Netscreen to ASA - Quick Look

May 29th, 2008

Hey guys, I have attached a brief config from a NetScreen. This needs to be adapted to a new Cisco ASA. Wondering if one of you experts can take a quick look & provide guidance on any config converter tools and/or know if this can be simply translated. Thanks in advance for all responses!


- Matt



Collin Clark Fri, 05/30/2008 - 05:45

Looks pretty straightforward. I don't know of any tools (maybe I should write one) that convert the config.


MIPS are equivalent to statics in an ASA.


Netscreen

set interface "ethernet4" mip xxx.x.23.52 host 192.68.123.27 netmask 255.255.255.255 vr "trust-vr"


Cisco ASA

static (inside,outside) xxx.x.23.52 192.68.123.27 netmask 255.255.255.255


The ACLs


Netscreen

set policy id 73 from "Untrust" to "Trust" "Any" "MIP(xxx.x.23.35)" "WebServer Service Grp" permit log count


Cisco ASA

access-list outside_in extended permit tcp any host xxx.x.23.35 object-group WebServer_Service_Grp


Grouping ports & protocols


Netscreen

set group service "WebServer Service Grp"

set group service "WebServer Service Grp" add "HTTP"

set group service "WebServer Service Grp" add "HTTPS"

set group service "WebServer Service Grp" add "PING"


Cisco ASA

object-group service WebServer_Service_Grp tcp

port-object eq www

port-object eq https


Note that with object groups, you can only have TCP or UDP in a group. I'm pretty sure you can nest groups though.


Hope that helps
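The three mappings in the reply above (MIP to static, service group to object-group, policy to access-list), applied mechanically to the quoted ScreenOS lines. This is an added example, not part of the original posts and not a Cisco or Juniper tool. The `inside`/`outside` interface names and the `outside_in` ACL name follow the reply; the HTTP/HTTPS port map and the `convert` and `asa_name` helpers are assumptions made for illustration.

```python
import re
import shlex

# Assumption: ScreenOS predefined service name -> ASA TCP port keyword.
TCP_PORTS = {"HTTP": "www", "HTTPS": "https"}

def asa_name(name):
    # Object-group names take no spaces; underscores as in the post above.
    return name.replace(" ", "_")

def convert(lines, inside="inside", outside="outside", acl="outside_in"):
    """Translate MIP, service-group and policy lines; return (asa, notes)."""
    groups, statics, policies, acls, notes = {}, [], [], [], []
    for raw in lines:
        tok = shlex.split(raw)  # keeps "quoted names" as single tokens
        if tok[:2] == ["set", "interface"] and len(tok) >= 9 and tok[3] == "mip":
            statics.append(f"static ({inside},{outside}) {tok[4]} {tok[6]} netmask {tok[8]}")
        elif tok[:3] == ["set", "group", "service"] and len(tok) >= 4:
            ports = groups.setdefault(tok[3], [])
            if len(tok) == 6 and tok[4] == "add":
                if tok[5] in TCP_PORTS:
                    ports.append(TCP_PORTS[tok[5]])
                else:  # e.g. PING is ICMP and cannot sit in a tcp group
                    notes.append(f"group {tok[3]!r}: {tok[5]} not TCP, translate by hand")
        elif tok[:3] == ["set", "policy", "id"] and len(tok) >= 12:
            policies.append(tok)
    for tok in policies:  # resolved last so group order in the file is irrelevant
        pid, src, dst, svc, action = tok[3], tok[8], tok[9], tok[10], tok[11]
        mip = re.fullmatch(r"MIP\((.+)\)", dst)
        if src != "Any" or not mip or svc not in groups or action not in ("permit", "deny"):
            notes.append(f"policy {pid}: outside the cases in the thread, translate by hand")
            continue
        acls.append(f"access-list {acl} extended {action} tcp any host "
                    f"{mip.group(1)} object-group {asa_name(svc)}")
        if "log" in tok[12:]:
            notes.append(f"policy {pid}: logging flag not carried over")
    asa = []
    for name, ports in groups.items():
        asa.append(f"object-group service {asa_name(name)} tcp")
        asa += [f" port-object eq {p}" for p in ports]
    return asa + statics + acls, notes

# Sample input: the ScreenOS lines quoted in the thread (addresses as redacted there).
SAMPLE = '''set interface "ethernet4" mip xxx.x.23.52 host 192.68.123.27 netmask 255.255.255.255 vr "trust-vr"
set group service "WebServer Service Grp"
set group service "WebServer Service Grp" add "HTTP"
set group service "WebServer Service Grp" add "HTTPS"
set group service "WebServer Service Grp" add "PING"
set policy id 73 from "Untrust" to "Trust" "Any" "MIP(xxx.x.23.35)" "WebServer Service Grp" permit log count'''

if __name__ == "__main__":
    config, review = convert(SAMPLE.splitlines())
    print("\n".join(config + ["! review: " + n for n in review]))
```

The review notes are the part to read before loading anything: every service or policy the script could not map is listed there rather than silently dropped from the rule set.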
