Conversion tool - CheckPoint FW to Cisco ASA

Cisco Employee

Cisco has recently opened up a self-service tool to convert CheckPoint Firewall configurations to Cisco ASA configs.

https://fwmig.cisco.com/

It is open to all the users registered on the Cisco website.

Try it out and let us know your feedback

The same tool also supports the migration of Juniper Netscreen Firewall configurations to Cisco ASA

https://supportforums.cisco.com/community/netpro/security/firewall/blog/2013/09/27/conversion-tool-juniper-screenos-to-cisco-asa

Thanks

Anand

25 Comments
Beginner

Dear Anand,

Thanks for this post!

I've just tried to convert Checkpoint config to ASA. I'm receiving this error:

##################################################################

     CheckPoint to Cisco ASA Config Conversion Tool - ver 1.0

##################################################################

Task Started at 2014-01-05 15:54:14 UTC on the Server

STEP [1/24] Reading the Config File

STEP [2/24] Checking and Fixing for the Objects with Exclusion

STEP [3/24] Defining Disclaimer

STEP [4/24] Finding Basic Information

STEP [5/24] Creating Interfaces

ERROR: The number of interfaces are less than 2, hence cannot continue further

.

Conversion Task had some issues at 2014-01-05 15:54:19 UTC on the Server

By the way based on networking.txt file there are 4 interfaces including loopback interface.

Can you please check this error?

Thanks,

Enis

Cisco Employee

Hello Enis

Thanks for trying out the portal.

Based on my experience and the above log, I guess there must be some issue while reading the file relating to the routing table.

I suggest the following:

1- Have you followed the data collection process correctly (points 3 and 4 in this case)? To put it simply, if the file is named 'networking.txt', then it must have the output of the 'ifconfig -a' and 'netstat -rnv' commands. Whereas, if the file is named 'routes.txt', then it must have the routes/interfaces as provided in the sample there.

2- Further, you may get another error message in case your config does not have any default route. If you don't have one, then you will need to define one dummy default route for the conversion purpose.

Hope this helps.

Regards

Anand

Beginner

Hi Anand,

It worked. I followed your steps, renamed the file networking to routes and added a default route as you suggested.

In the next days I will try to import the config to ASA and I will let you know if it works. Hope it will work...

Thanks again,

Enis

Hi Anand

If I upload a checkpoint config.zip with all the required files (naming is exactly as requested) the system responds with:

The Uploaded Config does not contain all the 8 files as mentioned in the Configuration Collection Procedure

The files included in the zip:

NAT_Policy.xml

Security_Policy.xml

communities.xml

index.xml

network_objects.xml

routes.txt

services.xml

users.xml

Do you have any idea?

Hi Anand

Found the problem. Hidden files in OSX are included in the ZIP file (.DS_Store).

Thx anyway

Cisco Employee

Hi Young

Hope it has been useful to you. We would like to hear from you.

Regarding the upload issue because of the hidden files created by Mac, we have updated the upload page with a note so that users can avoid this in the future. Thanks for highlighting this.

Regards

Anand
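The requirements Anand describes above (file naming, 'ifconfig -a' plus 'netstat -rnv' contents, a default route, at least two interfaces) and the hidden-file problem Young hit can all be checked locally before uploading. The script below is an added example written for this thread, not part of the Cisco conversion tool or of any poster's code. The expected file list is the one posted above, the routing file may be either routes.txt or networking.txt as Anand explains, and the patterns used to spot a default route and interface headers assume ordinary netstat -rnv and ifconfig -a output (both the "eth0: flags=" and "eth0      Link encap:" styles); the sample bundle contents are constructed, not taken from a real gateway.

```python
import io
import re
import zipfile

# The file names listed in the thread as the accepted bundle contents.
REQUIRED = {"NAT_Policy.xml", "Security_Policy.xml", "communities.xml",
            "index.xml", "network_objects.xml", "services.xml", "users.xml"}
# The 8th file is the routing/interface file; either name is accepted per the reply above.
ROUTING_NAMES = ("routes.txt", "networking.txt")

# Default route as printed by netstat -rnv (assumption about the format).
DEFAULT_ROUTE = re.compile(r"^(?:default|0\.0\.0\.0)\s", re.M)
# Interface header lines as printed by ifconfig -a (assumption about the format).
IFACE_HEADER = re.compile(r"^([A-Za-z0-9_.-]+):?\s+(?:flags=|Link encap)", re.M)


def is_hidden(name: str) -> bool:
    """True for Finder artefacts (.DS_Store, __MACOSX/...) and any dot-file at any depth."""
    parts = [p for p in name.split("/") if p]
    return any(p.startswith(".") for p in parts) or name.startswith("__MACOSX/")


def check_bundle(zip_bytes: bytes) -> list:
    """Return the problems found in a config bundle; an empty list means it looks uploadable."""
    problems = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["archive is not a zip file ('Archive format is not supported')"]
    with zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        hidden = sorted(n for n in names if is_hidden(n))
        for h in hidden:
            problems.append(f"hidden file must be removed: {h}")
        visible = set(names) - set(hidden)
        for m in sorted(REQUIRED - visible):
            problems.append(f"missing required file: {m}")
        routing = [n for n in visible if n in ROUTING_NAMES]
        if len(routing) != 1:
            problems.append("exactly one of routes.txt / networking.txt is required")
        for e in sorted(visible - REQUIRED - set(ROUTING_NAMES)):
            problems.append(f"unexpected file: {e}")
        if len(routing) == 1:
            text = zf.read(routing[0]).decode("utf-8", "replace")
            if not DEFAULT_ROUTE.search(text):
                problems.append(f"{routing[0]}: no default route found (add a dummy one for the conversion)")
            if routing[0] == "networking.txt":
                ifaces = IFACE_HEADER.findall(text)
                if len(ifaces) < 2:
                    problems.append(f"networking.txt: only {len(ifaces)} interface(s) found, need at least 2")
    return problems


def make_zip(files: dict) -> bytes:
    """Build an in-memory zip from {name: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample ifconfig -a / netstat -rnv output (not from a real gateway).
NETWORKING_OK = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:56
          inet addr:198.51.100.1  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
198.51.100.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
"""
XML_STUB = "<?xml version='1.0'?><root/>"  # placeholder contents, constructed

# A clean bundle, and one that reproduces the thread's two failures:
# Finder hidden files present and no default route in routes.txt.
GOOD = make_zip({**{n: XML_STUB for n in REQUIRED}, "networking.txt": NETWORKING_OK})
BAD = make_zip({**{n: XML_STUB for n in REQUIRED},
                "routes.txt": "198.51.100.0/24 via 192.0.2.1\n",
                ".DS_Store": b"\x00", "__MACOSX/._index.xml": b"\x00"})

if __name__ == "__main__":
    for label, bundle in (("good", GOOD), ("bad", BAD)):
        print(label, check_bundle(bundle) or "OK")
```

Run it against your own zip by reading the file into bytes and passing it to check_bundle; fix every reported problem (for the macOS case, rebuild the zip without .DS_Store and __MACOSX entries) before uploading.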

Beginner


Hello All,

I am looking to convert the config on my Cisco 7206 box with VAM module to ASA.

Currently the Cisco 7206 is used in a VPN hub role.

Please check the same.

Regards


To scale the performance of firewalls and to provide high reliability, Cisco has a new feature called ITD. Please see ITD (Intelligent Traffic Director) White Paper.

Also, recent blog : Intelligent Traffic Director @ Cisco Live Milan


ITD Provides CAPEX and OPEX Savings for Customers

ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5K/6K/7K series of switches. It supports IP-stickiness, resiliency, NAT, (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS.

ITD is far superior to legacy solutions such as PBR, WCCP, ECMP, port-channel and layer-4 load-balancer appliances.


Beginner

Out of curiosity, is there any way to get the tool to output interface-specific ACLs instead of global ACLs like the original conversion tool did?

I'm guessing it used the routing table to map them before, but it doesn't appear to do so with this version.

If not, is this an expected addition that will be implemented eventually?

I see the output convoptions file says "Use global ACL = yes" but there doesn't appear to be a way to set it to no.

Hi,

I've been trying to access the link but got a proxy error. Is anyone facing the same issue?


Regards

Zul

Cisco Employee

Hi Zul

Please try now. The system was under maintenance. It is up now.

Regards

Anand

Hi Anand,


Beautiful. Thanks a lot


Regards

Zul

Beginner

Hi ALL,

What is this "Archive format is not supported"?

What should I do?

Beginner

Hi,

I tried the command mentioned in step 2 on WVT; however, it generated only one output file, for security policies.

How do I get the other files like communities, index, nat-policy, network-object and services?

Beginner

I ran this on a NetScreen configuration and it just keeps on failing with a 'We ran into an error, that is all we can say here'. Does this work well on NetScreen for anyone else?