install transparent asa into existing network with public ip's

Carlomd
Level 1

Hi all, I'm trying to find the best approach on getting my ASA to replace our Juniper. We have public IPs from our ISP, and it's set to NAT the gateway and MIP the inside IPs to outside public IPs.

I tried hooking up the ASA into the leased router and added my inside rules to be accessed from outside, but I'm not able to get to the web or ping. I read that NAT is not needed on the ASA in transparent mode, though it's possible, but in my setup with our ISP I may need to use NAT, or could I get away without it? What would be my best option to get this set up? Any samples or links would be great.

Thanks,

Carlo

Accepted Solution

Hello,

The route is used for:

  • AAA traffic
  • Syslog
  • Management access
  • If the ASA needs to send a packet to a destination that is not on its same network, it will need to send an ICMP packet in order to get the MAC address table populated (with the default-gateway MAC address)

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
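As an added illustration of the accepted answer (this is example configuration written for this page, not the thread's or Cisco's own config): an ASA 9.1 in transparent mode with one bridge group spanning inside and outside, a management address on the BVI, the default route that the ASA itself uses for management, syslog, AAA and ARP toward the gateway, and a 1:1 static NAT for a single inside server, which is the closest ASA equivalent of a Juniper MIP. All addresses are constructed documentation-range placeholders, and the object name `web-server` is hypothetical.

```cisco
! Added example: ASA 9.1, transparent mode, single bridge group.
! Addresses (203.0.113.0/24) are constructed placeholders, not from the thread.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 bridge-group 1
!
interface Ethernet0/1
 nameif inside
 security-level 100
 bridge-group 1
!
! The BVI address is only for traffic the ASA itself originates.
! It is NOT a default gateway for inside hosts: inside hosts keep using
! the ISP router on the same subnet, and the ASA stays a bump in the wire.
interface BVI1
 ip address 203.0.113.11 255.255.255.0
!
! Route for ASA-originated traffic (management, syslog, AAA) and for
! learning the gateway MAC when a destination is off the bridged subnet.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Static 1:1 NAT for one published inside server (hypothetical object name).
! Real address 203.0.113.50 is presented on the outside as 203.0.113.80;
! the ASA proxy-ARPs for the mapped address on the outside segment.
object network web-server
 host 203.0.113.50
 nat (inside,outside) static 203.0.113.80
!
! Permit only the published service inbound. On 8.3+ code the ACL is
! written against the real (untranslated) address, hence the object reference.
access-list outside_in extended permit tcp any object web-server eq 443
access-group outside_in in interface outside
```

Two checks worth running after applying this: `show arp` on the ASA should list the gateway 203.0.113.1 once the route is in place, and `show nat detail` should show hit counts on the static translation when an outside client connects to 203.0.113.80. If the translation shows no hits while the ACL is correct, the upstream router is usually not ARPing the mapped address through the ASA's outside interface.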


35 Replies

jumora
Level 7

What version are you using on the ASA?

Do you know how transparent firewall works?

What is the function that the juniper takes in your network?

FYI: It would be best to address this with a design team

Value our effort and rate the assistance!

What version are you using on the ASA?

   It's got ASA 9.1

Do you know how transparent firewall works?

Yes, but I'm pretty novice at networking since I take on a few things besides networking at my work. I set it up about 5 yrs ago and am kinda out of practice now. The difference with this and the Juniper: the Juniper's trust and untrust interfaces have different IPs, the untrust has our public IP and trust has internal and NAT'd, whereas the ASA has one IP for the inside and outside, but the same bump in the wire, right?

What is the function that the juniper takes in your network?

  The Juniper NS25 is in transparent mode (interestingly, I looked at the Juniper's trust and untrust and it shows it's layer 3, whereas from what I read about the ASA in transparent mode it is layer 2).

  I found this article here that could be similar to my scenario and I need to read up on it. I think NAT needs to be set up similar to the Juniper over on the ASA to map the outside public IP to the internal IP of our gateway. There was a converter I found here but it wouldn't take my Juniper config; worst comes to worst I'll open a TAC ticket to see if they can convert the Juniper to ASA. I'm just avoiding having to redo my internal IPs -

https://supportforums.cisco.com/docs/DOC-31116

FYI: TAC does not have a tool to convert from Juniper firewall to Cisco ASA.

Value our effort and rate the assistance!

Thanks for the link and TAC info, I'm reading up on the transparent NAT setup.

Hi, so I read the docs, now my question: on our old firewall the gateway we used was the one set on the NAT'd trust interface, and the public IP gateway of the router is untrust. So on the ASA I just create a static NAT for the public gateway NAT'd to an internal IP that can be used as the gateway -

nat (inside,outside) static mygateway, then we could still use the old gateway we always had, right?

Hello,

I am not sure about your last question, but let's give it a try.

Is the firewall going to run in transparent or routed mode?

If it's in transparent mode then you will need to assign an IP address to the ASA for management purposes, but the IP subnet between the inside users and the untrust gateway should be the same.

That being said, if you want the ASA to run in L3 mode (splitting the broadcast domain) then you just need to set a default route on the ASA pointing to the untrust gateway (outside modem) and on the inside PCs the ASA as the default gateway.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio, thanks for replying. The ASA 5510 is already set for transparent mode with the management interface set; I had it set up in a lab for testing, but when I tested on the actual connection from the ISP it wasn't allowing ping or web, so I may just need to add a route. I thought I read somewhere that transparent mode doesn't support routing; I'll give it a try, thanks.

Sure,

It does need a route for special purposes (management, syslog, AAA, to know where to forward packets when it does not have a valid MAC address entry).

So add it pointing to the outside gateway (remember the inside and outside interfaces must be on the same subnet).

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio, yes, the inside and outside are in a BVI group with an internal IP and the same subnet.

Julio, I think you're right on the route setting. It's been a while since I configured the Juniper; I looked at the Juniper route setting, and the outside IP routes to our internal network.

"That being said, if you want the ASA to run in L3 mode (splitting the broadcast domain) then you just need to set a default route on the ASA pointing to the untrust gateway (outside modem) and on the inside PCs the ASA as the default gateway."

You mentioned that the ASA will be our gateway. Our current firewall is also our gateway (trust/management port is 208.x.x.1), but on the ASA the only IP is the BVI 208.x.x.11. Right now on the ASA I'm using 208.x.x.1 as an object network host NAT'd with the ISP's router IP. Should I use 208.x.x.11 as the gateway? Maybe that's what I'm missing.

Hello,

If you read my post carefully it says in L3 mode..... but you are running it in transparent mode! So the ASA cannot be an L3 device or a DG. No way that can happen, buddy!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Gotcha man, so it sounds like we can't put the ASA in transparent mode as a direct replacement; I would have to go routed mode and redo all our internal IPs.