Security Basics mailing list archives
RE: Converting Checkpoint to ASA
From: "Lee Hilt" <lhilt () mbc edu>
Date: Sat, 2 Feb 2008 07:43:20 -0500
I would think that once you convert the rulesets, you would apply them to the proper interfaces, i.e.:

firewall(config)# interface inside
firewall(config)# access-list <name> in
firewall(config)# interface outside
firewall(config)# access-list <name> in

Then I would generate your RSA key for SSH:

firewall(config)# crypto key generate rsa modulus <modulus_size>

The modulus_size can be 512, 768, 1024, or 2048. The higher the modulus (in other words the bit-length of the key), the longer it takes to generate the key. I use 1024.

Then ensure you use SSHv2 only, which would be:

firewall(config)# ssh version 2

Then restrict admin access via SSH to a certain IP address or range:

firewall(config)# ssh 192.168.1.0 255.255.255.0 inside (range)
firewall(config)# ssh 172.22.15.165 255.255.255.255 outside (single host)

Then configure a timeout for the SSH sessions (default is 30, which is way too high):

firewall(config)# ssh timeout <minutes> (I use 10)

This is all assuming you have the IP addresses for the ASA's interfaces/subinterfaces already configured. You will have either 1, 2, or 4 (I think) Gigabit interfaces depending on your model; a 5520 has 4. They all can be broken into sub-interfaces (i.e. Gigabit 0/1.1) for your use, so you could have DMZ1, DMZ2, Outside, and Inside interfaces.

You may then, depending on your setup and whether you will have the firewall on your corpnet's IP scheme or with a separate RFC 1918 space, need to set up internal routing for that IP address scheme through either static routes or OSPF.

Don't forget NTP! (I did for a day after we upgraded.... whoops)

I hope that was the kind of stuff you were looking for with your question!
Lee Hilt

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of infolookup () gmail com
Sent: 2008-01-31 10:09
To: Cassell, Damon Z.; listbounce () securityfocus com; security-basics () securityfocus com
Subject: Re: Converting Checkpoint to ASA

Now once you convert, what's the next step to turn your Checkpoint NG into an ASA?

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: "Cassell, Damon Z." <dcassell () mitre org>
Date: Thu, 31 Jan 2008 15:03:39
To: <security-basics () securityfocus com>
Subject: RE: Converting Checkpoint to ASA

"Cisco Security Conversion Tool". It will convert Check Point databases to an ASA, PIX or FWSM config. The resulting config will need some manual cleanup. The tool was once on the Cisco site but you may have to open a TAC case or talk to your sales rep to find it.

Damon Cassell
MITRE

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dave Hunt
Sent: Thursday, January 31, 2008 12:20 PM
To: Brandon Louder
Cc: infolookup () gmail com; listbounce () securityfocus com; security-basics () securityfocus com
Subject: Re: Converting Checkpoint to ASA

I have never used it but Cisco is supposed to have a tool that will do the conversion.

-Dave

On 1/31/08, Brandon Louder <Brandon.Louder () mckennan org> wrote:

I am very interested in hearing comments on this also as I am going through the same issue. What version of Checkpoint are you currently using?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of infolookup () gmail com
Sent: Thursday, January 31, 2008 6:25 AM
To: listbounce () securityfocus com; security-basics () securityfocus com
Subject: Converting Checkpoint to ASA

Hello All,

I would like to know if anyone has done this before. Is it possible, by just getting the right IOS, I can convert my old Checkpoint to an ASA firewall? We recently got two new ASA at work and want to convert the old Checkpoint and use it in our test environment.

Thanks in advance.

Sent via BlackBerry from T-Mobile

-----------------------------------------
Confidentiality Notice: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
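The management-hardening steps Lee lists (an inbound ACL bound to each interface, SSH version 2 only, SSH restricted to named management sources, a short SSH idle timeout, and NTP) are easy to verify after a conversion by reading the running-config back. The script below is an added example and not code from this thread or from Cisco: it audits an ASA running-config excerpt for those points. Both configs it contains are constructed samples in ASA syntax (with RFC 5737 and RFC 1918 addresses), not a real device's configuration; the "hardened" one follows the post's steps using the `access-group` form that binds an ACL to an interface, the "weak" one shows a typical freshly converted state. It does not check the RSA modulus, because the generated key is not printed in the running-config text.

```python
"""Audit an ASA running-config excerpt for the SSH/ACL/NTP hardening points
discussed in the thread. Added example, not code from the thread or from Cisco;
the sample configs are constructed, not captured from a real device."""
import re
from typing import List

MAX_SSH_TIMEOUT_MINUTES = 10  # the value used in the post; adjust to local policy

# Constructed sample that follows the post's steps.
HARDENED_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list OUTSIDE_IN extended deny ip any any log
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 172.22.15.165 255.255.255.255 outside
ssh timeout 10
ssh version 2
ntp server 192.0.2.10 source outside
"""

# Constructed sample of a weak, freshly converted state.
WEAK_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
"""

SSH_SOURCE_RE = re.compile(r"^ssh (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
ACCESS_GROUP_RE = re.compile(r"^access-group \S+ in interface (\S+)$")
SSH_TIMEOUT_RE = re.compile(r"^ssh timeout (\d+)$")


def audit_asa_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings: List[str] = []

    # 1. Every named interface should have an inbound ACL bound with access-group.
    nameifs = [ln.split()[1] for ln in lines if ln.lstrip().startswith("nameif ")]
    bound = {m.group(1) for ln in lines if (m := ACCESS_GROUP_RE.match(ln))}
    for ifname in nameifs:
        if ifname not in bound:
            findings.append(f"interface '{ifname}' has no inbound access-group")

    # 2. SSH must be limited to explicit management sources, never 0.0.0.0/0.
    ssh_sources = [m for ln in lines if (m := SSH_SOURCE_RE.match(ln))]
    if not ssh_sources:
        findings.append("no 'ssh <addr> <mask> <ifname>' lines: SSH sources are not restricted")
    for m in ssh_sources:
        if m.group(2) == "0.0.0.0":
            findings.append(f"SSH permitted from any address on '{m.group(3)}'")

    # 3. Only SSH version 2 should be accepted.
    if "ssh version 2" not in lines:
        findings.append("'ssh version 2' not set")

    # 4. The idle timeout should be set explicitly and kept short.
    timeout = None
    for ln in lines:
        if (m := SSH_TIMEOUT_RE.match(ln)):
            timeout = int(m.group(1))
    if timeout is None:
        findings.append("'ssh timeout' not set explicitly")
    elif timeout > MAX_SSH_TIMEOUT_MINUTES:
        findings.append(f"ssh timeout {timeout} exceeds {MAX_SSH_TIMEOUT_MINUTES} minutes")

    # 5. The post's "don't forget NTP": log timestamps are useless without it.
    if not any(ln.startswith("ntp server ") for ln in lines):
        findings.append("no 'ntp server' configured")

    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{name}: {audit_asa_config(cfg) or ['OK']}")
```

Run it against the output of `show running-config` saved to a file; the weak sample produces five findings, the hardened one none. The checks are deliberately line-oriented because ASA prints one statement per line, so a converted config that "looks right" in ASDM still audits the same way.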