[c-nsp] Trouble in an ASA migration from CheckPoint

Rubens Kuhl rubensk at gmail.com
Mon May 11 08:10:27 EDT 2009


A possible solution, though not a straightforward Checkpoint
replacement, would be to use DNS views. To 200.1.1.1, DNS would answer
80.1.1.1; to 190.1.1.1, DNS would answer 80.1.1.2, and 80.1.1.2 would
be translated to 10.1.1.2.

You can even enforce this by using both NAT and access rules.


Rubens


On Sat, May 9, 2009 at 10:10 AM, Marcelo Zilio <ziliomarcelo at gmail.com> wrote:
> Hi,
>
> Thank you for the feedback.
>
> What I must do is, for example:
>
> 200.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.1 (inside)
> 190.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.2 (inside)
>
> When packets come from 200.1.1.1 towards 80.1.1.1 ASA should redirect to
> inside IP 10.1.1.1.
> When packets come from 190.1.1.1 towards 80.1.1.1 ASA should redirect to
> inside IP 10.1.1.2.
>
> That is, packets are forwarded to inside network based on source Internet
> address. There are dozens of servers in this situation.
> Don't ask me why; this is the way CheckPoint works today and I need to
> reproduce the same configuration on the ASA. :)
>
> Port redirection is not an option today because there are overlapping ports
> on some servers.
>
> Thanks
> Marcelo
>
>
> 2009/5/8 Bruce Pinsky <bep at pinskyfamily.org>
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Marcelo Zilio wrote:
>> > Hi,
>> >
>> > I'm working on a migration of a CheckPoint Firewall to an ASA5520. I got
>> > stuck on a situation where it seems the ASA cannot "reproduce" the
>> > CheckPoint configuration.
>> > Follow the scenario:
>> >
>> > - IP Address X on the Internet accesses IP Address X1 in the Inside network
>> > through the X-NAT Address.
>> > - IP Address Y on the Internet accesses IP Address Y1 in the Inside network
>> > through the same X-NAT Address.
>> >
>>
>> Can you give us a more concrete example please?  I'm not grok'ing what you
>> are trying to accomplish.
>>
>>
>> - --
>> =========
>> bep
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (MingW32)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iEYEARECAAYFAkoDxysACgkQE1XcgMgrtyZOMgCg8Yj4idWNvx9iTz32Pdy9QELy
>> raAAn1pjQvIpoP31virlnmmlJc3JEz73
>> =cP6b
>> -----END PGP SIGNATURE-----
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
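The ASA side of the DNS-views workaround proposed above, written out as an added example (it is not configuration from the original post or from any of the posters). It assumes interfaces named `outside` and `inside`, the ASA 8.2-era NAT syntax that an ASA 5520 would have run in 2009, a DNS server whose views already hand 80.1.1.1 to 200.1.1.1 and 80.1.1.2 to 190.1.1.1, and TCP/443 as the service (the thread never names the port; 443 is an assumption). Addresses 200.1.1.1, 190.1.1.1, 80.1.1.x and 10.1.1.x are the thread's own. Each inside server gets its own public address, so the ASA no longer needs to key the destination translation on the source host; the access list then enforces that each Internet peer can reach only the public address its DNS view returns:

```cisco
! Added example, not from the original post. Assumes 'outside'/'inside'
! interfaces, ASA 8.2-style NAT, DNS views already in place, and TCP/443
! as the published service (port is an assumption, not from the thread).

! One public (mapped) address per inside server, 1:1 static NAT.
static (inside,outside) 80.1.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 80.1.1.2 10.1.1.2 netmask 255.255.255.255

! Enforcement: 200.1.1.1 may reach only 80.1.1.1, 190.1.1.1 only 80.1.1.2.
! On 8.2 code an inbound ACL matches the mapped (80.x) address; on 8.3 and
! later the same rule must name the real (10.x) address instead.
access-list OUTSIDE_IN extended permit tcp host 200.1.1.1 host 80.1.1.1 eq 443
access-list OUTSIDE_IN extended permit tcp host 190.1.1.1 host 80.1.1.2 eq 443
! A cross-over attempt such as 200.1.1.1 -> 80.1.1.2 hits this explicit
! deny (logged), which mirrors the implicit deny at the end of the list.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Two checks worth doing after pasting this in: `show xlate` should list the two static translations, and `packet-tracer input outside tcp 200.1.1.1 12345 80.1.1.2 443` should end in a DROP on the access list, proving that a peer which ignores its DNS view and connects to the other public address is blocked rather than silently mapped. Note also that this only works because each peer gets a distinct public address; the original CheckPoint behaviour (one public address, destination chosen by source) is something ASA releases from 8.3 onward can express directly with a twice NAT rule that carries both `source static` and `destination static` clauses, but that option postdates the thread and is not available on 8.2.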
