Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ydaew
New Contributor III

Migrate Cisco ASA to FortiGate

Hello, 

Since FortiConverter is not a free tool, any advice for migrating from Cisco ASA to FortiGate smoothly?

1 Solution
emnoc
Esteemed Contributor III

You do not need a conversion tool in order to do NAT. Look at each NAT and apply it as central NAT or per-policy as required. The concepts are the same between Cisco ASA and FortiOS.

# DNAT rules, Cisco ASA (object NAT, 1:1 static)
object network webserverdnat
 host 172.7.72.11
 nat (inside,outside) static 1.0.0.111

# DNAT VIP, FGT port-forward tcp/80
config firewall vip
    edit "webserverdnat"
        set comment "DNAT to rfc1918"
        set extintf "wan1"
        set extip 1.0.0.111
        set mappedip "172.7.72.11"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# DNAT VIP, FGT (1:1, no port forward)
config firewall vip
    edit "webserverdnat"
        set comment "DNAT to rfc1918"
        set extintf "wan1"
        set extip 1.0.0.111
        set mappedip "172.7.72.11"
    next
end

# Cisco DNAT port forward (object NAT with a service clause)
object network WebServerCH3-LAMPSRV01
 host 172.7.88.101
 nat (inside,outside) static 1.0.0.1 service tcp 80 80
!

# Cisco PAT overload to a pool
object network MYLAN
 subnet 172.254.12.0 255.255.255.0
object network SNATPOOL
 host 192.0.2.1
! "source dynamic" to a single-host object is PAT; an identity "source static" rule would not translate anything
nat (inside,outside) source dynamic MYLAN SNATPOOL

# FortiOS central NAT (central-nat must be enabled under config system settings)
config firewall ippool
    edit "publicpoolA"
        set type overload
        set startip 192.0.2.1
        set endip 192.0.2.1
    next
end

config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr <pre-nat src addr object>
        set dst-addr <pre-nat dst addr object>
        set nat enable
        set nat-ippool "publicpoolA"
    next
end

Those are a few examples I can think of; just determine whether you want central NAT or NAT within the policy.

Think of central NAT the same as the Cisco ASA, Palo, Juniper, CHKP and Forcepoint NAT tables.

YMMV, but both are equally beneficial and easy concepts to figure out.

Ken Felix

PCNSE 

NSE 

StrongSwan  

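The mapping the accepted answer lays out (ASA object NAT to a FortiOS VIP, ASA dynamic PAT to an overload IP pool plus a central-snat-map entry) is mechanical enough to script. The following is an added example written for this thread, not code from the forum, from Fortinet or from FortiConverter. It parses the handful of ASA idioms shown above from a constructed sample config and emits the matching FortiOS CLI. The ASA-to-FortiGate interface name mapping (outside to wan1, inside to internal) and the use of "all" as the central-SNAT destination are assumptions; anything outside those idioms (subnet-based static NAT, twice-NAT with distinct destinations, PAT to the interface address) is rejected rather than guessed, which is the part of a migration you still have to do by hand.

```python
import re
from dataclasses import dataclass

# Assumed mapping from ASA interface names to FortiGate interface names.
INTF_MAP = {"outside": "wan1", "inside": "internal"}

# Constructed sample ASA config mirroring the idioms shown in the thread.
SAMPLE_ASA = """\
object network webserverdnat
 host 172.7.72.11
 nat (inside,outside) static 1.0.0.111
object network WebServerCH3-LAMPSRV01
 host 172.7.88.101
 nat (inside,outside) static 1.0.0.1 service tcp 80 80
object network MYLAN
 subnet 172.254.12.0 255.255.255.0
object network SNATPOOL
 host 192.0.2.1
!
nat (inside,outside) source dynamic MYLAN SNATPOOL
"""

STATIC_RE = re.compile(r"nat \((\S+),(\S+)\) static (\S+)(?: service (tcp|udp) (\d+) (\d+))?$")
DYNAMIC_RE = re.compile(r"nat \((\S+),(\S+)\) source dynamic (\S+) (\S+)$")

@dataclass
class NetObject:
    name: str
    host: str = None
    subnet: tuple = None
    static_nat: dict = None  # set when the object carries object NAT

def parse_asa(text):
    """Return ({name: NetObject}, [dynamic PAT rules]) from ASA config text."""
    objects, dynamic, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("object network "):
            current = NetObject(line.split()[2])
            objects[current.name] = current
        elif line.startswith("host ") and current:
            current.host = line.split()[1]
        elif line.startswith("subnet ") and current:
            _, net, mask = line.split()
            current.subnet = (net, mask)
        elif STATIC_RE.match(line) and current:
            _real_if, mapped_if, ext_ip, proto, ext_port, map_port = STATIC_RE.match(line).groups()
            current.static_nat = dict(extintf=mapped_if, extip=ext_ip, proto=proto,
                                      extport=ext_port, mappedport=map_port)
        elif DYNAMIC_RE.match(line):
            src_if, dst_if, orig, pool = DYNAMIC_RE.match(line).groups()
            dynamic.append(dict(srcintf=src_if, dstintf=dst_if, orig=orig, pool=pool))
            current = None  # a top-level twice-NAT line ends the object context
    return objects, dynamic

def vip_block(obj):
    """FortiOS 'config firewall vip' entry for ASA static object NAT on a host."""
    if obj.host is None or obj.static_nat is None:
        raise ValueError(f"{obj.name}: only host objects with static NAT are converted")
    n = obj.static_nat
    out = [f'    edit "{obj.name}"',
           f'        set extintf "{INTF_MAP.get(n["extintf"], n["extintf"])}"',
           f'        set extip {n["extip"]}',
           f'        set mappedip "{obj.host}"']
    if n["proto"]:  # ASA 'service tcp 80 80' becomes VIP port forwarding
        out += ["        set portforward enable",
                f'        set protocol {n["proto"]}',
                f'        set extport {n["extport"]}',
                f'        set mappedport {n["mappedport"]}']
    out.append("    next")
    return out

def central_snat_blocks(rule, objects, seq):
    """ippool + address + central-snat-map for ASA 'source dynamic NET POOL'."""
    src, pool = objects[rule["orig"]], objects[rule["pool"]]
    if src.subnet is None or pool.host is None:
        raise ValueError("only subnet -> single-address PAT is converted")
    net, mask = src.subnet
    return [
        "config firewall ippool",
        f'    edit "{pool.name}"', "        set type overload",
        f"        set startip {pool.host}", f"        set endip {pool.host}",
        "    next", "end",
        "config firewall address",
        f'    edit "{src.name}"', f"        set subnet {net} {mask}", "    next", "end",
        "config firewall central-snat-map",
        f"    edit {seq}",
        f'        set srcintf "{INTF_MAP.get(rule["srcintf"], rule["srcintf"])}"',
        f'        set dstintf "{INTF_MAP.get(rule["dstintf"], rule["dstintf"])}"',
        f'        set orig-addr "{src.name}"', '        set dst-addr "all"',
        "        set nat enable", f'        set nat-ippool "{pool.name}"',
        "    next", "end",
    ]

def convert(text):
    """Full FortiOS CLI text for the supported parts of an ASA config."""
    objects, dynamic = parse_asa(text)
    lines, vips = [], [o for o in objects.values() if o.static_nat]
    if vips:
        lines.append("config firewall vip")
        for obj in vips:
            lines += vip_block(obj)
        lines.append("end")
    for seq, rule in enumerate(dynamic, start=1):
        lines += central_snat_blocks(rule, objects, seq)
    return "\n".join(lines)

if __name__ == "__main__":
    print(convert(SAMPLE_ASA))
```

Review the generated VIPs against the ASA `show nat` output before applying them: the script only reads the object definitions, so the interface pair in `nat (real,mapped)` and any `no-proxy-arp` or `route-lookup` options that change how the ASA answers for the mapped address are not carried over, and central-snat-map entries only take effect after central NAT is enabled under `config system settings`.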
boneyard
Valued Contributor

Depending on when you bought the FortiGate, FortiConverter is a free service.

But if that isn't an option, then you'd best understand what the ASA does very well. Then it is not that hard to configure the FortiGate in a similar way if you understand FortiGate also. If there is an issue with understanding one of them, look for assistance; that will probably also come with a price.

 

 

Ydaew
New Contributor III

boneyard wrote:

Depending on when you bought the FortiGate, FortiConverter is a free service.

You mean we can ask for this product for free? The equipment was purchased recently.

 

 

 

 

boneyard
Valued Contributor

Not the product, but a FortiConverter service is available.

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiConverter.pdf

Unfortunately I now see it is a purchased service also, probably cheaper than the FortiConverter license, which is quite affordable and probably easier to purchase when you buy the equipment than later.

 

Ydaew
New Contributor III

Thank you, I'm only stuck on NAT policy migration. I think I will try to handle it, since ASA NAT is a bit confusing.

boneyard
Valued Contributor

Yeah, that is a tricky one. ASA can NAT in too many different ways, sometimes with very limited configuration.

With Fortinet you generally use VIPs and IP pools for NAT. To create a good mapping you should understand what exactly is and isn't NATted on the ASA, and then build the FortiGate configuration.

Elthon_Abreu

Ydaew

You can download the FortiConverter Python-based free tool from the support site (Download > Product=FortiConverter > Download: / FortiConverter/ v5.00/ 5.6/ 5.6.2/ FortiConverterSetup_5.6.2_Build0541.py.exe). I used it a few weeks ago and it was easy peasy...

Elthon Abreu FCNSA v5
Ydaew
New Contributor III

Elthon Abreu

 

Hi Elthon, 

I did test it before, but I wasn't able to get the configuration due to a limitation of the free version, where you can only see the results and not get the configuration file.

Were you able to export the configuration? 

 

Thanks

Elthon_Abreu

Ydaew,

 

Did you try the Python version? 

Elthon Abreu FCNSA v5
boneyard

The new (Python) version is not free; both the legacy and new versions require a license (which is shared between both).

 

from the release notes:

For all 3rd party conversions, you can complete a conversion and view the results in the tuning page. All other functionality is disabled until you upload the full license. In most cases, this limited functionality is sufficient to allow you to evaluate the product.
