[c-nsp] Trouble in an ASA migration from CheckPoint

Marcelo Zilio ziliomarcelo at gmail.com
Mon May 11 09:11:47 EDT 2009


Hi Rubens,

Thanks for your response.

I'm sorry, but I didn't understand what you meant...

Remember that IPs 200.1.1.1 and 190.1.1.1 are Internet addresses and I cannot
control their DNS resolution.

thanks and regards.
Marcelo

2009/5/11 Rubens Kuhl <rubensk at gmail.com>

> A possible solution that it's not a straightforward Checkpoint
> replacement would be using DNS views. To 200.1.1.1, DNS would answer
> 80.1.1.1; to 190.1.1.1, DNS would answer 80.1.1.2, and 80.1.1.2 would
> be translated to 10.1.1.2.
>
> You can even enforce this by using both NAT and access rules.
>
>
> Rubens
>
>
> On Sat, May 9, 2009 at 10:10 AM, Marcelo Zilio <ziliomarcelo at gmail.com>
> wrote:
> > Hi,
> >
> > Thank you for the feedback.
> >
> > What I must do is for example:
> >
> > 200.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.1 (inside)
> > 190.1.1.1 (internet) ----> ASA (NAT IP 80.1.1.1) ----> 10.1.1.2 (inside)
> >
> > When packets come from 200.1.1.1 towards 80.1.1.1 ASA should redirect to
> > inside IP 10.1.1.1.
> > When packets come from 190.1.1.1 towards 80.1.1.1 ASA should redirect to
> > inside IP 10.1.1.2.
> >
> > That is, packets are forwarded to inside network based on source Internet
> > address. There are dozens of servers in this situation.
> > Don't ask me why, this is the way checkpoint works today and I need to
> > reproduce the same configuration at ASA. :)
> >
> > Port redirection is not an option today because there are overlapping
> > ports in some servers.
> >
> > Thanks
> > Marcelo
> >
> >
> > 2009/5/8 Bruce Pinsky <bep at pinskyfamily.org>
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Marcelo Zilio wrote:
> >> > Hi,
> >> >
> >> > I'm working on a migration of a CheckPoint Firewall to an ASA5520. I
> >> > froze on a situation where it seems the ASA cannot "reproduce" the
> >> > CheckPoint configuration. The scenario follows:
> >> >
> >> > - IP Address X on the Internet accesses IP Address X1 in the Inside
> >> > network through the X-NAT Address.
> >> > - IP Address Y on the Internet accesses IP Address Y1 in the Inside
> >> > network through the same X-NAT Address.
> >> >
> >>
> >> Can you give us a more concrete example please?  I'm not grok'ing what
> >> you are trying to accomplish.
> >>
> >>
> >> - --
> >> =========
> >> bep
> >>
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.9 (MingW32)
> >> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >>
> >> iEYEARECAAYFAkoDxysACgkQE1XcgMgrtyZOMgCg8Yj4idWNvx9iTz32Pdy9QELy
> >> raAAn1pjQvIpoP31virlnmmlJc3JEz73
> >> =cP6b
> >> -----END PGP SIGNATURE-----
> >>
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
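The following is an added illustration of the approach Rubens describes above (DNS views plus one mapped address per inside host, enforced with NAT and access rules); it is not configuration from anyone in this thread. The zone name example.com, the zone file names, and the hostname www are assumptions; the addresses are the ones used in the thread. The DNS side is a BIND named.conf excerpt, which requires that Marcelo's organisation runs the authoritative server for its own names (the views key on the client source address, so the resolution of 200.1.1.1 and 190.1.1.1 themselves is irrelevant). The firewall side uses pre-8.3 ASA syntax, where the interface access-list references the mapped (public) address; on ASA 8.3 and later, NAT is written with network objects and the access-list references the real inside address instead.

```text
# --- BIND named.conf excerpt (assumed zone example.com; file names assumed) ---
# Each view serves its own copy of the zone; the only difference between the
# zone files is the A record for www: 80.1.1.1 in one, 80.1.1.2 in the other.
view "from-200" {
    match-clients { 200.1.1.1; };
    zone "example.com" {
        type master;
        file "db.example.com.view200";   # www.example.com. IN A 80.1.1.1
    };
};
view "from-190" {
    match-clients { 190.1.1.1; };
    zone "example.com" {
        type master;
        file "db.example.com.view190";   # www.example.com. IN A 80.1.1.2
    };
};
view "default" {
    # Once any view is defined, every zone must live inside a view,
    # so all other clients need an explicit catch-all view.
    match-clients { any; };
    zone "example.com" {
        type master;
        file "db.example.com";           # whichever public address is the default
    };
};

! --- ASA (pre-8.3 syntax) ---
! One static NAT per inside host, each with its own mapped address.
static (inside,outside) 80.1.1.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 80.1.1.2 10.1.1.2 netmask 255.255.255.255
! Access rules pin each mapped address to the only Internet source that
! should reach it, so a client that ignores the DNS answer and connects to
! the "other" address is dropped by the implicit deny.
access-list outside_in extended permit ip host 200.1.1.1 host 80.1.1.1
access-list outside_in extended permit ip host 190.1.1.1 host 80.1.1.2
access-group outside_in in interface outside
```

The trade-off against the original CheckPoint setup is visible in the second block: because the ASA selects the inside host by destination (mapped) address rather than by source address, every inside server that previously shared 80.1.1.1 now needs its own public address, and the access rules, not the translation, are what keep 200.1.1.1 away from 10.1.1.2. With "dozens of servers" that means reserving a matching number of addresses in the 80.1.1.0 range.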

