Migrate Cisco ASA to FortiGate

Author
Ydaew
Bronze Member
  • Total Posts : 30
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/05/30 05:06:21
  • Status: offline
2019/08/24 21:53:20 (permalink)
0

Migrate Cisco ASA to FortiGate

Hello, 
Since FortiConverter is not a free tool, any advice for migrating from Cisco ASA to FortiGate smoothly?
 
 
#1
boneyard
Gold Member
  • Total Posts : 158
  • Scores: 8
  • Reward points: 0
  • Joined: 2014/07/30 11:15:18
  • Status: offline
Re: Migrate Cisco ASA to FortiGate 2019/08/26 05:57:30 (permalink)
0
Depending on when you bought the FortiGate, FortiConverter is a free service.
 
But if that isn't an option, then you'd best understand what the ASA does very well. Then it is not that hard to configure the FortiGate in a similar way if you understand FortiGate also. If there is an issue with understanding one of them, look for assistance; that will probably also come with a price.
 
 
#2
Ydaew
Bronze Member
Re: Migrate Cisco ASA to FortiGate 2019/08/26 06:01:29 (permalink)
0
boneyard
depending on when you bought the FortiGate FortiConverter is a free service.
 

 
You mean we can ask for this product for free, since the equipment has been purchased recently?
 
#3
boneyard
Gold Member
Re: Migrate Cisco ASA to FortiGate 2019/08/26 06:21:00 (permalink)
0
Not the product, but a FortiConverter service is available.
 
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiConverter.pdf
 
Unfortunately I now see it is a purchased service also, probably cheaper than the FortiConverter license, which is quite affordable and probably easier to purchase when you buy the equipment than later.
 
#4
Ydaew
Bronze Member
Re: Migrate Cisco ASA to FortiGate 2019/08/26 06:25:21 (permalink)
0
Thank you. I'm only stuck on NAT policy migration; I think I will try to handle it, since ASA NAT is a bit confusing.
#5
boneyard
Gold Member
Re: Migrate Cisco ASA to FortiGate 2019/08/26 06:35:45 (permalink)
0
Yeah, that is a tricky one. ASA can NAT in too many different ways, sometimes with very limited configuration.
 
With Fortinet you generally use VIPs and IP Pools for NAT. To create a good mapping you should understand what exactly is and isn't NATted on the ASA, and then build the FortiGate configuration.
#6
Elthon Abreu
Bronze Member
  • Total Posts : 50
  • Scores: 2
  • Reward points: 0
  • Joined: 2014/04/29 11:37:55
  • Location: Brazil
  • Status: offline
Re: Migrate Cisco ASA to FortiGate 2019/09/17 17:03:23 (permalink)
0
Ydaew

 
You can download the FortiConverter Python-based free tool from the support site (Download > Product=FortiConverter > Download: / FortiConverter/ v5.00/ 5.6/ 5.6.2/ FortiConverterSetup_5.6.2_Build0541.py.exe).
 
I used it a few weeks ago and it was easy peasy...
 

Elthon Abreu
FCNSA v5
#7
Ydaew
Bronze Member
Re: Migrate Cisco ASA to FortiGate 2019/09/18 02:06:43 (permalink)
0
Elthon Abreu
 
Hi Elthon, 
I did test it before, but I wasn't able to get the configuration due to a limitation of the free version, where you can just see the results and not get the configuration file.
Were you able to export the configuration?
 
Thanks
#8
Elthon Abreu
Bronze Member
Re: Migrate Cisco ASA to FortiGate 2019/09/18 07:23:02 (permalink)
0
Ydaew,
 
Did you try the Python version? 

Elthon Abreu
FCNSA v5
#9
boneyard
Gold Member
Re: Migrate Cisco ASA to FortiGate 2019/09/18 23:50:42 (permalink)
0
The new (Python) version is not free; both the legacy and the new version require a license (which is shared between both).
 
from the release notes:
For all 3rd party conversions, you can complete a conversion and view the results in the tuning page. All other functionality is disabled until you upload the full license. In most cases, this limited functionality is sufficient to allow you to evaluate the product.
#10
emnoc
Expert Member
  • Total Posts : 5301
  • Scores: 347
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Migrate Cisco ASA to FortiGate 2019/09/19 01:02:00 (permalink) (marked helpful by Ydaew 2019/09/19 04:38:14)
0
You do not need a conversion tool in order to do NAT. Look at each NAT and apply it as central NAT or per-policy NAT as required. The concepts are the same between Cisco ASA and FortiOS.
 
 
 
# Cisco ASA: object (auto) NAT, static 1:1 DNAT
object network webserverdnat
 host 172.7.72.11
 nat (inside,outside) static 1.0.0.111

# FortiOS equivalent: VIP, 1:1 on all ports
config firewall vip
    edit "webserverdnat"
        set comment "DNAT to RFC1918"
        set extintf "wan1"
        set extip 1.0.0.111
        set mappedip "172.7.72.11"
    next
end

# Cisco ASA: object NAT, static DNAT with port forward
# (ASA order is: service <proto> <real_port> <mapped_port>)
object network WebServerCH3-LAMPSRV01
 host 172.7.88.101
 nat (inside,outside) static 1.0.0.1 service tcp 80 80
!

# FortiOS equivalent: VIP with port forwarding, tcp/80 only
config firewall vip
    edit "WebServerCH3-LAMPSRV01"
        set comment "DNAT to RFC1918, tcp/80"
        set extintf "wan1"
        set extip 1.0.0.1
        set mappedip "172.7.88.101"
        set portforward enable
        set protocol tcp
        set extport 80
        set mappedport 80
    next
end

# Cisco ASA: manual (twice) NAT, dynamic PAT overload of MYLAN behind one pool address
# (beware: 'source static MYLAN MYLAN destination static X X' would be identity NAT, i.e. no translation)
object network MYLAN
 subnet 172.254.12.0 255.255.255.0
object network SNATPOOL
 host 192.0.2.1
nat (inside,outside) 1 source dynamic MYLAN SNATPOOL

# FortiOS equivalent, central NAT
# (needs 'config system settings / set central-nat enable' first; "internal" is the LAN-side interface)
config firewall address
    edit "MYLAN"
        set subnet 172.254.12.0 255.255.255.0
    next
end

config firewall ippool
    edit "publicpoolA"
        set type overload
        set startip 192.0.2.1
        set endip 192.0.2.1
    next
end

config firewall central-snat-map
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set orig-addr "MYLAN"
        set dst-addr "all"
        set nat-ippool "publicpoolA"
    next
end
 
 
Those are a few examples I can think of; just determine if you want central NAT or NAT within the policy.
 
Think of central NAT the same as the Cisco ASA, Palo, Juniper, CHKP, Forcepoint NAT tables.
 
YMMV, but both are equally beneficial and easy concepts to figure out.
 
Ken Felix

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#11
Ydaew
Bronze Member
Re: Migrate Cisco ASA to FortiGate 2019/09/19 04:42:37 (permalink)
0
Thanks for the explanation. Actually I have the below cases that I'm still stuck with, due to having no experience with Cisco ASA NAT statements:
- nat (inside,outside) source static MYADD MYADD
- nat (inside,outside) source static PRV-SRV1 Pub-SRV2 destination static B1 B1 unidirectional
Your advice please.
Central NAT will be used.
post edited by Ydaew - 2019/09/19 04:44:25
#12
creed2981
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2019/09/19 09:23:00
  • Status: offline
Re: Migrate Cisco ASA to FortiGate 2019/09/19 09:28:47 (permalink)
0
I am having the same problems migrating ASA NAT to FG NAT. I used the FortiConverter but I don't know how reliable it is. If anyone has a guide it would be helpful. It is confusing when NAT involves a VPN network as a destination. Cisco has nat with (inside,outside), but would that be the same on FG? It kind of is the outside interface, but on FG you make a sub-interface within outside/wan for the VPN. I already made the VPN tunnel and static routes.
post edited by creed2981 - 2019/09/19 13:30:08
#13
boneyard
Gold Member
Re: Migrate Cisco ASA to FortiGate 2019/09/19 22:51:56 (permalink)
0
What kind of guide are you looking for? There is no exact explanation of how FortiConverter takes specific ASA config and translates it; that you will need to find out by trying.
 
The problem as I see it is that ASA has a number of ways to do NAT, and especially when you combine these, things get complicated. But that is an ASA thing, not a FortiGate thing. So if you need a clear explanation of how your ASA config works, you are better off on a Cisco / ASA forum.
 
On the FortiGate side it is quite simple.
  • For source NAT you use an IP Pool (type overload) or you NAT behind the interface; both are done at the firewall policy level. You do need to create the IP Pool first.
  • For destination NAT you use a virtual IP, which translates from destination IP X to destination IP Y. This is also done by first creating a VIP and then using it in a firewall policy.
 
If you need to source and destination NAT, you use an IP Pool and a VIP in one policy.
 
With these two elements I have been able to do all the NATting I need.
 
Yes, there is a central NAT table option, but I'm ignoring that; I have seen it used in a fraction of the cases.
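The mapping emnoc sketches in #10, the two statements Ydaew asks about in #11 (identity NAT and a "unidirectional" static) and the IP Pool / VIP model boneyard lays out in #13 all reduce to a handful of rules, which is exactly what a converter applies. The script below is an added example written for this thread; it is not code from any of the posts, nor from Fortinet's FortiConverter. It parses only the ASA statement shapes quoted in this thread (object NAT "static <ip> [service proto real_port mapped_port]" and "dynamic <object|interface>", and twice NAT "source static|dynamic REAL MAPPED [destination static MAPPED REAL] [unidirectional]") and emits FortiOS central-NAT CLI. The ASA_CONFIG inside it is constructed sample input: the object names come from the posts, the addresses are made up. ASA interface names are carried over unchanged and have to be renamed to the FortiGate's own interfaces, and "set nat disable" in a central-snat-map entry assumes FortiOS 6.2 or later, with central NAT already enabled under config system settings.

```python
"""Translate Cisco ASA (8.3+) NAT into FortiOS central-NAT objects. Added example for this thread,
not code from the posts or from Fortinet. Handles object NAT ('static <ip> [service proto rport mport]',
'dynamic <obj|interface>') and twice NAT ('source static|dynamic REAL MAPPED [destination static
MAPPED REAL] [unidirectional]'). ASA_CONFIG is constructed sample input; 'set nat disable' in
central-snat-map assumes FortiOS 6.2+, and central NAT must already be enabled on the FortiGate."""
import ipaddress
import re

ASA_CONFIG = """
object network webserverdnat
 host 172.7.72.11
 nat (inside,outside) static 1.0.0.111
object network LAMPSRV01
 host 172.7.88.101
 nat (inside,outside) static 1.0.0.1 service tcp 80 80
object network MYLAN
 subnet 172.254.12.0 255.255.255.0
object network SNATPOOL
 host 192.0.2.1
object network MYADD
 subnet 10.10.0.0 255.255.0.0
object network PRV-SRV1
 host 10.20.0.5
object network Pub-SRV2
 host 203.0.113.5
object network B1
 subnet 198.51.100.0 255.255.255.0
nat (inside,outside) source dynamic MYLAN SNATPOOL
nat (inside,outside) source static MYADD MYADD
nat (inside,outside) source static PRV-SRV1 Pub-SRV2 destination static B1 B1 unidirectional
"""
NAT_RE = re.compile(r"nat \((?P<in>[^,]+),(?P<out>[^)]+)\)(?: \d+)? (?P<rest>.*)")
TABLE = {"vip": "vip", "ippool": "ippool", "snat": "central-snat-map"}
QUOTED = {"extintf", "mappedip", "srcintf", "dstintf", "orig-addr", "dst-addr", "nat-ippool"}

def parse_asa(text):
    """Return ({object: (ip, mask)}, [(real_if, mapped_if, object_or_None, tokens)])."""
    objects, nats, cur = {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["object", "network"]:
            cur = tok[2]
        elif tok[0] in ("host", "subnet"):
            objects[cur] = (tok[1], tok[2] if tok[0] == "subnet" else "255.255.255.255")
        elif tok[0] == "nat":
            m = NAT_RE.match(raw.strip())
            # 'source ...' is twice (manual) NAT; anything else is object NAT on the current object
            nats.append((m["in"], m["out"], None if m["rest"].startswith("source") else cur, m["rest"].split()))
    return objects, nats

def vip(name, extintf, extip, mappedip):
    return {"kind": "vip", "name": name, "extintf": extintf, "extip": extip, "mappedip": mappedip}

def pool(name, ptype, ip, mask):
    end = str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).broadcast_address)
    return {"kind": "ippool", "name": name, "type": ptype, "startip": ip, "endip": end}

def snat(orig, dst, srcintf, dstintf, nat, ippool=None):
    e = {"kind": "snat", "srcintf": srcintf, "dstintf": dstintf, "orig-addr": orig, "dst-addr": dst, "nat": nat}
    return e | {"nat-ippool": ippool} if ippool else e

def translate(objects, nats):
    out = []
    for src_if, dst_if, obj, t in nats:
        if obj and t[0] == "static":  # object NAT, inbound: VIP, port-forward when 'service' is given
            v = vip(obj, dst_if, t[1], objects[obj][0])
            if len(t) > 2 and t[2] == "service":  # ASA order: service proto real_port mapped_port
                v.update(portforward="enable", protocol=t[3], extport=t[5], mappedport=t[4])
            out.append(v)
        elif obj:  # object NAT 'dynamic <pool|interface>': PAT behind a pool object or the egress interface
            if t[1] != "interface":
                out.append(pool(t[1], "overload", *objects[t[1]]))
            out.append(snat(obj, "all", src_if, dst_if, "enable", None if t[1] == "interface" else t[1]))
        else:  # twice NAT; ASA lists the destination as 'destination static MAPPED REAL'
            mode, real, mapped, dst = t[1], t[2], t[3], (t[6] if "destination" in t else "all")
            if real == mapped:  # identity NAT (exemption): match the flow but do not translate
                out.append(snat(real, dst, src_if, dst_if, "disable"))
                continue
            out.append(pool(mapped, "overload" if mode == "dynamic" else "one-to-one", *objects[mapped]))
            out.append(snat(real, dst, src_if, dst_if, "enable", mapped))
            if mode == "static" and "unidirectional" not in t:  # static is bidirectional: inbound half is a VIP
                out.append(vip(f"{mapped}_in", dst_if, objects[mapped][0], objects[real][0]))
    return out

def render(objects, items):
    """Emit FortiOS CLI: one address object per ASA object, then one config block per NAT entry."""
    lines = ["config firewall address"]
    for name, (ip, mask) in objects.items():
        lines += [f'    edit "{name}"', f"        set subnet {ip} {mask}", "    next"]
    lines.append("end")
    for n, it in enumerate(items, 1):  # central-snat-map entries are numbered, the rest are named
        lines.append(f"config firewall {TABLE[it['kind']]}")
        lines.append(f"    edit {n}" if it["kind"] == "snat" else f'    edit "{it["name"]}"')
        lines += [f'        set {k} "{v}"' if k in QUOTED else f"        set {k} {v}"
                  for k, v in it.items() if k not in ("kind", "name")]
        lines += ["    next", "end"]
    return "\n".join(lines)
```

Run it as "objs, rules = parse_asa(ASA_CONFIG); print(render(objs, translate(objs, rules)))" and diff the output against what FortiConverter gives you. The three rules worth remembering from the thread's cases: "source static X X" (with or without an identity destination) is a NAT exemption and becomes a central-snat-map entry with nat disabled; a static twice NAT with "unidirectional" is outbound only and becomes a one-to-one IP Pool with no VIP; the same statement without "unidirectional" is bidirectional on the ASA and needs the VIP for the inbound half as well. Any nat line the regex does not recognise (for example "after-auto" or a mapped object instead of an IP in object NAT) is outside what this script covers and has to be done by hand.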
#14
emnoc
Expert Member
Re: Migrate Cisco ASA to FortiGate 2019/09/19 23:05:44 (permalink)
0
FWIW
 
Most migration jobs do a sloppy job on NAT, if any are translated at all. I personally have not used FortiConverter since 2014, so I do not know if any improvements have been made. You might want to just tackle these by hand and apply them as required.

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist