside,outside) 80.1.1.1 access-list CONDITION1
> static (inside,outside) 80.1.1.1 access-list CONDITION2
>
> access-list CONDITION1 permit ip host 10.1.1.1 host 200.1.1.1
> access-list CONDITION2 permit ip host 10.1.1.2 host 190.1.1.1
>
> On Sat, May 9, 2009 at 9:15 AM, Marcelo Zilio <ziliomarcelo at gmail.com> wrote:
>
>> Hi Mike,
>>
>> Thank you for your response.
>> This is not exactly what I need, as you can see in my previous reply.
>>
>> Even though I think somehow this can be accomplished according to this
>> doc:
>>
>> http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807d2874.shtml
>>
>> Thanks and regards
>> Marcelo
>>
>> 2009/5/8 Michael K. Smith - Adhost <mksmith at adhost.com>
>>
>> > Hello Marcelo:
>> >
>> > > I'm working on a migration of a CheckPoint Firewall to an ASA5520. I
>> > > froze on a situation where it seems the ASA cannot "reproduce" the
>> > > CheckPoint configuration.
>> > > Follow the scenario:
>> > >
>> > > - IP Address X on the Internet accesses IP Address X1 in the Inside
>> > > network through the X-NAT Address.
>> > > - IP Address Y on the Internet accesses IP Address Y1 in the Inside
>> > > network through the same X-NAT Address.
>> > >
>> > > CheckPoint already does this, but I couldn't find a way to do the same
>> > > with ASA.
>> > > I've tried with Policy NAT, but it seems it doesn't work well for
>> > > static translations.
>> > >
>> >
>> > If you mean the following, it can't be done on the ASA.
>> >
>> > static (inside,outside) 1.2.3.4 192.168.1.1
>> > static (inside,outside) 5.6.7.8 192.168.1.1
>> >
>> > There is a 1:1 relationship with static NATs.  You could do PAT if that
>> > suits.
>> >
>> > static (inside,outside) tcp 1.2.3.4 http 192.168.1.1 http
>> > static (inside,outside) tcp 5.6.7.8 smtp 192.168.1.1 smtp
>> >
>> > Regards,
>> >
>> > Mike
>> >
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>
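
As an added example (not code from this thread, from Cisco, or from any of the posters), the following Python script replays `static` and policy-NAT `access-list` lines in the order they would be entered and reports the same kind of conflict the ASA returned above. It models the pre-8.3 rules only as far as the thread shows them: an address-level `static` binds one mapped IP to one real IP in both directions, and a port-level (`tcp`/`udp`) `static` binds only the mapped IP, protocol and port. Treating a mix of the two forms on one mapped IP as a conflict is an assumption, as are the function names and the sample configurations, which are constructed from the lines quoted in the thread.

```python
"""Offline lint for the 1:1 rule behind the ASA 'mapped-address conflict' error.

Added example, not from the thread or from Cisco. Simplified model (assumption:
the ASA's own check is not published) of pre-8.3 'static' rules: an address-level
static binds one mapped IP to one real IP both ways; a port-level (tcp/udp) static
binds only (mapped IP, proto, mapped port); mixing the two forms on one mapped IP
is flagged as a conservative assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Static:
    line_no: int
    mapped_ip: str
    real_ip: str
    proto: Optional[str] = None         # "tcp"/"udp" for static PAT, None otherwise
    mapped_port: Optional[str] = None
    real_port: Optional[str] = None

    @property
    def is_port_level(self) -> bool:
        return self.proto is not None


ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+host\s+(\S+)\s+host\s+(\S+)")
STATIC_RE = re.compile(r"^static\s+\(([^,]+),([^)]+)\)\s+(?:(tcp|udp)\s+)?(\S+)\s+(.+)$")


def parse_config(config: str) -> Tuple[List[Static], List[str]]:
    """Return (statics in config order, parse errors)."""
    lines = [(n, raw.strip()) for n, raw in enumerate(config.splitlines(), 1)]
    # Pass 1: policy-NAT ACLs; the first 'host' is the real (inside) address.
    acl_real_host: Dict[str, str] = {}
    for _, line in lines:
        m = ACL_RE.match(line)
        if m:
            acl_real_host[m.group(1)] = m.group(2)
    statics: List[Static] = []
    errors: List[str] = []
    for n, line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        proto, mapped_ip, rest = m.group(3), m.group(4), m.group(5).split()
        try:
            if proto is None:                       # address-level static
                mapped_port = real_port = None
                real_ip = acl_real_host.get(rest[1]) if rest[0] == "access-list" else rest[0]
            else:                                   # port-level static (static PAT)
                mapped_port = rest[0]
                if rest[1] == "access-list":        # real port lives in the ACL; not parsed here
                    real_ip, real_port = acl_real_host.get(rest[2]), None
                else:
                    real_ip, real_port = rest[1], rest[2]
        except IndexError:
            errors.append(f"line {n}: malformed static: {line}")
            continue
        if real_ip is None:
            errors.append(f"line {n}: access-list referenced by static is not defined")
            continue
        statics.append(Static(n, mapped_ip, real_ip, proto, mapped_port, real_port))
    return statics, errors


def find_conflicts(statics: List[Static]) -> List[str]:
    """Replay statics in order; report each one the 1:1 rules would refuse."""
    mapped_claims: Dict[str, Static] = {}                   # mapped IP wholly claimed
    real_claims: Dict[str, Static] = {}                     # real IP wholly claimed
    port_claims: Dict[Tuple[str, str, str], Static] = {}    # (mapped IP, proto, port)
    findings: List[str] = []
    for s in statics:
        if not s.is_port_level:
            prev = mapped_claims.get(s.mapped_ip)
            if prev and prev.real_ip != s.real_ip:
                findings.append(f"line {s.line_no}: mapped-address conflict: {s.mapped_ip} "
                                f"already maps to {prev.real_ip} (line {prev.line_no})")
                continue
            prev = real_claims.get(s.real_ip)
            if prev and prev.mapped_ip != s.mapped_ip:
                findings.append(f"line {s.line_no}: real-address conflict: {s.real_ip} "
                                f"already maps to {prev.mapped_ip} (line {prev.line_no})")
                continue
            if any(k[0] == s.mapped_ip for k in port_claims):   # assumption: no mixing
                findings.append(f"line {s.line_no}: mapped-address conflict: {s.mapped_ip} "
                                f"already has port-level statics")
                continue
            mapped_claims[s.mapped_ip] = s
            real_claims[s.real_ip] = s
        else:
            prev = mapped_claims.get(s.mapped_ip)
            if prev:                                            # assumption: no mixing
                findings.append(f"line {s.line_no}: mapped-address conflict: {s.mapped_ip} "
                                f"is wholly claimed by line {prev.line_no}")
                continue
            key = (s.mapped_ip, s.proto, s.mapped_port)
            prev = port_claims.get(key)
            if prev and (prev.real_ip, prev.real_port) != (s.real_ip, s.real_port):
                findings.append(f"line {s.line_no}: mapped-port conflict: {s.mapped_ip} "
                                f"{s.proto}/{s.mapped_port} already maps to {prev.real_ip} (line {prev.line_no})")
                continue
            port_claims[key] = s
    return findings


def lint(config: str) -> List[str]:
    statics, errors = parse_config(config)
    return errors + find_conflicts(statics)


# Constructed samples built from the lines quoted in the thread.
MARCELO_ATTEMPT = """\
access-list CONDITION1 permit ip host 10.1.1.1 host 200.1.1.1
access-list CONDITION2 permit ip host 10.1.1.2 host 190.1.1.1
static (inside,outside) 80.1.1.1 access-list CONDITION1
static (inside,outside) 80.1.1.1 access-list CONDITION2
"""
MIKE_ONE_TO_ONE = """\
static (inside,outside) 1.2.3.4 192.168.1.1
static (inside,outside) 5.6.7.8 192.168.1.1
"""
MIKE_PAT = """\
static (inside,outside) tcp 1.2.3.4 http 192.168.1.1 http
static (inside,outside) tcp 5.6.7.8 smtp 192.168.1.1 smtp
"""
# Port-level variant of Marcelo's case (constructed; two inside hosts, one mapped IP).
PORT_LEVEL_SHARE = """\
static (inside,outside) tcp 80.1.1.1 http 10.1.1.1 http
static (inside,outside) tcp 80.1.1.1 smtp 10.1.1.2 smtp
"""
```

Running `lint()` over Marcelo's two CONDITION statics flags the second one on 80.1.1.1, over Mike's pair of address-level statics flags the second, and over the two static PAT lines reports nothing. The port-level form lets two inside hosts share one mapped IP only when they serve different ports; it does not pick the inside host by the Internet source address, which is what the CheckPoint rule does and why Marcelo says it is not exactly what he needs.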

