topic Re: Migration for Cisco ASA to PAN: Security rules based on DNAT in Expedition Discussions

Migration for Cisco ASA to PAN: Security rules based on DNAT

Tim_Adelmann — Tue, 18 Oct 2022 11:37:30 GMT

Hey everyone,

I am currently trying to migrate a configuration of a Cisco ASA to PAN using Expedition.

Unfortunately, the tool is not properly migrating the NAT and corresponding security rules.

One example:

We have a NAT rule that translates the public IP (1.2.3.4) to the private IP (10.1.1.1).

In ASA the security policies are using the post-NAT IPs so the security policy says (Untrust Any -> DMZ 10.1.1.1 allow).

To achieve the same in PAN ruleset the pre-NAT IP should be used (Untrust Any -> DMZ 1.2.3.4 allow), which does not happen in Expedition.

It creates on security rule similar to the ASA rule with the post-NAT IP.

And, even stranger, it creates additional security rules with name prefix "DNAT", the pre-NAT IP as Destination but with Source-IPs that are not related to this traffic at all.

In the example above, the ASA has the "Untrust Any -> DMZ 10.1.1.1 allow" rule.

Expedition creates:

1. Name: abc123 -> Untrust Any -> DMZ 10.1.1.1 allow

2. Name: DNATxzy123 -> VPN 10.5.0.0/24 -> DMZ 1.2.3.4 allow

3. Name: DNATdef567 -> DMZ2 10.2.0.0/24 -> DMZ 1.2.3.4 allow

and some more rules like that.

To me it looks like Expedition takes the NAT rule from ASA and creates "DNAT"-security rules based on all the ASA security rules that could potentially match for the post-NAT IP.

But this is really not helpful.

And the worst part of it:

The rule that is really needed to allow the traffic (Untrust Any -> DMZ 1.2.3.4 allow) is not created by Expedition.

What am I doing wrong here?

Thanks,

Tim

Re: Migration for Cisco ASA to PAN: Security rules based on DNAT

lychiang — Tue, 18 Oct 2022 15:49:02 GMT

@Tim_Adelmann what version of expedition are you using? If you have a destination NAT rule, expedition reads the NAT rule and create a matching security rules tag with "DNAT" , the destination address is auto corrected by expedition , in your case , the destination in security policy should be auto corrected as pre-nat IP . For the security policy that has destination IP with post-nat IP, that could be you have a security policy in asa config and expedition just migrated it as is. In the "Monitor" -"Migration Log", you can review changes expedition done. Also in the NAT rule , there is a matching security rule and warning tab , you can see more details message.

Re: Migration for Cisco ASA to PAN: Security rules based on DNAT

Tim_Adelmann — Wed, 19 Oct 2022 06:30:38 GMT

@lychiang I am using Expedition 1.2.40.

Unfortunately the security rules with "DNAT" tag do not match the NAT policy.

The NAT policy has source "any" but the auto-created security policies are using sources from other security policies that are existing in the ruleset and not related to the NAT policy.

Re: Migration for Cisco ASA to PAN: Security rules based on DNAT

lychiang — Wed, 19 Oct 2022 14:54:35 GMT

Hi @Tim_Adelmann we will need the original Cisco ASA config for reviewing the issues, can you please write email to fwmigrate@paloaltonetworks.com . Thank you

Re: Migration for Cisco ASA to PAN: Security rules based on DNAT

Tim_Adelmann — Thu, 20 Oct 2022 06:06:51 GMT

Hi @lychiang, I will check with my customer, if I am okay to share the ASA config with you.