GoSecure / Cisco2Checkpoint

Tool that assists in migrating firewall rules from Cisco to Checkpoint. Will optimize rules for you (rationalization, reuse merging, etc.).
http://gosecure.net/2017/01/30/cisco2checkpoint-cisco-checkpoint-conversion-tool/
GNU General Public License v3.0

cisco asa: network mask issue #9

Open mjardeli opened 7 years ago

mjardeli commented 7 years ago

Hi Martin,

Sorry to send so many things over to you. When a new network is created while loading an ACL, it seems the netmask is being incorrectly interpreted. Try to process the following config line: access-list FromInside extended deny ip 1.5.0.8 255.255.255.248 any4

result: CiscoNet(name=N_1.5.0.8-3,ipAddr=1.5.0.8/0.0.0.7,desc=,alias=) ACLRule(name=FromInside,src=N_1.5.0.8-3,dst=any,port=any,action=deny,pol=My_Policy,inst=My_Firewall,disabled=False,desc=) Desc: Src: CiscoNet(name=N_1.5.0.8-3,ipAddr=1.5.0.8/0.0.0.7,desc=,alias=) Dst: CiscoAnyHost(name=any,ipAddr=None,desc=,alias=) Port: CiscoAnyPort(name=any,port=0,desc=,alias=) Verify: <ASAAclLine # 0 'access-list FromInside extended deny ip 1.5.0.8 255.255.255.248 any4'>

kind regards,

martindube commented 7 years ago

That is possible. I think it was caused by a policy in the past which had hostmasks instead of netmasks. I know that cisco supports both but I don't know in which context.

Can you test by changing the hostmask2netmask function in lib/cisco2checkpoint.py (line 262) to:

    def hostmask2netmask(self,hostmask):
        return hostmask

If it works, I will need to understand when hostmasks and netmasks are used before fixing the code.


-- Mart

mjardeli commented 7 years ago

Worked! I replaced:

    def hostmask2netmask(self,hostmask):
        mask_bytes = hostmask.split('.',3)
        mask_bytes = [str(int(b) ^ 255) for b in mask_bytes]
        return '.'.join(mask_bytes)

with:

    def hostmask2netmask(self,hostmask):
        return hostmask

now result is normal: CiscoNet(name=N_1.5.0.8-29,ipAddr=1.5.0.8/255.255.255.248,desc=,alias=) ACLRule(name=FromInside,src=N_1.5.0.8-29,dst=any,port=any,action=deny,pol=My_Policy,inst=My_Firewall,disabled=False,desc=) Desc: Src: CiscoNet(name=N_1.5.0.8-29,ipAddr=1.5.0.8/255.255.255.248,desc=,alias=) Dst: CiscoAnyHost(name=any,ipAddr=None,desc=,alias=) Port: CiscoAnyPort(name=any,port=0,desc=,alias=) Verify: <ASAAclLine # 0 'access-list FromInside extended deny ip 1.5.0.8 255.255.255.248 any4'>

cheers,

mjardeli commented 7 years ago

I tried to find out when to use a wildcard or a netmask. All references to wildcards are old, some of them more than 10 years. Maybe this was the old way to configure; I need to research more.

My suggestion is to create another modifier so the user can change it on the command line at start.
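The two open points in this thread are when Cisco uses a hostmask (wildcard) versus a netmask, and whether the choice should be a command-line switch. ASA access-list lines carry a subnet mask (255.255.255.248 above), while IOS-style extended ACLs carry a wildcard mask (0.0.0.7 for the same /29); the reported bug is that the converter XOR-ed the ASA mask as if it were a wildcard, which yields 0.0.0.7 and the 3-bit prefix seen in the N_1.5.0.8-3 object name. The following is an added example, not code from Cisco2Checkpoint: it classifies a mask by bit contiguity, supports an explicit netmask/wildcard mode as well as auto-detection, refuses the two masks (0.0.0.0 and 255.255.255.255) that are valid in both conventions with opposite meanings, and reproduces the bad result for comparison. The line format it accepts, the function names and the constructed sample lines are my assumptions.

```python
"""Tell Cisco subnet masks from wildcard (host) masks before turning an ACL
endpoint into a CIDR network.  Added example; assumed simplified ASA
extended-ACL line shape and my own function names."""
import ipaddress
import re

# Simplified shape of the ASA lines in this issue (assumption):
#   access-list NAME extended ACTION PROTO SRC DST
# where SRC/DST is "any", "any4", "host A.B.C.D" or "A.B.C.D MASK".
ASA_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.+)$"
)

def _popcount(m: int) -> int:
    return bin(m).count("1")

def is_netmask(m: int) -> bool:
    """Contiguous 1s from the top bit (subnet mask): ~m must be 2**k - 1."""
    inv = ~m & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0

def is_wildcard(m: int) -> bool:
    """Contiguous 1s from the bottom bit (IOS wildcard / hostmask)."""
    return (m & (m + 1)) == 0

def classify_mask(mask: str) -> str:
    """'netmask', 'wildcard', 'ambiguous' or 'non-contiguous'.
    0.0.0.0 and 255.255.255.255 are valid in both conventions with opposite
    meanings (any vs. single host), so the bit pattern alone cannot decide."""
    m = int(ipaddress.IPv4Address(mask))
    if m in (0, 0xFFFFFFFF):
        return "ambiguous"
    if is_netmask(m):
        return "netmask"
    if is_wildcard(m):
        return "wildcard"
    return "non-contiguous"  # e.g. 0.0.255.0: legal IOS wildcard, no CIDR form

def mask_to_prefixlen(mask: str, mode: str = "auto") -> int:
    """mode='netmask' for ASA syntax, 'wildcard' for IOS ACL syntax, 'auto'
    to decide from the bit pattern (the command-line switch idea)."""
    kind = classify_mask(mask)
    if mode == "auto":
        if kind in ("ambiguous", "non-contiguous"):
            raise ValueError(f"{mask} is {kind}; pass mode explicitly")
        mode = kind
    m = int(ipaddress.IPv4Address(mask))
    if mode == "netmask":
        if not is_netmask(m):
            raise ValueError(f"{mask} is not a contiguous subnet mask")
        return _popcount(m)
    if mode == "wildcard":
        if not is_wildcard(m):
            raise ValueError(f"{mask} is a non-contiguous wildcard; no prefix length")
        return 32 - _popcount(m)
    raise ValueError(f"unknown mode {mode!r}")

def buggy_prefixlen(netmask: str) -> int:
    """My reconstruction of the reported behaviour: the original
    hostmask2netmask XORs every byte with 255 as if the input were a hostmask,
    so 255.255.255.248 becomes 0.0.0.7, whose 3 set bits match 'N_1.5.0.8-3'."""
    inverted = ".".join(str(int(b) ^ 255) for b in netmask.split(".", 3))
    return _popcount(int(ipaddress.IPv4Address(inverted)))

def parse_endpoint(tokens: list, mode: str):
    """Consume one src/dst; return (ip_network or 'any', remaining tokens)."""
    if tokens[0] in ("any", "any4"):
        return "any", tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    plen = mask_to_prefixlen(mask, mode)
    # strict=True: a base address with host bits set (1.5.0.9/29) is an error,
    # not silently widened to the containing block.
    return ipaddress.ip_network(f"{addr}/{plen}", strict=True), tokens[2:]

def parse_asa_acl(line: str, mode: str = "netmask") -> dict:
    m = ASA_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ACL line: {line!r}")
    tokens = m["rest"].split()
    src, tokens = parse_endpoint(tokens, mode)
    dst, tokens = parse_endpoint(tokens, mode)
    return {"name": m["name"], "action": m["action"], "proto": m["proto"],
            "src": src, "dst": dst}

if __name__ == "__main__":
    # Constructed input: the line from the report, plus the IOS-style mask.
    asa = "access-list FromInside extended deny ip 1.5.0.8 255.255.255.248 any4"
    print(parse_asa_acl(asa))                        # src becomes 1.5.0.8/29
    print(buggy_prefixlen("255.255.255.248"))        # 3, the bad '-3' suffix
    print(mask_to_prefixlen("0.0.0.7", "wildcard"))  # 29 as well
```

Auto-detection is convenient for mixed exports but cannot be trusted for 0.0.0.0 and 255.255.255.255, so a converter that takes a mode flag should default it per platform (netmask for ASA, wildcard for IOS ACLs) and only fall back to guessing when the source is unknown.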