[j-nsp] Converting ASA-5540 to SRX-650

Kevin Cullimore kcullimo at runbox.com
Fri Aug 5 14:09:26 EDT 2011


On 7/31/2011 4:42 PM, Paulhamus, Jon wrote:
> Thanks everyone - it looks like I'm on the same page.  Perhaps I was looking for a conversion tool or perhaps a bit of magic that is just not there (which is OK)  -
No built-in magic. You could have adapted one of the conversion tools 
available for other firewall platform switches, but automating the 
process generally turns out to be a harder problem than most firewall 
administrators/implementers/architects believe it to be.
>   I ended up using a combination of Excel and some find / replace to get the job done.  All in all - it was not too bad to make the switch.
>
> Thank you again for your input.
>
> _____________________________________
> From: Kevin Cullimore [kcullimo at runbox.com]
> Sent: Saturday, July 30, 2011 3:16 PM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] Converting ASA-5540 to SRX-650
>
> On 7/29/2011 2:37 AM, Ben Dale wrote:
>> Hi Jon,
>>
>> On 28/07/2011, at 1:15 PM, Paulhamus, Jon wrote:
>>
>>> Hello all -
>>>
>>> I am in the process of replacing an aging Cisco ASA-5540 with an SRX-650.  The ASA has a large number of static NAT translations, as well as many outbound source NAT pools.  Does anyone have any suggestions on creating templates for at least the statics that I need to recreate on this box?
> Since you're manipulating one text-based configuration to resemble a
> different vendor's style of text-based configuration, perl might be your
> best bet.
>
> If you have scripting allergies, in the past I've leveraged the
> high-degree of repetition associated with the command arguments and
> created excel templates wherein all you needed to do was plug in the
> relevant ip addresses.
>
>> I've been doing these for a couple of years and it is a pretty painful process.
>>
>> Firstly, if you're using address object names on your ASA, you'll need to convert them back to IP addresses in the configurations - Junos doesn't support Address names in NAT configuration.
>>
>> Secondly, the ASA config:
>>
>> static (dmz,out) 203.1.1.140 10.10.10.140
>>
>> (which IMHO is completely ass-backwards) will end up looking like:
> No need to associate humility with that particular opinion. It IS
> ass-backwards. It makes about as much sense as referring to one of the
> subcomponents of your natting scheme as a "nat" or assuming that people
> will sound out the component letters of your product name ("P-I-X")
> instead of pronouncing it like the word it appears to be ("PIX").
>
>> set security nat static rule-set STATIC-OUT from zone out
>> set security nat static rule-set STATIC-OUT rule Rule1 match destination-address 203.1.1.140/32
>> set security nat static rule-set STATIC-OUT rule Rule1 then static-nat prefix 172.16.16.140/32
>>
>> on the SRX.  The SRX also doesn't implicitly enable proxy ARP for the static NAT address either, so you'll need something like:
>>
>> set security nat static proxy-arp interface ge-0/0/0.0 address 203.1.1.140/32
>>
>> on your "out" zone interface.  You'll then also need security policies defined (as you would have ACLs in the ASA).
>>
>> Your bible will be SRX Series and J Series Network Address Translation:
>> http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf
>>
>> Good luck!
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
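The scripted approach Kevin describes, applied to Ben's ASA-to-Junos sketch, as an added example that is not part of the thread (Python rather than Perl, since either does the job): it reads a constructed ASA fragment, resolves `name` labels back to addresses (Ben's first point, and the converter refuses to emit a rule for a label it cannot resolve rather than guessing), and writes the `rule-set`, per-rule `match`/`then` and `proxy-arp` lines in the form Ben shows. The ASA-interface-to-SRX-zone and SRX-interface mappings (`ZONE_MAP`, `IFACE_MAP`), the rule-set name and the sample addresses are assumptions for the example; the generated `set` lines still need the security policies Ben mentions and a read-through before they go near a production box.

```python
import ipaddress
import re

# Constructed sample ASA fragment (not taken from the thread): two "name"
# entries and three one-to-one statics, one of which refers to a name label.
SAMPLE_ASA = """\
name 10.10.10.140 WEB-DMZ
name 10.10.10.141 MAIL-DMZ
static (dmz,out) 203.1.1.140 WEB-DMZ netmask 255.255.255.255
static (dmz,out) 203.1.1.141 10.10.10.141 netmask 255.255.255.255
static (dmz,out) 203.1.1.160 10.10.10.160
"""

# Assumed mappings: ASA nameif -> SRX zone, and ASA outside nameif -> SRX
# interface that should answer proxy ARP for the mapped addresses.
ZONE_MAP = {"dmz": "dmz", "out": "out"}
IFACE_MAP = {"out": "ge-0/0/0.0"}

NAME_RE = re.compile(r"^name\s+(\S+)\s+(\S+)\s*$")
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\)\s+"
    r"(?P<mapped>\S+)\s+(?P<real>\S+)(?:\s+netmask\s+(?P<mask>\S+))?"
)


def parse_names(text):
    """Collect ASA 'name <ip> <label>' entries so labels can be resolved."""
    names = {}
    for line in text.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            names[m.group(2)] = m.group(1)
    return names


def resolve(token, names):
    """Turn an ASA address token (literal IP or name label) into an IPv4Address.

    Junos static NAT takes prefixes only, so an unresolvable label is an
    error here rather than something to pass through into the config.
    """
    literal = names.get(token, token)
    try:
        return ipaddress.IPv4Address(literal)
    except ipaddress.AddressValueError:
        raise ValueError(f"unresolvable address token {token!r}") from None


def convert_statics(text, zone_map, iface_map, rule_set="STATIC-OUT"):
    """Emit Junos 'set' lines for each one-to-one static in an ASA fragment."""
    names = parse_names(text)
    out = []
    seen_zones = set()
    seen_proxy = set()
    rule_no = 0
    for line in text.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        mask = m["mask"] or "255.255.255.255"
        # ASA lists mapped (outside) address first, real (inside) second;
        # a non-/32 netmask describes a whole block, so emit the network.
        mapped = ipaddress.IPv4Network(f"{resolve(m['mapped'], names)}/{mask}", strict=False)
        real = ipaddress.IPv4Network(f"{resolve(m['real'], names)}/{mask}", strict=False)
        out_zone = zone_map[m["mapped_if"]]
        if out_zone not in seen_zones:
            out.append(f"set security nat static rule-set {rule_set} from zone {out_zone}")
            seen_zones.add(out_zone)
        rule_no += 1
        rule = f"set security nat static rule-set {rule_set} rule Rule{rule_no}"
        out.append(f"{rule} match destination-address {mapped.with_prefixlen}")
        out.append(f"{rule} then static-nat prefix {real.with_prefixlen}")
        # The SRX does not proxy-ARP for static NAT addresses by itself.
        proxy = (f"set security nat static proxy-arp interface "
                 f"{iface_map[m['mapped_if']]} address {mapped.with_prefixlen}")
        if proxy not in seen_proxy:
            out.append(proxy)
            seen_proxy.add(proxy)
    return out


if __name__ == "__main__":
    for set_line in convert_statics(SAMPLE_ASA, ZONE_MAP, IFACE_MAP):
        print(set_line)
```

Run it as-is to see the ten `set` lines for the sample; point it at a real ASA export by reading the file into `text`. Source NAT pools, port-level statics and `object network` style NAT are outside what this handles, which is the usual place a find-and-replace job stops being simple.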
