Netscreen to ASA - Quick Look

May 29th, 2008

Hey guys, I have attached a brief config from a NetScreen. This needs to be adapted to a new Cisco ASA. Wondering if one of you experts can take a quick look & provide guidance on any config converter tools and/or know if this can be simply translated. Thanks in advance for all responses!

- Matt

Collin Clark Fri, 05/30/2008 - 05:45

Looks pretty straightforward. I don't know of any tools (maybe I should write one) that convert the config.

MIPS are equivalent to statics in an ASA.


set interface "ethernet4" mip xxx.x.23.52 host netmask vr "trust-vr"

Cisco ASA

static (inside,outside) xxx.x.23.52 netmask

The ACLs


set policy id 73 from "Untrust" to "Trust" "Any" "MIP(xxx.x.23.35)" "WebServer Service Grp" permit log count

Cisco ASA

access-list outside_in extended permit tcp any host xxx.x.23.35 object-group WebServer_Service_Grp

Grouping ports & protocols


set group service "WebServer Service Grp"
set group service "WebServer Service Grp" add "HTTP"
set group service "WebServer Service Grp" add "HTTPS"
set group service "WebServer Service Grp" add "PING"

Cisco ASA

object-group service WebServer_Service_Grp tcp
 port-object eq www
 port-object eq https

Note that with object groups, you can only have TCP or UDP in a group. I'm pretty sure you can nest groups though.

Hope that helps
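
The translation described in the reply above, as an added Python example (not code from the thread or from either vendor): it converts the quoted `set group service` and `set policy` lines into the ASA form shown, and reports group members such as PING that cannot go into a TCP port group instead of dropping them silently. The function names, the `TCP_SERVICES` map, and carrying the ScreenOS `log` option over as the ASA `log` keyword are assumptions of this example; `count` is not translated.

```python
import re
import shlex

# ScreenOS predefined service -> ASA TCP port keyword (only names used in the thread).
TCP_SERVICES = {"HTTP": "www", "HTTPS": "https"}

def asa_name(name):
    """ASA object names cannot contain spaces; use underscores as the thread does."""
    return re.sub(r"\s+", "_", name.strip())

def convert(screenos_lines, acl="outside_in"):
    """Translate 'set group service' and 'set policy' lines; return (asa_lines, warnings)."""
    groups, policies, warnings = {}, [], []
    for raw in screenos_lines:
        tok = shlex.split(raw)  # honours the double-quoted ScreenOS names
        if tok[:3] == ["set", "group", "service"] and len(tok) >= 4:
            members = groups.setdefault(tok[3], [])
            if tok[4:5] == ["add"] and len(tok) == 6:
                members.append(tok[5])
        elif tok[:3] == ["set", "policy", "id"] and len(tok) >= 12:
            # set policy id N from ZONE to ZONE SRC DST SERVICE ACTION [log] [count]
            policies.append((tok[3], tok[8], tok[9], tok[10], tok[11], tok[12:]))
        elif tok:
            warnings.append(f"not translated: {raw.strip()}")
    out = []
    for name, members in groups.items():
        out.append(f"object-group service {asa_name(name)} tcp")
        for m in members:
            if m in TCP_SERVICES:
                out.append(f" port-object eq {TCP_SERVICES[m]}")
            else:  # e.g. PING is ICMP and cannot live in a tcp port group
                warnings.append(f"group '{name}': '{m}' is not a TCP port, needs its own rule")
    for pid, src, dst, svc, action, opts in policies:
        mip = re.fullmatch(r"MIP\((.+)\)", dst)
        if src.lower() != "any" or not mip or svc not in groups or action not in ("permit", "deny"):
            warnings.append(f"policy {pid}: review by hand")
            continue
        ace = f"access-list {acl} extended {action} tcp any host {mip.group(1)} object-group {asa_name(svc)}"
        out.append(ace + (" log" if "log" in opts else ""))
    return out, warnings

# Constructed sample: the ScreenOS lines quoted in the thread above.
SAMPLE = [
    'set group service "WebServer Service Grp"',
    'set group service "WebServer Service Grp" add "HTTP"',
    'set group service "WebServer Service Grp" add "HTTPS"',
    'set group service "WebServer Service Grp" add "PING"',
    'set policy id 73 from "Untrust" to "Trust" "Any" "MIP(xxx.x.23.35)" "WebServer Service Grp" permit log count',
]
```

Calling `convert(SAMPLE)` returns the ASA lines plus one warning for PING, which is the rule to add by hand before cutover.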

