Hello,
Since FortiConverter is not a free tool, any advice for migrating from Cisco ASA to FortiGate smoothly?
You do not need a conversion tool in order to do NAT. Look at each NAT and apply it as central NAT or per-policy NAT as required. The concepts are the same between Cisco ASA and FortiOS.

```
# DNAT rules cisco ASA
object network webserverdnat
 host 172.7.72.11
 nat (inside,outside) static 1.0.0.111

# DNAT VIP FGT port-forward tcp80
config firewall vip
    edit webserverdnat
        set comment "DNAT to rfc1918"
        set extintf wan1
        set extip 1.0.0.111
        set mappedip 172.7.72.11
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# DNAT VIP FGT (plain 1:1, no port forward)
config firewall vip
    edit webserverdnat
        set comment "DNAT to rfc1918"
        set extintf wan1
        set extip 1.0.0.111
        set mappedip 172.7.72.11
    next
end

# cisco DNAT port forward
object network WebServerCH3-LAMPSRV01
 host 172.7.88.101
 nat (inside,outside) static 1.0.0.1 service tcp 80 80
!

# cisco pat overload to a pool (dynamic PAT of MYLAN behind SNATPOOL)
object network MYLAN
 subnet 172.254.12.0 255.255.255.0
object network SNATPOOL
 subnet 192.0.2.1 255.255.255.255
nat (inside,outside) source dynamic MYLAN SNATPOOL

# FortiOS CENTRAL-NAT
config firewall ippool
    edit publicpoolA
        set type overload
        set startip 192.0.2.1
        set endip 192.0.2.1
    next
end
config firewall central-snat-map
    edit 1
        # srcintf/dstintf are required on a central SNAT entry; <lan-interface> is the inside port
        set srcintf <lan-interface>
        set dstintf wan1
        set orig-addr <pre-nat.src.addr>
        set dst-addr <pre-nat.dst.addr>
        set nat-ippool publicpoolA
    next
end
```

That's a few examples I can think of; just determine if you want central NAT or NAT within the policy. Think of central NAT the same as the Cisco ASA, Palo, Juniper, CHKP, Forcepoint NAT tables. YMMV but both are equally beneficial and easy concepts to figure out.

Ken Felix
PCNSE
NSE
StrongSwan
Thanks for the explanation. Actually I have the cases below that I'm still stuck with, due to having no experience with Cisco ASA NAT statements:
- nat (inside,outside) source static MYADD MYADD
- nat (inside,outside) source static PRV-SRV1 Pub-SRV2 destination static B1 B1 unidirectional
Your advice please.
Central NAT will be used.
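To see how the ASA-to-FortiOS mapping Ken describes above and the two statements in this reply carry over, here is an added example that is not from the thread or from Fortinet: a small Python script that parses the ASA forms quoted in this thread (object NAT with and without a service port, and twice-NAT `source static`) and prints the FortiOS VIP, ippool and central-snat-map equivalents. The interface names wan1 and internal, the `<ip-of-...>` pool placeholders and the rendering of the unidirectional static as a one-to-one pool are assumptions.

```python
import re
# Constructed ASA input, assembled from the NAT statements quoted in this thread.
ASA_NAT = """\
object network webserverdnat
 host 172.7.72.11
 nat (inside,outside) static 1.0.0.111
object network WebServerCH3-LAMPSRV01
 host 172.7.88.101
 nat (inside,outside) static 1.0.0.1 service tcp 80 80
nat (inside,outside) source static MYADD MYADD
nat (inside,outside) source static PRV-SRV1 Pub-SRV2 destination static B1 B1 unidirectional
"""
OBJ_NAT = re.compile(r"^nat \(\S+,\S+\) static (\S+)(?: service (tcp|udp) (\d+) (\d+))?$")
TWICE = re.compile(r"^nat \(\S+,\S+\) source static (\S+) (\S+)(?: destination static (\S+) \S+)?(?: unidirectional)?$")

def parse_asa(text):  # object-NAT statics become 'vip' rules, twice-NAT 'source static' lines 'snat' rules
    rules, name, host = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("object network "):
            name, host = line.split()[2], None
        elif line.startswith("host "):
            host = line.split()[1]
        elif m := OBJ_NAT.match(line):
            rules.append({"kind": "vip", "name": name, "mappedip": host, "extip": m.group(1),
                          "port": m.groups()[1:] if m.group(2) else None})
        elif m := TWICE.match(line):  # 'static A A' (same object twice) is an ASA identity NAT
            rules.append({"kind": "snat", "orig": m.group(1), "pool": m.group(2),
                          "dst": m.group(3) or "all", "identity": m.group(1) == m.group(2)})
    return rules

def render_fortios(rules, extintf="wan1", srcintf="internal"):  # one VIP per DNAT, pool + central SNAT per source static
    out = []
    for r in rules:
        if r["kind"] == "vip":
            out += ["config firewall vip", f'    edit "{r["name"]}"', f'        set extintf "{extintf}"',
                    f'        set extip {r["extip"]}', f'        set mappedip "{r["mappedip"]}"']
            if r["port"]:  # ASA 'service tcp 80 80' becomes a FortiOS port-forwarding VIP
                out += ["        set portforward enable", f'        set protocol {r["port"][0]}',
                        f'        set extport {r["port"][1]}', f'        set mappedport {r["port"][2]}']
            out += ["    next", "end"]
        elif r["identity"]:  # nothing is translated on the ASA, so no SNAT entry: the policy keeps NAT off
            out.append(f'# {r["orig"]}: ASA identity NAT, leave "set nat disable" in the policy')
        else:  # a one-to-one pool carries the public address of the translated object (fill in the real IP)
            out += ["config firewall ippool", f'    edit "{r["pool"]}"', "        set type one-to-one",
                    f'        set startip <ip-of-{r["pool"]}>', f'        set endip <ip-of-{r["pool"]}>', "    next", "end",
                    "config firewall central-snat-map", "    edit 0", f'        set srcintf "{srcintf}"',
                    f'        set dstintf "{extintf}"', f'        set orig-addr "{r["orig"]}"',
                    f'        set dst-addr "{r["dst"]}"', f'        set nat-ippool "{r["pool"]}"', "    next", "end"]
    return "\n".join(out)
```

A central SNAT entry only ever rewrites the source of flows matching orig-addr/dst-addr and never creates a reverse DNAT, which is why the ASA `unidirectional` static maps onto it cleanly, while the identity rule needs no entry at all.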
I am having the same problems migrating ASA NAT to FG NAT. I used FortiConverter but I don't know how reliable it is. If anyone has a guide it would be helpful. It is confusing when NAT involves a VPN network as a destination. Cisco has NAT with (inside,outside), but would that be the same on FG? It kind of is the outside interface, but on FG you make a sub-interface within outside/wan for the VPN. I already made the VPN tunnel and static routes.
What kind of guide are you looking for? There is no exact explanation of how FortiConverter takes a specific ASA config and translates it. That you will need to find out by trying.
The problem as I see it is that the ASA has a number of ways to do NAT, and especially when you combine these, things get complicated. But that is an ASA thing, not a FortiGate thing. So if you need a clear explanation of how your ASA config works, you are better off on a Cisco / ASA forum.
On the FortiGate side it is quite simple.
If you need to source and destination NAT, you use an IP Pool and a VIP in one policy.
With these two elements I have been able to do all the NATing I need.
Yes, there is the central NAT table option, but I'm ignoring that; I've seen it used in a fraction of the cases.
FWIW
Most migration jobs do a sloppy job on NAT, if any are translated at all. I personally have not used FortiConverter since 2014, so I do not know whether any improvements have been made. You might want to just tackle these by hand and apply them as required.
PCNSE
NSE
StrongSwan