Netscreen to ASA - Quick Look

matthew.scala — Mon, 11 Mar 2019 12:52:08 GMT

Hey guys, I have attached a brief config from a NetScreen. This needs to be adapted to a new Cisco ASA. Wondering if one of you experts can take a quick look & provide guidance on any config converter tools and/or know if this can be simply translated. Thanks in advance for all responses!

- Matt

Re: Netscreen to ASA - Quick Look

Collin Clark — Fri, 30 May 2008 12:45:12 GMT

Looks pretty straight forward. I don't know of any tools (maybe I should write one) that converts the config.

MIPS are equivalent to statics in an ASA.

Netscreen

set interface "ethernet4" mip xxx.x.23.52 host 192.68.123.27 netmask 255.255.255.255 vr "trust-vr"

Cisco ASA

static (inside,outside) xxx.x.23.52 192.68.123.27 netmask 255.255.255.255

The ACLs

Netscreen

set policy id 73 from "Untrust" to "Trust" "Any" "MIP(xxx.x.23.35)" "WebServer Service Grp" permit log count

Cisco ASA

access-list outside_in extended permit tcp any host xxx.x.23.35 object-group WebServer_ Service_Grp

Grouping ports & protocols

Netscreen

set group service "WebServer Service Grp"

set group service "WebServer Service Grp" add "HTTP"

set group service "WebServer Service Grp" add "HTTPS"

set group service "WebServer Service Grp" add "PING"

Cisco ASA

object-group service WebServer_Service_Grp tcp

port-object eq www

port-object eq https

Note that with object groups, you can only have TCP or UDP in a group. I'm pretty sure you can nest groups though.

Hope that helps

topic Netscreen to ASA - Quick Look in Network Security

Netscreen to ASA - Quick Look

Re: Netscreen to ASA - Quick Look