For everybody interested, I emailed my support team and they told me that
there is a tool called (i2j) that basically will convert extended access (
I dont know if any other type of config) list into firewall filters. Is
not perfect but is a good begining.
This tool is not open for the public.
I used it today, and it works really good.
thanks to everybody that replied to my email
Thanks
German
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* THE DILBERT FUTURE *
* Thriving on Stupidity in the 21st Century *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Internet capacity will increase indefinitely
to keep up with the egos of the people using it"
On Sat, 8 Dec 2001, Berislav Todorovic wrote:
> On Fri, 7 Dec 2001 nicolas.fevrier@free.fr wrote:
>
> >> I know Juniper guys have such a tool (called I-to-J or C-to-J, I'm not
> >> sure), but I'm pretty sure it's not something they won't give it, nor
> >> support it
>
> Configuration converters in general produce ugly and hard-to-read configs
> (like most of programming language converters and preprocessors). So,
> full conversion of IOS configuration is something I would never recommend
> as a good practice.
>
> The only place where automation makes sense are Cisco access lists. A
> script to convert access lists to firewall filters would be really neat
> to have. I managed to write it for standard Cisco acl's. Extended lists
> would require a bit more time (which I don't have), a bit more parsing
> (they have a lot of protocols, options etc.). Here's the script:
>
> #!/bin/sh
> # Convert standard acl's from IOS to JUNOS firewall policies:
> # Example:
> # access-list 1 permit 10.1.2.0 0.0.0.255
> # access-list 1 deny host 10.3.3.3
> # access-list 1 permit any
> #
>
> gawk 'BEGIN {
> term = oldterm = "";
> seq = 0;
> } { \
> if ($1!="access-list")
> next;
> if ($2 < 100) # Standard lists
> term=$3;
> else # Extended lists - not supported by this script
> next;
> if (term!=oldterm)
> seq+=5;
> if (term=="permit")
> action=" then accept";
> else
> action=" then reject";
> oldterm=term;
> term=term"-"seq
> if ($4=="any") {
> address="0.0.0.0";
> netmask="255.255.255.255";
> } else if ($4=="host") {
> address=$5;
> netmask="0.0.0.0";
> } else {
> address=$4;
> netmask=$5;
> }
> prefix = 32;
> split (netmask, byte, ".");
> for (i=1; i<=4; i++)
> prefix -= log(byte[i]+1)/log(2);
> print "set firewall filter list"$2" term "term" from address "address"/"prefix;
> print "set firewall filter list"$2" term "term action;
> }' $1
>
> Regards,
> Beri
>
> --------- Berislav Todorovic, Senior NOC Specialist --------
> ------- KPNQwest N.V. - IP NOC (formerly EUnet NOC) ------
> ---- Wilhelmina van Pruisenweg 78, 2595 AN Den Haag, NL ----
> --- Phone: +31-70-379-3990; Mobile: +31-651-333-641 ---
> -- Email: beri@kpnqwest.net <=> beri@EU.net --
> --- _ _ ____ _ .--. ____ ____ __/_ ---
> ----- /__/ /___/ /\ / / / | / /___/ /___ / ------
> ------ _/ \_ / _/ \/ (__.\ |/\/ /___ ____/ (__. -----
>
>
This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:38 EDT