Solved

convert netscreen ns50 commands to cisco asa-5505 commands

Posted on 2011-09-20
Medium Priority
1,121 Views
Last Modified: 2012-06-27
How do I convert netscreen ns50 commands to cisco asa-5505 commands.
I have a Netscreen NS50 Version: 5.4.0r15.0 firewall/VPN,
and I want to convert it over to a Cisco ASA-5505 8.0 (4) 28.

Any help would be appreciated. I'm tech enough to get in, do things, figure out commands, etc., but do not know enough, actually very little, about Cisco's terminology compared to Juniper's.
Thanks very much in advance.
Question by:RjCoats
16 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36569172
Well, could you post the config? I think there are enough experts here to be able to create a good converted config.
 
LVL 6

Expert Comment

by:RustyZ32
ID: 36569444
I don't know of any utility that could do that for you, but as Erniebeek said, if you post the current config someone will probably convert it for you (if it's simple enough, which I assume it is since you are using an entry-level device).


 

Author Comment

by:RjCoats
ID: 36569650
OK, great, thanks for the responses from both of you.
I have a lot of IPs and user IDs etc. I need to change from the public eye; I will attach a text file tomorrow morning when I get done with the changes.
I do appreciate it.
Rj
 

Author Comment

by:RjCoats
ID: 36569803
Thanks for the help anyone.
Rj
Attachment: NS50-Config-Experts-Exchange.txt
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36572711
I am playing around a bit with the conversion and have a question.

I see that you have two publics (123.456.789.5 and 6) mapped to one internal ip (10.0.0.2). Is there a specific reason for that?
 

Author Comment

by:RjCoats
ID: 36598925
Sorry for a late response. I didn't catch this one.
We have different port routings for each. Our main one, ending in 4, is the public. The one ending in 5 is a VIP that only allows traffic to ports 10.0.0.2:4080 and 10.0.0.2:5080.
The one ending in 6 allows more ports to be accessed, but not the entire network.

Thanks, and again, sorry for taking so long, I didn't see this in my email.
Rj
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36709738
Ok,

Give me some time to play around with that. I think I'll be able to create a fairly complete 'translation'.
 

Author Comment

by:RjCoats
ID: 36709758
Thanks a ton erniebeek.
I'm pretty sure I was told I can't have a "VIP" on the Cisco ASA5505, but even if I have to let them all use the same public IP, I'd like to route some incoming IPs to those certain ports, 4080 and 5080.

Thanks again.
Rj
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36709782
Multiple publics shouldn't be a problem, I just wasn't completely sure on how to read that part of the config ;)
 

Author Comment

by:RjCoats
ID: 36709819
Gotcha. :)
 
LVL 35

Accepted Solution

by: Ernie Beek (earned 2000 total points)
ID: 36814210
Here is a little something to get you started:

: ASA 8.0(4) first-pass translation of the NS50 config; no VPN yet
hostname local
domain-name mydomain.com
!
! 'names' must be on before 'name' entries are accepted or usable in statics/ACLs
names
name 10.0.0.2 AS400_AS2_CLIENT
name 10.0.0.0 Fred_Young
name 127.444.90.0 VENDOR1_IP-A
name 127.444.192.0 VENDOR1_IP-B
name 12.34.58.98 VENDOR3
name 161.168.228.14 VENDOR2_IP_10
name 161.168.228.13 VENDOR2_P2P_7
!
interface Vlan1
 nameif trust
 security-level 100
 ip address 10.0.0.3 255.255.255.0
!
interface Vlan2
 shutdown
 nameif dmz
 security-level 50
 no ip address
!
interface Vlan3
 nameif untrust
 security-level 0
 ! the ASA requires a subnet mask on this line; take it from the NS50 untrust interface
 ip address 123.456.789.1
!
interface Ethernet0/0
 switchport access vlan 3
!
! Service groups. Pre-8.3 syntax: 'service-object <proto> eq <port>',
! and 'tcp-udp' covers both protocols in one line.
object-group service AS400_AS2
 service-object tcp eq 4080
object-group service VENDOR2_P2P_App
 service-object tcp eq 5080
object-group service 8470_Port
 service-object tcp-udp eq 8470
object-group service 446_Port
 service-object tcp-udp eq 446
object-group service 8471_Port
 service-object tcp-udp eq 8471
object-group service 8472_Port
 service-object tcp-udp eq 8472
object-group service 8473_Port
 service-object tcp-udp eq 8473
object-group service 8474_Port
 service-object tcp-udp eq 8474
object-group service 8475_Port
 service-object tcp-udp eq 8475
object-group service 8476_Port
 service-object tcp-udp eq 8476
object-group service Downloader_17850
 service-object tcp-udp eq 17850
object-group service Downloader_17851
 service-object tcp-udp eq 17851
object-group service Downloader_17852
 service-object tcp-udp eq 17852
object-group service 137_UDP
 service-object udp eq 137
object-group service 135_UDP-TCP
 service-object tcp-udp eq 135
object-group service 139_TCP
 service-object tcp eq 139
object-group service 445_TCP
 service-object tcp eq 445
!
! The groups below are defined but not referenced by any ACL yet
object-group service Virus_Ports
 service-object udp eq 69
 service-object tcp eq 135
 service-object tcp eq 1080
 service-object tcp eq 4444
 service-object udp eq 8998
object-group service Downloader_17853
 service-object tcp-udp eq 17853
object-group service Downloader_17854
 service-object tcp-udp eq 17854
object-group service Downloader_17855
 service-object tcp-udp eq 17855
object-group service Downloader_17856
 service-object tcp-udp eq 17856
object-group service 80_PORT
 service-object tcp-udp eq 80
object-group service Web_Security
 service-object tcp eq 8080
!
! Inbound policy. 'any' source mirrors the posted policies; if the NS50
! policies were restricted to the VENDOR* addresses, use those names instead
! of 'any' here, especially for telnet, 135/137/139/445.
access-list acl_outside extended permit object-group VENDOR2_P2P_App any host 123.456.789.5
access-list acl_outside extended permit object-group AS400_AS2 any host 123.456.789.5
access-list acl_outside extended permit tcp any host 123.456.789.5 eq telnet
access-list acl_outside extended permit object-group 139_TCP any host 123.456.789.5
access-list acl_outside extended permit tcp any host 123.456.789.6 eq telnet
access-list acl_outside extended permit object-group 8470_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8471_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8472_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8473_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8474_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8475_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8476_Port any host 123.456.789.6
access-list acl_outside extended permit object-group Downloader_17850 any host 123.456.789.6
access-list acl_outside extended permit object-group Downloader_17851 any host 123.456.789.6
access-list acl_outside extended permit object-group Downloader_17852 any host 123.456.789.6
access-list acl_outside extended permit object-group 135_UDP-TCP any host 123.456.789.6
access-list acl_outside extended permit object-group 137_UDP any host 123.456.789.6
access-list acl_outside extended permit object-group 139_TCP any host 123.456.789.6
access-list acl_outside extended permit object-group 445_TCP any host 123.456.789.6
access-list acl_outside extended permit object-group 446_Port any host 123.456.789.6
! An ACL does nothing until it is bound to an interface
access-group acl_outside in interface untrust
!
! Outbound PAT for the trust network
global (untrust) 1 interface
nat (trust) 1 10.0.0.0 255.255.255.0
!
! ...5 was the NS50 VIP: static PAT, so only the forwarded ports reach 10.0.0.2
static (trust,untrust) tcp 123.456.789.5 4080 AS400_AS2_CLIENT 4080 netmask 255.255.255.255
static (trust,untrust) tcp 123.456.789.5 5080 AS400_AS2_CLIENT 5080 netmask 255.255.255.255
static (trust,untrust) tcp 123.456.789.5 telnet AS400_AS2_CLIENT telnet netmask 255.255.255.255
static (trust,untrust) tcp 123.456.789.5 139 AS400_AS2_CLIENT 139 netmask 255.255.255.255
! ...6 is a one-to-one static; acl_outside decides which ports get through.
! Keep it after the port statics: statics are matched in order, so traffic
! from 10.0.0.2 not covered above leaves as ...6. The ASA may warn about the
! real-address overlap; that is expected.
static (trust,untrust) 123.456.789.6 AS400_AS2_CLIENT netmask 255.255.255.255
!
! Reserved for the remote-access VPN clients (not configured yet)
ip local pool ippool 172.16.10.1-172.16.10.21 mask 255.255.255.0
!
route untrust 0.0.0.0 0.0.0.0 123.456.789.2
route trust 192.168.0.0 255.255.255.0 10.0.0.4
!
logging enable
logging timestamp
logging buffered error
logging console error
!
! Without these two lines the local username is never consulted: SSH would
! fall back to the default 'pix' login and ASDM to the enable password.
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
! change this password before the box goes live
username adminname password br549 privilege 15
!
! SSH needs an RSA key; the domain-name above must be set first
crypto key generate rsa modulus 2048
ssh 10.0.0.9 255.255.255.255 trust
ssh timeout 30
ssh version 2
! telnet is cleartext; remove it once SSH is confirmed working
telnet 10.0.0.9 255.255.255.255 trust
!
http server enable
http 10.0.0.9 255.255.255.255 trust
!
snmp-server community mydomain.com.local
!
ntp server 69.222.103.98 source untrust prefer
! EST is UTC-5; use 'CST -6' if the site is actually Central
clock timezone EST -5

No VPNs yet, but first let's see if this works for you.
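RustyZ32 mentions above that no utility exists for this conversion, and most of Ernie Beek's answer is the mechanical part of it: a ScreenOS custom service becomes an ASA service object-group, a VIP becomes a pre-8.3 static PAT entry, and an Untrust-to-Trust policy becomes a line in the outside ACL. The script below is an added example written for this thread; it is not the attached NS50 config and not the accepted answer's config. It handles only those three ScreenOS 5.4 statement types and returns everything else as "untranslated" so nothing drops out of the policy unnoticed. The zone-to-nameif mapping (Trust/Untrust to trust/untrust) and the ACL name acl_outside are assumptions chosen to match the answer above; the sample ScreenOS lines are constructed from the thread's description (the obfuscated addresses and the VIP ports 4080 and 5080).

```python
"""Translate a subset of ScreenOS 5.4 CLI into ASA 8.0 (pre-8.3) NAT/ACL syntax.

Added example for this thread; not the attached NS50 config and not the
accepted answer's config. Handles exactly three statement types:
  set service "NAME" protocol tcp|udp src-port A-B dst-port C-D
  set interface IF vip PUBLIC PORT "SERVICE" PRIVATE
  set policy id N from "ZONE" to "ZONE" "SRC" "DST" "SERVICE" permit|deny
Everything else is returned under "untranslated" so it is not silently dropped.
"""
import re

SERVICE_RE = re.compile(
    r'^set service "(?P<name>[^"]+)" protocol (?P<proto>tcp|udp) '
    r'src-port \d+-\d+ dst-port (?P<lo>\d+)-(?P<hi>\d+)$')
VIP_RE = re.compile(
    r'^set interface \S+ vip (?P<pub>\S+) (?P<port>\d+) "(?P<svc>[^"]+)" (?P<priv>\S+)$')
POLICY_RE = re.compile(
    r'^set policy id \d+ from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" (?P<action>permit|deny)$')
# Assumed zone -> nameif mapping, matching the interface names in the answer above.
ZONES = {"Trust": "trust", "Untrust": "untrust"}


def _port_spec(lo, hi):
    return f"eq {lo}" if lo == hi else f"range {lo} {hi}"


def _acl_addr(token):
    """ScreenOS address-book token -> ASA ACL address. VIP(<ip>) means that public IP."""
    if token == "Any":
        return "any"
    m = re.fullmatch(r"VIP\(([\d.]+)\)", token)
    return f"host {m.group(1) if m else token}"


def translate(screenos_lines, acl="acl_outside"):
    services = {}  # service name -> (proto, lo, hi)
    out = {"objects": [], "statics": [], "acl": [], "notes": [], "untranslated": []}
    for line in (raw.strip() for raw in screenos_lines):
        if not line:
            continue
        if m := SERVICE_RE.match(line):
            services[m["name"]] = (m["proto"], m["lo"], m["hi"])
            out["objects"] += [f"object-group service {m['name']}",
                               f" service-object {m['proto']} {_port_spec(m['lo'], m['hi'])}"]
        elif m := VIP_RE.match(line):
            if m["svc"] not in services:  # a VIP refers to a service we must have seen
                out["untranslated"].append(line)
                continue
            proto, real_port, _ = services[m["svc"]]
            # ScreenOS VIP == ASA static PAT: only this port reaches the private host
            out["statics"].append(
                f"static ({ZONES['Trust']},{ZONES['Untrust']}) {proto} {m['pub']} {m['port']} "
                f"{m['priv']} {real_port} netmask 255.255.255.255")
        elif m := POLICY_RE.match(line):
            src_zone, dst_zone = ZONES.get(m["src_zone"]), ZONES.get(m["dst_zone"])
            if src_zone == "trust" and dst_zone == "untrust" and m["action"] == "permit":
                # Higher -> lower security level is permitted by default, no ACL needed
                out["notes"].append(f"! {line}: allowed by security-level, no ACL needed")
                continue
            if src_zone != "untrust":
                out["untranslated"].append(line)
                continue
            svc = "ip" if m["svc"] == "ANY" else f"object-group {m['svc']}"
            out["acl"].append(f"access-list {acl} extended {m['action']} {svc} "
                              f"{_acl_addr(m['src'])} {_acl_addr(m['dst'])}")
        else:
            out["untranslated"].append(line)
    if out["acl"]:  # an ACL does nothing until it is bound to the interface
        out["acl"].append(f"access-group {acl} in interface {ZONES['Untrust']}")
    return out


def render(out):
    """Order the pieces as the ASA CLI needs them: objects, then ACL, then statics."""
    return "\n".join(out["objects"] + out["acl"] + out["statics"] + out["notes"])


# Constructed sample using the thread's obfuscated addresses; not the real NS50 config.
SAMPLE = """
set service "AS400_AS2" protocol tcp src-port 0-65535 dst-port 4080-4080
set service "VENDOR2_P2P_App" protocol tcp src-port 0-65535 dst-port 5080-5080
set interface ethernet3 vip 123.456.789.5 4080 "AS400_AS2" 10.0.0.2
set interface ethernet3 vip 123.456.789.5 5080 "VENDOR2_P2P_App" 10.0.0.2
set policy id 10 from "Untrust" to "Trust" "Any" "VIP(123.456.789.5)" "AS400_AS2" permit
set policy id 11 from "Untrust" to "Trust" "Any" "VIP(123.456.789.5)" "VENDOR2_P2P_App" permit
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set vrouter trust-vr sharable
"""

if __name__ == "__main__":
    result = translate(SAMPLE.splitlines())
    print(render(result))
    for leftover in result["untranslated"]:
        print("! UNTRANSLATED, convert by hand:", leftover)
```

Run it against the real `get config` output and read the untranslated list first: anything there (vrouter settings, deny policies, address-book entries, VPN objects) still has to be converted by hand, and the generated ACL keeps the ScreenOS source of "Any", so tighten it to the vendor addresses where the original policies were source-restricted.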
 

Author Comment

by:RjCoats
ID: 36814739
Erniebeek, thank you sir. I am going to try this. It may take me a few days to get it in and tested.
With our vendors, I have to "schedule" a test, and sometimes it's not.

I'm not sure if I need to "accept" yet. Will it let you post if I accept the solution? I haven't had too many complicated questions such as this.
Thanks again. I do appreciate it.
Rj
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36814756
You can still post when the question is closed and points are awarded. But for now you can as well leave it open and try it first, I'll be here :)
 

Author Comment

by:RjCoats
ID: 36814952
Great Thanks.
Rj
 

Author Closing Comment

by:RjCoats
ID: 36949508
Erniebeek, thanks a bunch for the help.
I did not do this yet, as my boss brought in pro help (my request) for a one-time shot. But it looks exactly like what I was looking for. We use AT&T and their Network Based Firewall, and decided to allow the IPs for our EDI partners and remote IPs access via that NWBF.
The ASA firewall will be solely for VPN (traveling) users. We will have someone set it up, and I will maintain it from there.
Thanks for all of your time. It was not wasted, as I may want to use it in the future if there is another vendor or IP I'd rather control myself. You have really been a great help.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36951461
You're very welcome and thanks for the points :)

I never consider my time over here as wasted; there are new things to learn every day. And in this particular case it was good practice for me as well, regardless of whether you are going to use it right now or save it for a later time.

........

So in effect, I must be thanking you ;)

Mmmmm, they must set up a way to be able to award points to thank the author :))