Netscreen to ASA - Quick Look

matthew.scala · ‎05-29-2008

Hey guys, I have attached a brief config from a NetScreen. This needs to be adapted to a new Cisco ASA. Wondering if one of you experts can take a quick look & provide guidance on any config converter tools and/or know if this can be simply translated. Thanks in advance for all responses!

- Matt

Collin Clark · ‎05-30-2008

Looks pretty straight forward. I don't know of any tools (maybe I should write one) that converts the config.

MIPS are equivalent to statics in an ASA.

Netscreen

set interface "ethernet4" mip xxx.x.23.52 host 192.68.123.27 netmask 255.255.255.255 vr "trust-vr"

Cisco ASA

static (inside,outside) xxx.x.23.52 192.68.123.27 netmask 255.255.255.255

The ACLs

Netscreen

set policy id 73 from "Untrust" to "Trust" "Any" "MIP(xxx.x.23.35)" "WebServer Service Grp" permit log count

Cisco ASA

access-list outside_in extended permit tcp any host xxx.x.23.35 object-group WebServer_ Service_Grp

Grouping ports & protocols

Netscreen

set group service "WebServer Service Grp"

set group service "WebServer Service Grp" add "HTTP"

set group service "WebServer Service Grp" add "HTTPS"

set group service "WebServer Service Grp" add "PING"

Cisco ASA

object-group service WebServer_Service_Grp tcp

port-object eq www

port-object eq https

Note that with object groups, you can only have TCP or UDP in a group. I'm pretty sure you can nest groups though.

Hope that helps