Security Basics mailing list archives

RE: Converting Checkpoint to ASA


From: "Lee Hilt" <lhilt () mbc edu>
Date: Sat, 2 Feb 2008 07:43:20 -0500

 
I would think that once you convert the rulesets, you would apply them to
the proper interfaces

(I.E. firewall(config)# access-group <name> in interface inside
      firewall(config)# access-group <name> in interface outside)

Then I would generate your rsa key for ssh:

firewall(config)# crypto key generate rsa modulus <modulus_size>

The modulus_size can be 512, 768, 1024, or 2048.

The higher the modulus (in other words, the bit-length of the key), the longer it
takes to generate the key. I use 1024.

Then ensure you use SSHv2 only, which would be

firewall(config)# ssh version 2

Then restrict admin access via SSH to a certain IP address or range:
firewall(config)# ssh 192.168.1.0 255.255.255.0 inside (range)
firewall(config)# ssh 172.22.15.165 255.255.255.255 outside (single host)


Then configure a timeout for the SSH sessions (default is 30, which is way
too high):

firewall(config)# ssh timeout <minutes> (I use 10)



This is all assuming you have the IP addresses for the ASA's
interfaces/subinterfaces already configured. You will have either 1, 2, or 4
(I think) Gigabit interfaces depending on your model. A 5520 has 4. They all
can be broken into sub-interfaces (I.E. Gigabit 0/1.1) for your use, so you
could have DMZ1, DMZ2, Outside, and Inside interfaces.

You may then, depending on your setup and whether you will have the firewall
on your corpnet's IP scheme or in a separate RFC 1918 space, need to set up
internal routing for that IP address scheme through either static routes or
OSPF.

Don't forget NTP! (I did for a day after we upgraded.... whoops)

I hope that was the kind of stuff you were looking for with your question!


Lee Hilt
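To check that a converted ASA config actually ends up with the hardening steps listed above (ACL bound to every named interface, SSHv2 only, SSH sources restricted, a short SSH timeout, NTP set), here is an added audit script that is not part of the thread. It parses a constructed running-config fragment; the interface names, ACL names and addresses in it are invented for illustration.

```python
import re

# Constructed sample running-config (not from the thread): SSHv2 is on, but the
# DMZ1 sub-interface has no ACL, outside SSH is open to any host, the timeout is
# still 30 minutes and NTP was forgotten.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif inside
interface GigabitEthernet0/1.1
 nameif DMZ1
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
ssh version 2
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def audit_asa_config(config, max_timeout=10):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]
    # 1. Every named interface (nameif) should have an ACL applied inbound.
    bound = {m.group(1) for l in lines
             if (m := re.fullmatch(r"access-group \S+ in interface (\S+)", l))}
    for l in lines:
        if (m := re.fullmatch(r"nameif (\S+)", l)) and m.group(1) not in bound:
            findings.append(f"interface {m.group(1)} has no inbound access-group")
    # 2. Pin the daemon to SSHv2; v1 is obsolete.
    if "ssh version 2" not in lines:
        findings.append("ssh not restricted to version 2")
    # 3. Admin access only from explicit sources; 0.0.0.0 0.0.0.0 defeats that.
    for l in lines:
        if (m := re.fullmatch(rf"ssh ({IP}) ({IP}) (\S+)", l)) and \
                m.group(1) == m.group(2) == "0.0.0.0":
            findings.append(f"ssh open to any host on interface {m.group(3)}")
    # 4. Short idle timeout; the last 'ssh timeout' statement in the config wins.
    timeouts = [int(m.group(1)) for l in lines
                if (m := re.fullmatch(r"ssh timeout (\d+)", l))]
    if not timeouts or timeouts[-1] > max_timeout:
        findings.append(f"ssh timeout missing or above {max_timeout} minutes")
    # 5. Without NTP, log timestamps and key/certificate validity drift.
    if not any(l.startswith("ntp server ") for l in lines):
        findings.append("no ntp server configured")
    return findings
```

Run it against the output of `show running-config` to get a list of the steps still missing; an empty list means all five checks passed.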


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of infolookup () gmail com
Sent: 2008-01-31 10:09
To: Cassell, Damon Z.; listbounce () securityfocus com;
security-basics () securityfocus com
Subject: Re: Converting Checkpoint to ASA

Now once you convert, what's the next step to turn your Checkpoint NG into an
ASA?
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: "Cassell, Damon Z." <dcassell () mitre org>

Date: Thu, 31 Jan 2008 15:03:39
To:<security-basics () securityfocus com>
Subject: RE: Converting Checkpoint to ASA


The "Cisco Security Conversion Tool" will convert Check Point
databases to an ASA, PIX or FWSM config. The resulting config will need
some manual cleanup. The tool was once on the Cisco site, but you may
have to open a TAC case or talk to your sales rep to find it.

Damon Cassell
MITRE


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Dave Hunt
Sent: Thursday, January 31, 2008 12:20 PM
To: Brandon Louder
Cc: infolookup () gmail com; listbounce () securityfocus com;
security-basics () securityfocus com
Subject: Re: Converting Checkpoint to ASA

I have never used it but Cisco is supposed to have a tool that will do
the conversion.

-Dave

On 1/31/08, Brandon Louder <Brandon.Louder () mckennan org> wrote:
I am very interested in hearing comments on this also as I am going
through the same issue. What version of Checkpoint are you currently
using?

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
On Behalf Of infolookup () gmail com
Sent: Thursday, January 31, 2008 6:25 AM
To: listbounce () securityfocus com; security-basics () securityfocus com
Subject: Converting Checkpoint to ASA

Hello All,

I would like to know if anyone has done this before. Is it possible,
by just getting the right IOS, to convert my old Checkpoint to an ASA
firewall?

We recently got two new ASAs at work and want to convert the old
Checkpoint and use it in our test environment.

Thanks in advance.
Sent via BlackBerry from T-Mobile

