Moving from Cisco ASA
-
Hey everyone -
I am currently in the process of replacing our Cisco ASA 5512-X firewalls with pfSense.
-
So far it has worked well for our branch office, and now I have come to the core firewalls in our hosting center (a lot more rules and stuff).
(These are undocumented (of course :-)) so I'm going forward quite slowly, and test whenever I have a maintenance window.
Pretty basic question I suppose, BUT nevertheless here it is:
I would like to do the attached ASA rule in pfSense. Is this correct? Do I need "both ways" under firewall rules as in my other picture, or do it in a mapping under e.g. NAT > Outbound > Outbound Map?
Maybe someone can help explain it to me? … if it makes sense.
How would you do this rule in pfSense?
Thanks a lot :-)
And great forum, BTW.
Christian
-
-
That's maybe a NONAT rule for an IPsec tunnel? Are those the local subnet and the remote subnet?
If so, you don't need that on pfSense. Your traffic traverses the tunnel, not the WAN itself, so it doesn't hit the standard NAT rules.
PIX/ASA stuff is much more readable (at least in my opinion) if you dump the config to a text file. -
Hi Dotdash
Thanks for your reply. Yes, it's actually the remote LAN from two different IPsec tunnels to/on Azure.
And thanks for clearing it up. Now
I will have a look at the config for the rest of the rules, because the NAT rules / (not access rules in ASA ASDM, I figured them out (proud smiley))
Question: so if I want e.g. my LAN to access the subnet on my IPsec rules, I should just create a rule from LAN to IPsec and another on the IPsec to LAN, right?
I will make a dump of the config because the ASDM is getting on my nerves :o :o
Thanks Again
-
The standard LAN rules allow the traffic, so unless you have locked down outgoing traffic from the LAN, you don't need to add anything.
You will need to add a rule allowing the incoming traffic on the IPsec tab. You can add an any/any for the equivalent of the old Cisco sysopt connection permit-ipsec directive. (Maybe that was only on PIX and early ASAs) -
OK, so do I understand this correctly?
Take my LAN rules for example:
(attached) - the first rule is sufficient? I don't need to have LAN to Azure nets, e.g. (the remote LANs stated earlier); this would be taken care of by the standard LAN rules, correct?
because I allow from LANMan to everything in the top rule
Thanks again.
This would be the last question… I hope :-)

 - the first rule is sufficient? I don't need to have LAN to Azure nets, e.g. (the remote LANs stated earlier); this would be taken care of by the standard LAN rules, correct?
-
The first rule already allows all to all, so the last three rules will never be matched by traffic. pfSense rules are first match wins, and rules after the first matching rule are ignored.
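As an added illustration of the first-match-wins point above (example code written for this page, not from the thread or from pfSense itself): a small checker that flags rules fully covered by a single earlier rule, so a later allow or block that can never be reached shows up before a maintenance window rather than during one. The LAN and Azure subnets in the sample ruleset are assumed, not taken from the thread.

```python
import ipaddress

ANY = "any"

def _net(spec):
    # "any" has no network object; everything else is parsed as a CIDR or host
    return None if spec == ANY else ipaddress.ip_network(spec, strict=False)

def covers(outer, inner):
    """True if address spec `outer` includes every address in `inner`."""
    o, i = _net(outer), _net(inner)
    if o is None:            # "any" covers everything
        return True
    if i is None:            # a specific net never covers "any"
        return False
    return o.version == i.version and i.subnet_of(o)

def proto_covers(outer, inner):
    return outer == ANY or outer == inner

def shadowed_rules(rules):
    """Indexes of rules that can never match because some single earlier rule
    already covers their source, destination and protocol. pfSense interface
    rules are evaluated top-down, first match wins. Shadowing by the union of
    several earlier rules is not detected by this simple check."""
    out = []
    for n, rule in enumerate(rules):
        for earlier in rules[:n]:
            if (covers(earlier["src"], rule["src"])
                    and covers(earlier["dst"], rule["dst"])
                    and proto_covers(earlier["proto"], rule["proto"])):
                out.append(n)
                break
    return out

# Constructed sample ruleset; LAN 192.168.10.0/24 and the two Azure nets are assumed.
LAN_RULES = [
    {"action": "pass",  "proto": ANY,   "src": "192.168.10.0/24", "dst": ANY,            "descr": "Default allow LAN to any"},
    {"action": "pass",  "proto": ANY,   "src": "192.168.10.0/24", "dst": "10.20.0.0/16", "descr": "LAN to Azure net 1"},
    {"action": "pass",  "proto": ANY,   "src": "192.168.10.0/24", "dst": "10.30.0.0/16", "descr": "LAN to Azure net 2"},
    {"action": "block", "proto": "tcp", "src": "192.168.10.0/24", "dst": "10.30.0.5/32", "descr": "Block LAN to one host"},
]

if __name__ == "__main__":
    for n in shadowed_rules(LAN_RULES):
        r = LAN_RULES[n]
        print(f"rule {n} ({r['descr']}) is never reached; its '{r['action']}' has no effect")
```

The fourth sample rule shows why this matters beyond tidiness: a block placed below an allow-all is silently ineffective, which is the case to check for when converting an ASA ruleset by hand.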
-
Glad to get it sorted out!
Thanks for your help, dotdash.