topic Re: ASA to PAN - Security Rule Based on pre-NAT Issue in Expedition Discussions

ASA to PAN - Security Rule Based on pre-NAT Issue

ROHO — Wed, 07 Nov 2018 22:20:50 GMT

Not sure if anyone else ran into this.

ASA's security policies are built based on post-NAT rules (post 8.3 OS)

With the tool, it builds the same rules with the post-NAT rules, private IP ... which will not work with PAN as the rule is built based on post-NAT, public IP.

Is there an option in the tool to convert the IP to pre-NAT?

Re: ASA to PAN - Security Rule Based on pre-NAT Issue

sjanita — Thu, 08 Nov 2018 04:04:27 GMT

The migration should have used the post-NAT IP as the destination address in a corresponding security policy.

If you open the NAT rule then open the 'Security Rules Match' does the security policy show the pre or post NAT IP address?

Re: ASA to PAN - Security Rule Based on pre-NAT Issue

ROHO — Thu, 08 Nov 2018 04:43:10 GMT

The migration tool is building the security policy based on the private IP, post-NAT.

PAN matches based on pre-NAT, public IP.

In the NAT rule, the Security Rules Match does not have an entry. The first 4 reviewed has the same behavior.

What's interesting is that the migration tool prepends the NAT rule name with "Nat Twice" Not sure if there is a reasoning for it.

Re: ASA to PAN - Security Rule Based on pre-NAT Issue

sjanita — Sat, 10 Nov 2018 12:06:32 GMT

NAT-twice indicates its likely a bi-directional NAT rule learned from the ASA config. If you can share you config to:

fwmigrate@paloaltonetworks.com I can look at it.