Cisco has recently opened up a self-service tool to convert CheckPoint Firewall configurations to Cisco ASA configs.
It is open to all the users registered on the Cisco website.
Try it out and let us know your feedback.
The same tool also supports the migration of Juniper Netscreen Firewall configurations to Cisco ASA.
Thanks for this post!
I've just tried to convert Checkpoint config to ASA. I'm receiving this error:
CheckPoint to Cisco ASA Config Conversion Tool - ver 1.0
Task Started at 2014-01-05 15:54:14 UTC on the Server
STEP [1/24] Reading the Config File
STEP [2/24] Checking and Fixing for the Objects with Exclusion
STEP [3/24] Defining Disclaimer
STEP [4/24] Finding Basic Information
STEP [5/24] Creating Interfaces
ERROR: The number of interfaces are less than 2, hence cannot continue further
Conversion Task had some issues at 2014-01-05 15:54:19 UTC on the Server
By the way, based on the networking.txt file, there are 4 interfaces including the loopback interface.
Can you please check this error?
Thanks for trying out the portal.
Based on my experience and the above log, I guess there must be some issue while reading the file relating to the routing table.
I suggest the following:
1- Have you followed the data collection process correctly (points 3 and 4 in this case)? To put it simply, if the file is named 'networking.txt', then it must contain the output of the 'ifconfig -a' and 'netstat -rnv' commands. Whereas, if the file is named 'routes.txt', then it must contain the routes/interfaces as provided in the sample there.
2- Further, you may get another error message if your config does not have a default route. If you don't have one, then you will need to define a dummy default route for the conversion.
Hope this helps.
It worked. I followed your steps, renamed the file networking to routes and added a default route as you suggested.
In the next few days I will try to import the config to the ASA and I will let you know if it works. Hope it will work...
If I upload a checkpoint config.zip with all the required files (naming is exactly as requested), the system responds with:
The Uploaded Config does not contain all the 8 files as mentioned in the Configuration Collection Procedure
The files included in the zip:
Do you have any idea?
Found the problem. Hidden files in OSX are included in the ZIP file (.DS_Store).
Hope it has been useful to you. We would like to hear from you.
Regarding the upload issue caused by the hidden files created by Mac, we have updated the upload page with a note so that users can avoid this in the future. Thanks for highlighting this.
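The hidden-file problem reported above can be caught before uploading. This is an added example, not part of the original thread or of the Cisco tool: it audits an archive for the entries macOS adds on its own and writes a cleaned copy. The count of 8 comes from the error message quoted above; the placeholder file names and the assumption that the portal counts every archive entry are constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

EXPECTED_FILES = 8  # count quoted in the portal's error message


def is_macos_debris(name: str) -> bool:
    """True for entries macOS adds on its own: .DS_Store, __MACOSX/, ._ AppleDouble files."""
    parts = PurePosixPath(name).parts
    return "__MACOSX" in parts or any(
        p == ".DS_Store" or p.startswith("._") for p in parts)


def audit(zip_bytes: bytes) -> dict:
    """List real files and macOS debris in an archive without extracting it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    debris = [n for n in names if is_macos_debris(n)]
    files = [n for n in names if n not in debris]
    return {"files": files, "debris": debris,
            "ok": not debris and len(files) == EXPECTED_FILES}


def clean(zip_bytes: bytes) -> bytes:
    """Return a copy of the archive with the macOS debris entries dropped."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if not info.is_dir() and not is_macos_debris(info.filename):
                dst.writestr(info.filename, src.read(info))
    return out.getvalue()


def build_sample() -> bytes:
    """Constructed archive: 8 placeholder files plus entries macOS can add."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(1, EXPECTED_FILES + 1):
            zf.writestr(f"file_{i}.txt", "placeholder\n")  # placeholder names
        zf.writestr(".DS_Store", b"\x00")
        zf.writestr("__MACOSX/._file_1.txt", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("before:", audit(sample), "\nafter:", audit(clean(sample)))
```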
I am looking to convert the config on my cisco 7206 box with VAM Module to ASA.
Currently cisco 7206 is used in a VPN HUB config role.
Please check the same.
To scale the performance of firewalls and to provide high reliability, Cisco has a new feature called ITD. Please see ITD (Intelligent Traffic Director) White Paper.
Also, a recent blog: Intelligent Traffic Director @ Cisco Live Milan
ITD Provides CAPEX and OPEX Savings for Customers
ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5K/6K/7K series of switches. It supports IP-stickiness, resiliency, NAT, (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS.
ITD is much superior to legacy solutions like PBR, WCCP, ECMP, port-channel, layer-4 load-balancer appliances.
Out of curiosity, is there any way to get the tool to output interface-specific ACLs instead of global ACLs like the original conversion tool did?
I'm guessing it used the routing table to map them before but doesn't appear to do so with this version.
If not, is this an expected addition that will be implemented eventually?
I see the output convoptions file says "Use global ACL = yes" but there doesn't appear to be a way to set it to no.
Been trying to access to the link but got proxy error. Anyone facing the same issue?
Pls try now. The system was under maintenance. It is up now.
Beautiful. Thanks a lot
What is this "Archive format is not supported"?
What should I do??
I tried the command mentioned in step 2 on WVT, however it generated only one output file for security policies.
How do I get other files like communities, index, nat-policy, network-object and services?
I ran this on a NetScreen configuration and it just keeps on failing with a 'We ran into an error, that is all we can say here'. Does this work well on Netscreen for anyone else?