Cisco Support Community

Netscreen to ASA - Quick Look

Hey guys, I have attached a brief config from a NetScreen. This needs to be adapted to a new Cisco ASA. Wondering if one of you experts can take a quick look & provide guidance on any config converter tools and/or know if this can be simply translated. Thanks in advance for all responses!

- Matt

1 REPLY

Re: Netscreen to ASA - Quick Look

Looks pretty straightforward. I don't know of any tools (maybe I should write one) that convert the config.

MIPs are equivalent to statics in an ASA.

Netscreen

set interface "ethernet4" mip xxx.x.23.52 host 192.68.123.27 netmask 255.255.255.255 vr "trust-vr"

Cisco ASA

static (inside,outside) xxx.x.23.52 192.68.123.27 netmask 255.255.255.255

The ACLs

Netscreen

set policy id 73 from "Untrust" to "Trust" "Any" "MIP(xxx.x.23.35)" "WebServer Service Grp" permit log count

Cisco ASA

access-list outside_in extended permit tcp any host xxx.x.23.35 object-group WebServer_Service_Grp

Grouping ports & protocols

Netscreen

set group service "WebServer Service Grp"
set group service "WebServer Service Grp" add "HTTP"
set group service "WebServer Service Grp" add "HTTPS"
set group service "WebServer Service Grp" add "PING"

Cisco ASA

object-group service WebServer_Service_Grp tcp
 port-object eq www
 port-object eq https

Note that with object groups, you can only have TCP or UDP in a group. I'm pretty sure you can nest groups though.

Hope that helps

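The three mappings in the reply above (MIP to static, service group to object-group, policy to access-list), as an added example that is not part of the original thread or any Cisco or Juniper tool. The `TCP_PORTS` and `ACL_FOR_ZONES` tables and the fixed `(inside,outside)` pair are assumptions taken from the reply's examples, and the output uses the pre-8.3 `static` syntax the reply shows. Anything the mappings do not cover, including PING in a TCP group and the policy's `log count` options, is reported as a warning instead of being dropped silently.

```python
import re
import shlex
# Assumed mappings (not from the thread); adjust to the real deployment.
TCP_PORTS = {"HTTP": "www", "HTTPS": "https"}         # ScreenOS service -> ASA port keyword
ACL_FOR_ZONES = {("Untrust", "Trust"): "outside_in"}  # zone pair -> ASA ACL name

def convert(screenos_text):
    """Translate MIP, service-group and policy lines; return (asa_lines, warnings)."""
    out, acls, groups, warnings = [], [], {}, []
    for raw in screenos_text.splitlines():
        tok = shlex.split(raw)  # keeps quoted names such as "WebServer Service Grp" whole
        if tok[:2] == ["set", "interface"] and "mip" in tok:
            mip, host, mask = (tok[tok.index(k) + 1] for k in ("mip", "host", "netmask"))
            out.append(f"static (inside,outside) {mip} {host} netmask {mask}")
        elif tok[:3] == ["set", "group", "service"] and len(tok) > 3:
            ports = groups.setdefault(tok[3].replace(" ", "_"), [])  # no spaces in ASA names
            if len(tok) > 5 and tok[4] == "add":
                if tok[5] in TCP_PORTS:
                    ports.append(TCP_PORTS[tok[5]])
                else:  # e.g. PING is ICMP and cannot go in a tcp object-group
                    warnings.append(f"{tok[3]}: {tok[5]} is not TCP, translate by hand")
        elif tok[:3] == ["set", "policy", "id"] and len(tok) >= 12:
            pid, src_zone, dst_zone = tok[3], tok[5], tok[7]
            src, dst, svc, action = tok[8:12]
            mip = re.fullmatch(r"MIP\((.+)\)", dst)
            acl = ACL_FOR_ZONES.get((src_zone, dst_zone))
            if src != "Any" or not mip or not acl or action not in ("permit", "deny"):
                warnings.append(f"policy {pid}: not covered, translate by hand")
                continue
            acls.append(f"access-list {acl} extended {action} tcp any host "
                        f"{mip.group(1)} object-group {svc.replace(' ', '_')}")
            if tok[12:]:  # logging/counting options would otherwise vanish silently
                warnings.append(f"policy {pid}: dropped options {' '.join(tok[12:])}")
        elif tok:
            warnings.append(f"unhandled line: {raw.strip()}")
    for name, ports in groups.items():
        out.append(f"object-group service {name} tcp")
        out += [f" port-object eq {p}" for p in ports]
    return out + acls, warnings

# Constructed sample: the ScreenOS lines quoted in the reply.
SAMPLE = """\
set interface "ethernet4" mip xxx.x.23.52 host 192.68.123.27 netmask 255.255.255.255 vr "trust-vr"
set group service "WebServer Service Grp"
set group service "WebServer Service Grp" add "HTTP"
set group service "WebServer Service Grp" add "HTTPS"
set group service "WebServer Service Grp" add "PING"
set policy id 73 from "Untrust" to "Trust" "Any" "MIP(xxx.x.23.35)" "WebServer Service Grp" permit log count
"""
```

Review the warnings list before loading the output: every entry is a rule or option that still needs a manual decision on the ASA side.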