I am currently trying to migrate a configuration of a Cisco ASA to PAN using Expedition.
Unfortunately, the tool is not properly migrating the NAT and corresponding security rules.
We have a NAT rule that translates the public IP (22.214.171.124) to the private IP (10.1.1.1).
In ASA the security policies are using the post-NAT IPs so the security policy says (Untrust Any -> DMZ 10.1.1.1 allow).
To achieve the same in PAN ruleset the pre-NAT IP should be used (Untrust Any -> DMZ 126.96.36.199 allow), which does not happen in Expedition.
It creates on security rule similar to the ASA rule with the post-NAT IP.
And, even stranger, it creates additional security rules with name prefix "DNAT", the pre-NAT IP as Destination but with Source-IPs that are not related to this traffic at all.
In the example above, the ASA has the "Untrust Any -> DMZ 10.1.1.1 allow" rule.
1. Name: abc123 -> Untrust Any -> DMZ 10.1.1.1 allow
2. Name: DNATxzy123 -> VPN 10.5.0.0/24 -> DMZ 188.8.131.52 allow
3. Name: DNATdef567 -> DMZ2 10.2.0.0/24 -> DMZ 184.108.40.206 allow
and some more rules like that.
To me it looks like Expedition takes the NAT rule from ASA and creates "DNAT"-security rules based on all the ASA security rules that could potentially match for the post-NAT IP.
But this is really not helpful.
And the worst part of it:
The rule that is really needed to allow the traffic (Untrust Any -> DMZ 220.127.116.11 allow) is not created by Expedition.
What am I doing wrong here?
... View more