01-16-2019 11:59 AM - edited 01-16-2019 12:07 PM
I am working on a migration/upgrade project to take a Cisco 2901 router and repalce with a PA-220. I'm not sure how to configure some items. Here are some of the existing Cisco router config that I need help with on how to replicate in the 220:
ip nat pool GUEST 10.253.84.123 10.253.84.123 netmask 255.255.255.248 ***note, redacted public IP address ***
ip nat inside source static tcp 10.47.20.105 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 10.47.20.105 3389 interface GigabitEthernet0/1 3390
ip nat inside source route-map GUEST_NAT pool GUEST overload
ip nat inside source route-map NAT interface GigabitEthernet0/1 overload
ip nat inside source static 10.47.5.22 172.16.221.33 route-map 2EDF
ip nat inside source static 10.47.5.21 172.16.221.34 route-map 2EDF
ip nat inside source static 10.47.28.100 172.16.221.35 route-map 2EDF
ip nat inside source static 10.47.20.22 172.16.221.36 route-map 2EDF
ip nat inside source static 10.47.20.5 172.16.221.37 route-map 2EDF
ip nat inside source static 10.47.20.11 172.16.221.38 route-map 2EDF
ip nat inside source static 10.47.20.12 172.16.221.39 route-map 2EDF
ip nat inside source static 10.47.20.26 172.16.221.40 route-map 2EDF
ip nat inside source static 10.47.20.27 172.16.221.41 route-map 2EDF
ip nat inside source static 10.47.20.50 172.16.221.42 route-map 2EDF
ip nat inside source static 10.47.20.51 172.16.221.43 route-map 2EDF
!
ip access-list extended GUEST_NATING
remark * Permit IP from misc inside networks to EDF corporate networks over VPN
permit ip object-group MISC-INSIDE-Networks object-group EDF-Remote-Networks-For-Internal-Access
remark * Permit IP from data network to server network - 2018-04-13_DD
permit ip 10.47.50.0 0.0.0.255 10.47.20.0 0.0.0.255
ip access-list extended OUTSIDE_NETS
remark ***** Change Log
remark ***** 2018-04-03_DD - ACL Created
remark ***** 2018-04-04_DD - Added EDF OCC lines
remark ***** 2018-04-05_DD - Added ThirdParty permit
remark ***** 2018-04-19_DD - Modified ThirdParty access to be specific to router
remark ***** 2018-04-20_DD - Added TCP:3390 access to ThirdParty PC translation
remark ****** GENERAL ********
remark *** Permit ICMP from ANY to ANY
permit icmp any any
remark ****** NETWORK MANAGEMENT ****
remark * IP from SET Public networks
permit ip object-group EASE-SET_Public_Networks any
remark ****** VPN ******
remark ** IP from VPN endpoints
permit ip object-group VPN_Endpoints any
remark **** APPLICATIONS ******
remark * IP from EDF OCC networks - 2018-04-04_DD
permit ip 172.16.200.0 0.0.0.255 any
permit ip 172.16.202.0 0.0.0.255 any
permit ip 172.16.207.0 0.0.0.255 any
permit ip 172.16.208.0 0.0.0.255 any
remark * TCP:443/OpenVPN and RDP on TCP:3390 from ThirdParty server @ router-01 - 2018-04-20_DD
permit tcp object-group Whitelisted-Hosts-ThirdParty host XXX.XXX.XXX.XXX eq 443
permit tcp object-group Whitelisted-Hosts-ThirdParty host XXX.XXX.XXX.XXX eq 3390
remark *** Deny everything else
deny ip any any
ip access-list extended SERVER_NET
remark ***** Change Log
remark ***** 2018-04-04_DD - ACL Created
remark ***** 2018-04-13_DD - Added access to EDF corporate network over VPN
remark ***** 2018-05-14_DD - Added access from ThirdParty PC to Vendor WPS DB server | SET TID 2341
remark ***** 2018-05-14_DD - Added access from ThirdParty PC to Vendor WPS Online server | SET TID 2341
remark ***** 2018-05-18_DD - Added access from ThirdParty PC to RTAC | SET TID 2364
remark ****** GENERAL ********
permit udp any any eq bootps
remark *** Permit ICMP from ANY to ANY
permit icmp any any
remark * permit NTP from subnet to any [server time sync]
permit udp 10.47.20.0 0.0.0.255 any eq ntp
permit tcp 10.47.20.0 0.0.0.255 any eq 123
remark ****** APPLICATIONS ********
remark * permit specific ports from subnet to specific Vendor devices
permit tcp 10.47.20.0 0.0.0.255 host 10.47.28.100 eq www
permit tcp 10.47.20.0 0.0.0.255 host 10.47.28.102 eq www
permit tcp 10.47.20.0 0.0.0.255 host 10.47.28.102 eq 1433
permit tcp 10.47.20.0 0.0.0.255 host 10.47.28.100 eq 21379
remark * permit Modbus access from specific servers to specific Vendor devices
permit tcp host 10.47.20.22 host 10.47.28.104 eq 502
permit tcp host 10.47.20.22 host 10.47.28.105 eq 502
permit tcp host 10.47.20.22 host 10.47.28.100 eq 502
permit tcp host 10.47.20.23 host 10.47.28.100 eq 502
permit tcp host 10.47.20.23 host 10.47.28.104 eq 502
permit tcp host 10.47.20.23 host 10.47.28.105 eq 502
permit tcp host 10.47.20.24 host 10.47.28.105 eq 502
permit tcp host 10.47.20.24 host 10.47.28.104 eq 502
permit tcp host 10.47.20.24 host 10.47.28.100 eq 502
remark * permit specific TCP access from subnet to specific substation devices
remark * HMI PC access
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.21 eq 3389
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.21 eq 445
remark * RTAC access
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.22 eq 443
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.22 eq 1217
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.22 eq 20000
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.22 eq 22
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.22 range 5432 5433
remark * Meter access
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.23 eq telnet
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.24 eq telnet
remark * DFR access
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.25 eq 2000
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.25 eq 7631
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.25 eq 1023
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.25 eq 1081
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.25 eq 4712
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.25 eq ftp
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.25 eq telnet
remark * Additional RTAC access
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.22 range 2001 2027
permit tcp 10.47.20.0 0.0.0.255 host 10.47.5.22 range 3001 3027
remark * permit specific TCP access from specific servers to specific substation devices
remark * Additional RTAC access
permit tcp host 10.47.20.26 host 10.47.5.22 eq 5000
permit tcp host 10.47.20.26 host 10.47.5.22 eq 55005
permit tcp host 10.47.20.26 host 10.47.5.22 eq 56005
permit tcp host 10.47.20.26 host 10.47.5.22 eq 3064
remark * Additional DFR access from specific server
permit ip host 10.47.20.26 host 10.47.5.25
remark * Additional RTAC access from specific server
remark * Permit IP from subnet to EDF corporate networks over VPN - 2018-04-13_DD
permit ip 10.47.20.0 0.0.0.255 object-group EDF-Remote-Networks-For-Internal-Access
remark * Permit TCP:1433[SQL] from ThirdParty PC to Vendor WPS DB Server - 2018-05-14_DD | SET TID 2341
permit tcp host 10.47.20.105 host 10.47.28.101 eq 1433
remark * Permit TCP:21379 from ThirdParty PC to Vendor WPS Online Server - 2018-05-14_DD | SET TID 2341
permit tcp host 10.47.20.105 host 10.47.28.100 eq 21379
remark * Permit TCP:1047 [MODBUS] from ThirdParty PC to RTAC - 2018-05-18_DD | SET TID 2364
permit tcp host 10.47.20.105 host 10.47.5.22 eq 1024
remark ****** Deny IP from subnet to all other private networks
deny ip 10.47.20.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.47.20.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 10.47.20.0 0.0.0.255 172.16.0.0 0.15.255.255
remark ****** Permit IP from entire subnet to any-else [unrestricted Internet access]
permit ip 10.47.20.0 0.0.0.255 any
remark ***** 2018-07-18_SR - Added Access from CLIR to Vendor WPS DB server | SET TID 2342
remark ***** 2018-07-18_SR - Added Access from CLIR to Vendor WPS Online server | SET TID 2342
remark * Permit TCP:1433[SQL] from CLIR to Vendor WPS DB Server - 2018-07-18_SR | SET TID 2342
permit tcp host 172.31.41.140 host 10.47.28.101 eq 1433
ip access-list extended Vendor-TRANSIT_NET
remark ***** Change Log
remark ***** 2018-04-04_DD - ACL Created
remark ****** GENERAL ********
remark *** Permit ICMP from ANY to ANY
permit icmp any any
remark *** Permit MODBUS from select Vendor devices to RTAC
permit tcp host 10.47.28.104 host 10.47.5.22 eq 502
permit tcp host 10.47.28.105 host 10.47.5.22 eq 502
permit tcp host 10.47.28.100 host 10.47.5.22 eq 502
permit ip host 10.47.28.104 object-group EDF-Remote-Networks-For-Vendor-Access
permit ip host 10.47.28.105 object-group EDF-Remote-Networks-For-Vendor-Access
permit ip host 10.47.28.100 object-group EDF-Remote-Networks-For-Vendor-Access
permit ip host 10.47.28.100 object-group EDF-Local-Networks-For-Vendor-Access
remark ****** Deny IP from entire subnet to private networks
deny ip 10.47.28.0 0.0.3.255 10.0.0.0 0.255.255.255
deny ip 10.47.28.0 0.0.3.255 192.168.0.0 0.0.255.255
deny ip 10.47.28.0 0.0.3.255 172.16.0.0 0.15.255.255
remark ****** Permit IP from entire subnet to any-else [unrestricted Internet access]
permit ip 10.47.28.0 0.0.3.255 any
ip access-list extended SUBSTATION-CONTROL_NET
remark ***** Change Log
remark ***** 2018-04-03_DD - ACL Created
remark ****** GENERAL ********
remark *** Permit ICMP from ANY to ANY
permit icmp any any
remark ****** GENERAL ********
remark * MODBUS access from HMI PC / RTAC to select Vendor devices
permit tcp host 10.47.5.21 host 10.47.28.104 eq 502
permit tcp host 10.47.5.21 host 10.47.28.105 eq 502
permit tcp host 10.47.5.22 host 10.47.28.105 eq 502
permit tcp host 10.47.5.22 host 10.47.28.104 eq 502
permit tcp host 10.47.5.22 host 10.47.28.100 eq 502
permit tcp host 10.47.5.21 host 10.47.28.100 eq 502
ip access-list extended WIRELESS-GUEST_NET
remark ***** Change Log
remark ***** 2018-04-03_DD - ACL Created
remark ***** 2018-04-04_DD - adapted lines to be subnet-specific, added remarks, renamed ACL
remark ****** GENERAL ********
remark * permit DHCP requests
permit udp any any eq bootps
remark *** Permit ICMP from ANY to ANY
permit icmp any any
remark ****** Applications ****
remark * permit IP from entire subnet to printer
permit ip 10.47.55.0 0.0.0.255 host 10.47.50.20
remark ****** Deny IP from entire subnet to private networks
deny ip 10.47.55.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 10.47.55.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 10.47.55.0 0.0.0.255 172.16.0.0 0.15.255.255
remark ****** Permit IP from entire subnet to any-else [unrestricted Internet access]
permit ip 10.47.55.0 0.0.0.255 any
ip access-list extended WIRELESS-INTERNAL_NET
remark ***** Change Log
remark ***** 2018-04-03_DD - ACL Created
remark ***** 2018-04-13_DD - Added HSRP access, access to corporate network [across VPN]
remark ****** GENERAL ********
remark * permit DHCP requests
permit udp any any eq bootps
remark *** Permit ICMP from ANY to ANY
permit icmp any any
remark ****** Permit IP from entire subnet to any [unrestricted internal/Internet access]
permit ip 10.47.52.0 0.0.0.255 any
route-map GUEST_NAT permit 10
match ip address GUEST_NATING
!
route-map NAT permit 10
match ip address NATING
!
route-map 2EDF permit 10
match ip address 105
access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.200.0 0.0.0.255
access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.202.0 0.0.0.255
access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.207.0 0.0.0.255
access-list 101 permit ip 172.16.221.32 0.0.0.15 172.16.208.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
If anyone can point me to how to translate some of this to the PA-220, or give me an example, I'd really appreaciate it. I've worked on Cisco routers enough to be familiar with the syntax and how to set up the above config, but I don't quite know how it translates to Paloalto. Also, to my chargin, the Expidition migration tool does not migrate a router, only firewalls 🙂 (I suppose that makes sense, but I wish it did).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
