[j-nsp] Cisco ASA to Junos Convertor

Kevin Cullimore kcullimo at runbox.com
Mon Jun 20 11:16:54 EDT 2011


On 6/20/2011 9:32 AM, Jason Lavoie wrote:

Full Disclosure: I occasionally do this (cross-platform/manufacturer 
firewall migrations) for a living.
> On 06/20, Altaf Ahmad wrote:
>> I tried the I2J tool but it does not translate the ASA commands to JUNOS. I
>> have very big ASA configuration files which consist of around 1000+
>> access list entries (ACEs) using object-groups, and it's really very
>> hard to manually translate a huge number of lines into JUNOS. Is there any
>> suggestion for this issue?
> We are considering a migration to SRX, and have done a proof-of-concept
> conversion in the lab.  It is relatively straightforward to write some
> Perl to convert access lists from Cisco to Juniper if your object-groups
> are consistently structured.  The biggest drawback we found is that
> Juniper does not support nested address-sets like Cisco does its
> object-groups -- we ended up solving that with a commit script on the
> Junos side.
>
Most of the tedious stuff can indeed be automated within the confines of 
a sufficiently robust scripting environment. The solutions I've 
encountered most frequently are Perl-based. I've performed a fair amount 
of minor/side tasks via bash shell scripts. A former coworker of mine 
once wrote a Check Point-to-ScreenOS migration utility in VBA (Excel).
> Juniper has also offered professional services to assist in migrating
> the configuration between platforms.  We haven't gotten to that point in
> the engagement, so I can't comment on that process.
The amount of work required varies from 
customer/environment/configuration to customer/environment/configuration.
> -j
>
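
The nested object-group problem raised in this thread can also be handled on the conversion side by flattening each group before emitting Junos commands. The sketch below is an added example, not code from either poster, and is written in Python rather than the Perl they mention. The sample ASA config is constructed, and the zone name `trust` and the `net_` address naming scheme are assumptions.

```python
import ipaddress
# Constructed sample ASA config (not from the thread); ALL_SERVERS is nested.
SAMPLE_ASA = """\
object-group network WEB_SERVERS
 network-object host 10.1.1.10
 network-object 10.1.2.0 255.255.255.0
object-group network ALL_SERVERS
 group-object WEB_SERVERS
 network-object host 10.1.3.5
 network-object host 10.1.1.10
"""

def parse_groups(config):
    """Return {group: [("net", cidr) or ("group", name), ...]}."""
    groups, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"] and len(tok) == 3:
            current = groups.setdefault(tok[2], [])
        elif current is None or not line.startswith(" ") or not tok:
            current = None  # outside an object-group network block
        elif tok[0] == "group-object" and len(tok) == 2:
            current.append(("group", tok[1]))
        elif tok[0] == "network-object" and len(tok) == 3:
            ip, mask = (tok[2], "255.255.255.255") if tok[1] == "host" else (tok[1], tok[2])
            current.append(("net", str(ipaddress.ip_network(f"{ip}/{mask}"))))
        elif tok[0] != "description":
            raise ValueError(f"unhandled member, convert by hand: {line.strip()}")
    return groups

def flatten(groups, name, stack=()):
    """Expand nested group-object references into a set of CIDR strings."""
    if name in stack or name not in groups:
        raise ValueError(f"loop or undefined object-group: {name}")
    nets = set()
    for kind, value in groups[name]:
        nets |= flatten(groups, value, stack + (name,)) if kind == "group" else {value}
    return nets

def to_junos(config, zone="trust"):  # zone name is an assumption
    groups = parse_groups(config)
    base = f"set security zones security-zone {zone} address-book"
    addrs, sets = {}, []
    for name in groups:
        for cidr in sorted(flatten(groups, name), key=ipaddress.ip_network):
            addr = "net_" + cidr.replace("/", "_")  # hypothetical naming scheme
            addrs[addr] = f"{base} address {addr} {cidr}"
            sets.append(f"{base} address-set {name} address {addr}")
    return list(addrs.values()) + sets
```

Member types the parser does not recognise raise an error instead of being skipped, so an entry cannot silently disappear from a converted policy.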


