Checkpoint to ASA migration

We are currently running a Check Point firewall and would like to migrate to the ASA platform. Does anyone know of a conversion / migration utility that will convert Check Point firewall rules to ASA?
Thanks

Here is the new self-service tool that Cisco has released to convert any vendor's firewall configuration to Cisco ASA.
Currently it supports Juniper ScreenOS and CheckPoint to Cisco ASA conversion.
Link to the original post:
https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/12/19/conversion-tool--checkpoint-fw-to-cisco-asa
Link to the tool itself:
https://fwmig.cisco.com

Similar Messages

  • ARP table clash with checkpoint and ASA firewal issue

    We are migrating DMZ segments from a Checkpoint to an ASA 5585 firewall that we had connected to the same segments as the Checkpoint, except on different IP addresses than the Checkpoint interfaces. The Checkpoint interfaces are the default gateway for the servers. When I implemented the NAT entries below we experienced an ARP table clash between the Checkpoint and ASA firewall on the local segments that caused an application outage. What was determined was that the Checkpoint firewall was associating all the IP addresses, in particular on the VLAN130 segment, with the MAC address of the ASA interface instead of the real server MAC address. I need assistance understanding why the Checkpoint was pointing the ARP entries for many different addresses on VLAN130 to the ASA firewall MAC.
    nat (any,internet-outside) source static any any destination static isxh2007_Xlate_167.9.6.21 isxh2007_10.121.201.86 unidirectional description To match chkpt NAT rule #5
    nat (VLAN130,internet-outside) source static ISX_EDI_Hosts isxh2008_Xlat_167.9.6.22 unidirectional
    nat (any,internet-outside) source static Private-Addresses ISX_OUTBOUND_NAT_167.9.6.1 destination static external_167.9.x external_167.9.x unidirectional
    nat (any,any) source static Mars-Internal-All Mars-Internal-All destination static Private-Addresses Private-Addresses
    nat (internet-dmz,internet-outside) source static acs-vmww2419.mars-ad.net acs-vmww2419_xlate_167.9.6.23
    nat (internet-dmz,internet-outside) source static acs_vmww2420 acs_vmww2420_xlate_167.9.6.24
    nat (internet-dmz,internet-outside) source static pass_reset_internal_10.121.201.50 pass_reset_external_167.9.6.25
    nat (internet-dmz,internet-outside) source static HE-Portal-poland_10.121.120.10 ext_HE-Portal-poland_167.9.6.26
    nat (any,internet-outside) source dynamic any ISX_OUTBOUND_NAT_167.9.6.1
    isxasa04/wwy-legacy# sho interface
    Interface TenGigabitEthernet0/8.129 "core-inside", is down, line protocol is down
    MAC address 442b.0330.aba2, MTU 1500
    IP address 10.121.129.X, subnet mask 255.255.255.0
    Traffic Statistics for "core-inside":
    241633 packets input, 12094352 bytes
    44788 packets output, 3032584 bytes
    109732 packets dropped
    Interface TenGigabitEthernet0/9.130 "VLAN130", is down, line protocol is down
    MAC address 442b.0330.aba3, MTU 1500
    IP address 10.121.130.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN130":
    1264203 packets input, 136452168 bytes
    326080 packets output, 69216516 bytes
    794035 packets dropped
    Interface TenGigabitEthernet0/9.136 "VLAN136", is down, line protocol is down
    MAC address 442b.0330.aba3, MTU 1500
    IP address 10.121.136.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN136":
    374547 packets input, 23696109 bytes
    51186 packets output, 3324895 bytes
    173500 packets dropped
    Interface GigabitEthernet0/1 "internet-outside", is down, line protocol is down
    MAC address 442b.0330.ab9b, MTU 1500
    IP address 167.9.6.X, subnet mask 255.255.255.0
    Traffic Statistics for "internet-outside":
    352158 packets input, 17245425 bytes
    76888 packets output, 3872904 bytes
    12255 packets dropped
    Interface GigabitEthernet0/2 "internet-dmz", is down, line protocol is down
    MAC address 442b.0330.ab9c, MTU 1500
    IP address 10.121.201.X, subnet mask 255.255.255.0
    Traffic Statistics for "internet-dmz":
    237795 packets input, 12460108 bytes
    40787 packets output, 2775684 bytes
    27378 packets dropped
    Interface GigabitEthernet0/4 "VLAN140", is down, line protocol is down
    MAC address 442b.0330.ab9e, MTU 1500
    IP address 10.121.140.X, subnet mask 255.255.255.0
    Traffic Statistics for "VLAN140":
    386931 packets input, 18807725 bytes
    48936 packets output, 3319712 bytes
    114417 packets dropped
    We crosschecked MAC addresses and this is what we found:
    Checkpoint ARP table:
    10.121.130.101 44:2b:3:30:ab:a3 3285
    ASA ARP table:
    isxasa04/wwy-legacy# sh arp | i 10.121.130.101
    VLAN130 10.121.130.101 001a.4b06.dd45 10525
    Server real address provided by processing:
    0x001A4B06DD45
    When we saw that the Checkpoints had a different/wrong entry we shut down all the physical ports on the new ASAs (except for failover and management);
    Kevin cleared the ARP table on the Checkpoints and problem was solved;
    Later I saw this:
    isxasa04# sh int | i MAC
    MAC address 442b.0330.ab9a, MTU not set
    MAC address 442b.0330.ab9b, MTU not set
    MAC address 442b.0330.ab9c, MTU not set
    MAC address 442b.0330.ab9d, MTU 1500
    MAC address 442b.0330.ab9e, MTU not set
    MAC address 442b.0330.ab9f, MTU not set
    MAC address 442b.0330.aba0, MTU not set
    MAC address 442b.0330.aba1, MTU not set
    MAC address 442b.0330.ab98, MTU not set
    MAC address 442b.0330.ab99, MTU not set
    MAC address 442b.0330.aba2, MTU not set
    MAC address 442b.0330.aba3, MTU not set

    The ASA is proxy-ARPing those MACs. Turn off proxy ARP and put in static ARP entries until you completely shut down the Checkpoint.
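A cross-check for the MAC clash described in this thread, as an added example (not code from the thread or from Cisco): it reads the ASA's `sh int | i MAC` listing, the Check Point ARP table and the ASA's own `sh arp` output, normalises the two MAC notations the thread shows (`44:2b:3:30:ab:a3` and `442b.0330.aba3`) and flags every host IP whose Check Point ARP entry points at an ASA interface MAC. The sample tables are constructed and the function names are mine.

```python
import re

# Constructed sample modelled on the "sh int | i MAC" listing in the thread.
ASA_INTERFACE_MACS = """\
MAC address 442b.0330.ab9b, MTU not set
MAC address 442b.0330.aba2, MTU not set
MAC address 442b.0330.aba3, MTU not set
"""

# Constructed sample of a Check Point ARP table (ip mac age). Octets may drop
# leading zeros, as in the thread's "44:2b:3:30:ab:a3".
CHECKPOINT_ARP = """\
10.121.130.101 44:2b:3:30:ab:a3 3285
10.121.130.102 0:1a:4b:6:dd:46 120
10.121.130.2 44:2b:3:30:ab:a3 3300
"""

# Constructed sample of the ASA's own ARP table ("sh arp" style).
ASA_ARP = """\
VLAN130 10.121.130.101 001a.4b06.dd45 10525
VLAN130 10.121.130.102 001a.4b06.dd46 9000
"""


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits, accepting colon form
    (with or without leading zeros) or Cisco dotted form."""
    parts = re.split(r"[:.\-]", mac.strip().lower())
    if len(parts) == 6:       # aa:bb:cc:dd:ee:ff, possibly "44:2b:3:30:ab:a3"
        return "".join(p.zfill(2) for p in parts)
    if len(parts) == 3:       # 442b.0330.aba3
        return "".join(p.zfill(4) for p in parts)
    raise ValueError("unrecognised MAC format: %r" % mac)


def parse_asa_macs(text):
    """Collect the ASA's interface MACs from 'sh int | i MAC' output."""
    return {normalize_mac(m) for m in re.findall(r"MAC address (\S+),", text)}


def parse_checkpoint_arp(text):
    """Map ip -> normalised MAC from a Check Point ARP listing."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            entries[fields[0]] = normalize_mac(fields[1])
    return entries


def parse_asa_arp(text):
    """Map ip -> normalised MAC from ASA 'sh arp' output (iface ip mac age)."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            entries[fields[1]] = normalize_mac(fields[2])
    return entries


def find_arp_clashes(asa_mac_text, checkpoint_arp_text, asa_arp_text,
                     asa_interface_ips=()):
    """Return {ip: (checkpoint_mac, asa_view_of_mac_or_None)} for every host
    whose Check Point ARP entry carries an ASA interface MAC. Addresses that
    legitimately belong to the ASA (its own interface IPs) are skipped."""
    asa_macs = parse_asa_macs(asa_mac_text)
    cp_arp = parse_checkpoint_arp(checkpoint_arp_text)
    asa_arp = parse_asa_arp(asa_arp_text)
    clashes = {}
    for ip, mac in cp_arp.items():
        if mac in asa_macs and ip not in asa_interface_ips:
            clashes[ip] = (mac, asa_arp.get(ip))
    return clashes
```

Run it after bringing up any second gateway on a shared segment; a non-empty result is the symptom the thread describes, and the second tuple element shows what the ASA itself has learned for that host.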

  • Cisco PIX to Cisco ASA Migration Tool

    Hello,
    I would appreciate any help to download the Cisco PIX to ASA migration tool referred to at
    http://www.cisco.com/en/US/partner/docs/security/asa/migration/release/notes/pix2asarn.html#wp39336
    Thanks in Advance
    Francisco Almeida

    As a registered user, go to the download page for Pix Software here.
    Navigate on the menu tree to "Version 1.0" and you should see the software available to download:

  • ASA Migration Problems

    Hi,
    I'm trying to migrate a configuration of an ASA 5520 (Version: ASA 8.0(5)) to an ASA 5585 (Version: 8.4(2)). I keep getting some errors which are included below. I've been struggling with these for a couple of weeks and have read the documentation on cisco.com (http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html) and also some pages on this forum. Some lines, about which I wasn't able to find any information, are written in bold. Any help is appreciated. Thanks.
    INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201203062349.log'
    Reading from flash...
    !!!!!!!!!!!!!!!!!!!WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    WARNING: MIGRATION: Failed to create acl element to track during migration
    *** Output from config line 1291, "access-group outside_acc..."
    WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    *** Output from config line 1292, "access-group inside_acce..."
    WARNING:
    MIGRATION: NAT Exempt command is encountered in config.
    Static NATs which overlap with NAT Exempt source are not migrated.
    Please check migrated ACLs for accuracy.
    *** Output from config line 1293, "access-group DMZ_access_..."
    WARNING: MIGRATION: During migration of access-list <XXXXXXX> expanded
    this object-group ACE
        permit object-group DM_INLINE_SERVICE_5 XXX 255.255.255.0 DMZnet 255.255.255.0
    WARNING: MIGRATION: Failed to create acl element to track during migration
    *** Output from config line 1298, "access-group XXXXX..."
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 2
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 3
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 4
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 5
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 6
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 7
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 8
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 9
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 10
    ERROR: MIGRATION: No memory to create migrated service-policy element
    ERROR: Problem with interface 11
    *** Output from config line 1797, "service-policy global-po..."
    NAT migration logs:
    The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
    nat (inside) 1 access-list inside_nat_outbound
    WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
    global (outside) 10 interface
    nat (inside) 0 logserver 255.255.255.255
    WARNING: The following identity NAT was not migrated. If required, an appropriate bypass NAT rule needs to be added.
    nat (inside) 0 logserver 255.255.255.255
    The following 'nat' command didn't have a matching 'global' rule on interface 'dmz' and was not migrated.
    nat (inside) 1 icnetwork 255.255.0.0
    ERROR: MIGRATION: No memory to create migrated service-policy element
    The following 'nat' command didn't have a matching 'global' rule on interface 'TAV' and was not migrated.
    nat (dmz) 1 access-list dmz_nat_outbound
    INFO: NAT migration completed.
    ERROR: an object-group with the same name (egitim) exist.
    WARNING: Failed to create an object for name 'egitim' in the following ACL:
    access-list DMZ_access_in extended permit tcp host 9.1.1.90 object-group egitim any

    Ummm,
    Did you possibly try the default username/password combination? (cisco/cisco) It should then prompt you to change these settings once you gain access. I'm not familiar with how the migration works, if it transitions the user accounts over or you end up starting from scratch. Give that a try and hopefully it gets you into your new system.

  • ASA Migration of DHCP Scope to a Server

    Hello All,
    We migrated the DHCP scope from the ASA to a MS DHCP server with this configuration:
    group-policy BV-SSL1 internal
    group-policy BV-SSL1 attributes
    no address-pools value remotepool4 remotepool2 remotepool3
    no intercept-dhcp enable
    dhcp-network-scope 10.180.49.0
    exit
    tunnel-group BVVPN10 general-attributes
    no address-pool remotepool2
    no address-pool remotepool3
    no address-pool remotepool4
    dhcp-server 10.182.14.55
    exit
    tunnel-group BV-SSL general-attributes
    no address-pool remotepool2
    no address-pool remotepool3
    no address-pool remotepool4
    dhcp-server 10.182.14.55
    exit
    no vpn-addr-assign aaa
    no vpn-addr-assign local
    vpn-addr-assign dhcp
    This ran fine until we used all 254 addresses that were specified in the dhcp-network-scope.
    My question is: should I have specified dhcp-network-scope none so that all 3 scopes can be used to hand out IP addresses to the remote users?
    Thanks,
    Kimberly

    Okay, that's at least a good start. Can you monitor the ULS logs while you attempt to browse to the site to see what form of error(s) you're getting?
    Trevor Seward
    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Checkpoint and ASA

    Inside I have 2 networks: 10.10.x.x and a 10.199.x.x
    My ASA interfaces were the following:
    E0/0 Public IP
    E0/1 10.199.1.2/24
    E0/2 10.10.144.47/22
    I put a checkpoint in front of the ASA and changed to the following:
    Checkpoint Ext. 10.10.144.47/22
    Checkpoint Int. 192.168.1.1/30
    ASA E0/1 10.199.1.2/24
    ASA E0/2 192.168.1.2/30
    Now I am having trouble talking between the networks 10.199.x.x and 10.10.144.x
    I have attached ASA config.
    Thanks in advance on any help provided

    Hi,
    So if I am reading this correctly, the "insideNOV" interface leads to the Checkpoint which has the other LAN network behind it?
    The interface ACL for the interface is not really clear to me as it contains a lot of "name" and "object-group" references which are not mentioned. It seems though that on multiple occasions you have referenced the NOV network as the destination. Should this not be the source network as that network is located behind that interface?
    Also with regards to the routing you have only shared your Default Route in the configuration.
    Do you have a route for the NOV network towards "insideNOV" ?
    route insideNOV 10.10.144.0 255.255.252.0 192.168.1.1
    Does the Checkpoint have the appropriate routing and other configurations to allow the traffic?
    - Jouni

  • Migrate PIX to ASA tools

    Can anyone provide me with the PIX to ASA migration tools? I can't seem to find them. Are they still available?
    Mike

    Hi,
    Never used this myself.
    Here's a guide to getting the tool:
    http://www.cisco.com/en/US/docs/security/asa/migration/guide/pix2asa.html#wp290854
    I'd assume though that you will need a CCO account with a service contract. I couldn't download the software as we don't have any of the contracts under my name/account.
    Looking at the whole "path" to the tool download, it seems to be the following:
    Downloads Home ->
    Products ->
    Security ->
    Firewalls ->
    Adaptive Security Appliances (ASA) ->
    Cisco PIX Firewall Software ->
    PIX Firewall Software-1.0
    You might need to "hop through" a couple of drop-down menus to get to Software 1.0, under which you will find the download link. I can't test it at the moment.
    - Jouni

  • Upgrade_startup_errors while upgrading IOS

    Hi all,
    I have upgraded the IOS on ASA 5505.
    After doing the upgrade I did sh flash:
    126  1189        Sep 28 2012 17:27:39  upgrade_startup_errors_201209282327.log
    I need to know what these errors are. Is my startup config changed?
    Do I need to do something for the startup config?
    Thanks
    Mahesh

    I assume that you upgraded from 8.2 or a lower version to 8.3 or higher? That's why the error logs are getting generated, as it is a major upgrade of the NAT and ACL features.
    Those are most probably just warning messages that you don't quite need to worry about.
    You can view the logs from the ASA:
    mor flash:/upgrade_startup_errors_201209282327.log
    Here is the ASA migration documentation to version 8.3 or later for your reference:
    http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

  • FWSM Error

    Dear Experts
    pls find the attached error
    I am trying to convert the running config file of the FWSM to an ASA module (.TXT) following the migration document mentioned below. I am using the migration tool for Windows, but I couldn't migrate because of the attached error from the tool. My FWSM is used as a single context. Does anybody have experience with this tool?
    From version 8.3 onwards there is no nat-control command, and in my FWSM I have plenty of connections between the VLAN interfaces with only an access-list. So if there is no NAT rule matching the incoming packet, does the packet get dropped, or simply passed through as is?
    http://www.cisco.com/en/US/docs/security/asa/migration/fwsm/fwsm2asasm.html
    Thanks

    Hi,
    You need to create an empty .txt file in the directory which you select and add the file name in the path of the directory manually.
    This will successfully convert the configuration.
    For Ex:- If you select the directory as:-
    C:\Users\Desktop
    Then go ahead and create an empty file with the .txt extension (file.txt) and manually add the filename in the output file field:
    C:\Users\Desktop\file.txt
    I tried this and it worked.
    Thanks and Regards,
    Vibhor Amrodia

  • Cisco IPS 4200 Series Feature

    Can the Cisco IPS 4200 support RADIUS for user authentication?
    Can the Cisco IPS 4200 support SYSLOG for sending logging to an outside server?

    Are you kidding me? Then how do you explain the fact that security devices such as Checkpoint and ASA firewalls are allowed authentication via TACACS/RADIUS and you can send syslog back to a syslog server? Normally the information gets sent back via the Command and Control (C&C) interface, which should be on a secure network in the first place.
    This is a limitation of the IDS itself. I have not tried version 5.x or 6.x yet, but if they are similar to version 4.1, then they are nothing but a Linux box. You can "shell" into the box and install PAM on it so that you can use external authentication such as RADIUS/TACACS or even LDAP.

  • 6500 fwsm to isdm converter software

    Does anyone know where fwsm_migration.exe can be found ?
    ref -
    http://www.cisco.com/en/US/customer/docs/security/asa/migration/fwsm/fwsm2asasm.html#wp316828

    You can get it here: FWSM Migration Tool

  • Any tool to migrate from a Nokia/CheckPoint firewall to CISCO ASA

    Would like to know if there is any tool that could help to migrate CheckPoint firewall objects and rules database to CISCO ASA equivalent ;
    Could the last CISCO Security Manager product help in this process ?
    thanks in advance

    Joel, you may need to use a firewall analyser or firewall auditing tool to retrieve the firewall rules from the Nokia/FW-1 in a legible format, such as LFA, but you will still need to manually enter the configuration into the ASA.
    Check this link and look for (LFA) Lumeta firewall analyser, they work along with checkpoint..
    http://www.lumeta.com/
    Also reference this thread, it may help.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7e5c4
    HTH
    Jorge

  • Site to site VPN between cisco asa 5550 and checkpoint r75

    Hi all ,
    below is cisco asa config for our customer end:
    crypto ipsec transform-set chello-transform esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto isakmp policy 10
      authentication pre-share
      encryption 3des
      hash sha
      group 2
      lifetime 86400
    What should i configure on checkpoint for first phase and second phase ?
    Regards,
    Suhail

    In the Checkpoint VPN community, the default setting for phase 1 is 86400 seconds, so you're good there. The Phase II default is 28,800, so you need to edit the parameter and change it to 3600. The rest is the same as Cisco, with the exception of the lifetime in kilobytes, which CP does not have.
    Easy right?

  • Migration ASA 8.6.1.10 to 9.0.2

    My question is:
    are there any specific migration paths from ASA release 8.6 to 9.0?
    I have observed that no migration is done for the object ANY to ANY4.
    I have observed that migration is done from ASA 8.4.6 to 9.0.

    Hi,
    To my understanding the 8.6 software level is basically the starting software level of the new ASA5500-X series.
    I guess you could consider 8.3 or 8.4 the first new software versions of the original ASA5500 series.
    With that being said, it would seem to me that if you have an ASA5500-X series device there is not really any software jump you can do from 8.6 other than to the 9.0 or 9.1 series software.
    I have mostly switched between 8.x and 9.x software on my test ASAs and have not faced any problems so far.
    It would seem strange to me that no ACL migration would be done from 8.6 to 9.0. The release notes do suggest that this should happen. I do have a new ASA5515-X but haven't had the time to test it much yet.
    - Jouni

  • Quick question re: migration of nat exemption from asa pre-8.2 to post-8.2

    I am going through http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.pdf and I have a question about nat exemption.  According to the guide above, the migration of nat exemption will look like this:
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    object network obj-vLan201
    subnet vLan201 255.255.255.0
    object network obj-172.19.252.0
    subnet 172.19.252.0 255.255.255.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
    My question is this: if acl inside_nat0_outbound has multiple ACEs, does the migrated configuration contain a separate "nat (inside,any)" statement for each ACE in the original pre-8.3 config, like this?
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
    nat (inside) 0 access-list inside_nat0_outbound
    object network obj-vLan201
    subnet vLan201 255.255.255.0
    object network obj-172.19.252.0
    subnet 172.19.252.0 255.255.255.0
    object network obj-172.19.253.0
    subnet 172.19.253.0 255.255.255.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.252.0 obj-172.19.252.0
    nat (inside,any) source static obj-vLan201 obj-vLan201 dest static obj-172.19.253.0 obj-172.19.253.0
    Our current acl has about twenty entries, which would make for twenty nat statements, if this is right.
    Thanks,
    -Mathew

    Hi,
    Default behaviour for NAT past 8.2 software level is to let traffic flow through the ASA without NAT. Before that "nat-control" setting on the ASA defined if the traffic needed a NAT configuration or not.
    If your NAT0 / NAT Exempt configurations contain statements meant for VPN connections then you have to make new ones for those.
    Are the entries in your old NAT0 configurations meant for traffic between different networks in your own LAN or are they meant for different VPN connections? Or perhaps both.
    But as you said, moving to the new software does mean that even some simple NAT configuration will now contain more configurations than in the old software.
    - Jouni
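As an added illustration of the pattern the poster quotes from the migration guide (this is not a Cisco tool and not code from the thread): a small converter that takes a pre-8.3 `nat 0 access-list` configuration and emits one network-object pair plus one identity twice-NAT statement per ACE, so a twenty-ACE list does produce twenty `nat` statements, with each object defined only once. It also accepts `host` operands; `any` is deliberately left for manual review. The input is constructed, and the full `destination` keyword is used where the guide writes `dest`.

```python
# Constructed pre-8.3 fragment, following the two-ACE example in the question.
OLD_CONFIG = """\
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip vLan201 255.255.255.0 172.19.253.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""


def parse_operand(tokens):
    """Consume one ACE operand: 'host A' or 'A MASK'.
    Returns (object_name, object_body_line, remaining_tokens)."""
    if tokens[0] == "host":
        addr = tokens[1]
        return "obj-" + addr, "host " + addr, tokens[2:]
    if tokens[0] == "any":
        # Identity NAT for 'any' needs a human decision; do not guess.
        raise ValueError("'any' in a nat 0 ACL needs manual review")
    addr, mask = tokens[0], tokens[1]
    return "obj-" + addr, "subnet %s %s" % (addr, mask), tokens[2:]


def migrate_nat_exempt(old_config):
    """Expand every 'nat (IF) 0 access-list NAME' into one identity twice-NAT
    statement per ACE of NAME, preceded by the object definitions it needs."""
    acl_aces = {}   # acl name -> list of token lists after 'permit'
    nat0 = []       # (interface, acl name) pairs from 'nat (IF) 0 access-list'
    for line in old_config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and "permit" in t:
            acl_aces.setdefault(t[1], []).append(t[t.index("permit") + 1:])
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0.append((t[1].strip("()"), t[4]))

    objects = {}    # object name -> body line; emitted once even if reused
    nat_lines = []
    for iface, acl in nat0:
        for ace in acl_aces.get(acl, []):
            rest = ace[1:]                       # skip the protocol ('ip')
            src_name, src_body, rest = parse_operand(rest)
            dst_name, dst_body, rest = parse_operand(rest)
            objects.setdefault(src_name, src_body)
            objects.setdefault(dst_name, dst_body)
            nat_lines.append(
                "nat (%s,any) source static %s %s destination static %s %s"
                % (iface, src_name, src_name, dst_name, dst_name))

    out = []
    for name, body in objects.items():
        out.append("object network " + name)
        out.append(" " + body)
    return out + nat_lines
```
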
