Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Ydaew
New Contributor III

Migrate Cisco ASA to FortiGate

Hello, 

Since FortiConverter is not a free tool, any advise for migrating from Cisco ASA to FortiGate smoothly? 

 

 

1 Solution
emnoc
Esteemed Contributor III

You do not need a conversion tool in order to do NAT. Look at each NAT and apply it a central-NAT or  per-policy as required. The concept are equally the same between ciscoASA and FortiOS

 

 

 

#  DNAT rules cisco ASA

 

object network webserverdnat

 

 host 172.7.72.11

 

nat (inside,outside) static 1.0.0.111

 

 

# DNAT VIP  FGT port-forward tcp80

 

config firewall vip

 

edit webserverdnat

 

set comment "DANT TO rfc1918"

 

set extintf wan1

 

set extip 1.0.0.111

 

set mappedip 172.7.72.11

 

set portforward enable

 

set protocol tcp

 

set extport 80

 

set mapped port 80

 

end

 

 

# DNAT VIP  FGT 

 

config firewall vip

 

edit webserverdnat

 

set comment "DANT TO rfc1918"

 

set extintf wan1

 

set extip 1.0.0.111

 

set mappedip 172.7.72.11

 

end

 

 

 

 

# cisco DNAT port forward

 

object network WebServerCH3-LAMPSRV01

 

host 172.7.88.101

 

nat (inside,outside) static 1.0.0.1 service tcp 80 80

 

!

 

 

# cisco pat overload to a pool 

 

object network MYLAN

 

subnet 172.254.12.0. 255.255.255.0

 

object network SNATPOOL

 

subnet  192.0.2.1 255.255.255.255

 

nat (inside,outside) 1 source static MYLAN MYLAN destination static SNATPOOL SNATPOOL

 

 

#FortiOS CENTRAL-NAT

 

 

config firewall ippool

   edit publicpoolA

          set type overload

          set startip 192.0.2.1

          set endip   192.0.2.1

   end

 

config firewall central-snat-map

edit 1

  set orig-addr <pre-nat.src.addr>

  set dst-addr <pre-nat dst.addr>

  set nat-ippool ippool publicpoolA

end

 

 

That a few examples I can think of, just determine if you want central-net or nat within the policy.

 

Thank of central net the same as ciscoASA, Palo,Juniper,CHKP,Forcepoint NAT-tables.

 

YMMV but both are equally beneficial and easy  concepts to figure out.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

View solution in original post

PCNSE NSE StrongSwan
14 REPLIES 14
emnoc
Esteemed Contributor III

You do not need a conversion tool in order to do NAT. Look at each NAT and apply it a central-NAT or  per-policy as required. The concept are equally the same between ciscoASA and FortiOS

 

 

 

#  DNAT rules cisco ASA

 

object network webserverdnat

 

 host 172.7.72.11

 

nat (inside,outside) static 1.0.0.111

 

 

# DNAT VIP  FGT port-forward tcp80

 

config firewall vip

 

edit webserverdnat

 

set comment "DANT TO rfc1918"

 

set extintf wan1

 

set extip 1.0.0.111

 

set mappedip 172.7.72.11

 

set portforward enable

 

set protocol tcp

 

set extport 80

 

set mapped port 80

 

end

 

 

# DNAT VIP  FGT 

 

config firewall vip

 

edit webserverdnat

 

set comment "DANT TO rfc1918"

 

set extintf wan1

 

set extip 1.0.0.111

 

set mappedip 172.7.72.11

 

end

 

 

 

 

# cisco DNAT port forward

 

object network WebServerCH3-LAMPSRV01

 

host 172.7.88.101

 

nat (inside,outside) static 1.0.0.1 service tcp 80 80

 

!

 

 

# cisco pat overload to a pool 

 

object network MYLAN

 

subnet 172.254.12.0. 255.255.255.0

 

object network SNATPOOL

 

subnet  192.0.2.1 255.255.255.255

 

nat (inside,outside) 1 source static MYLAN MYLAN destination static SNATPOOL SNATPOOL

 

 

#FortiOS CENTRAL-NAT

 

 

config firewall ippool

   edit publicpoolA

          set type overload

          set startip 192.0.2.1

          set endip   192.0.2.1

   end

 

config firewall central-snat-map

edit 1

  set orig-addr <pre-nat.src.addr>

  set dst-addr <pre-nat dst.addr>

  set nat-ippool ippool publicpoolA

end

 

 

That a few examples I can think of, just determine if you want central-net or nat within the policy.

 

Thank of central net the same as ciscoASA, Palo,Juniper,CHKP,Forcepoint NAT-tables.

 

YMMV but both are equally beneficial and easy  concepts to figure out.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Ydaew
New Contributor III

Thanks for the explanation, actually i have the below cases that i'm still stuck with due to have no experience in Cisco ASA NAT statements;

- nat (inside,outside) source static MYADD MYADD

- nat (inside,outside) source static PRV-SRV1 Pub-SRV2 destination static B1 B1 unidirectional

Your advise please 

Central NAT Will be used

creed2981

i am having same problems migrating ASA NAT to FG NAT.  I used the forticonverter but i dont know how reliable it is.  If anyone has a guide it would be helpful.  It is confusing when nat involves VPN network as a destination.  Cisco has nat with (inside,outside) but would that be same on FG?  It kind of is the outside interface but on FG you make a sub interface within outside/wan for the VPN.  i already made vpn tunnel and static routes

boneyard
Valued Contributor

what kind of guide are you looking for? there is no exact explanation on how forticonverter takes specific ASA config and translates it. that you will need to find out by trying.

 

the problem as i see it is that ASA has a number of ways to do NAT and specially when you combine these things get complicated. but that is an ASA thing, not a FortiGate thing. so if you need a clear explanation how your ASA config works you better off on a Cisco / ASA forum.

 

on the FortiGate side it is quite simple.

[ul]
  • for source NAT you use an IP Pool (type overload) or you NAT behind the interface, both are done on the firewall policy level. you do need to create the IP Pool first.
  • for destination NAT you use a virtual IP, which translates from destination IP X to destination IP Y. this is also done by first creating a VIP and then using it in a firewall policy.[/ul]

     

    if you need to source and destination NAT you use an IP Pool and VIP in one policy.

     

    with these two elements i have able to do all the NATing i need.

     

    yes there is  central NAT table option but im ignoring that, seen it used in a fraction of the cases.

  • emnoc
    Esteemed Contributor III

    FWIW

     

    Most migrations jobs do a sloppy job on NAT if any are translated. I personally have not use the forticonverter in since 2014 , so I do not know if any improvements have been made. You might to  just tackle these by hand and apply them as required.

    PCNSE 

    NSE 

    StrongSwan  

    PCNSE NSE StrongSwan
    Top Kudoed Authors