Solved

convert netscreen ns50 commands to cisco asa-5505 commands

Posted on 2011-09-20
16
1,075 Views
Last Modified: 2012-06-27
How do I convert netscreen ns50 commands to cisco asa-5505 commands.
I have a Netscreen NS50 Version: 5.4.0r15.0 firewall/VPN,
and I want to convert it over to a Cisco ASA-5505 8.0 (4) 28.

Any help would be appreciated. Im tech enough to get in, do things, figure out commands, etc, but do not know enough, actually very little, about Cisco's terminology compared to Junipers.
Thanks very much in advance.
0
Comment
Question by:RjCoats
  • 8
  • 7
16 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36569172
Well, could you post the config? I think there experts enough here to be able to create a good converted config.
0
 
LVL 6

Expert Comment

by:RustyZ32
ID: 36569444
I don't know of any utility that could do that for you but as Erniebeek said, if you post the current config someone will probably convert it for you (if its simple enough, assuming it is since you are using an entry level device).


0
 

Author Comment

by:RjCoats
ID: 36569650
Ok, Great, thanks for the responses from both ot you.
I have a lot of IP's and user ID's etc I need to change from the public eye, I will attach a text file tomorrow morning when I get done with the changes.
I do appreciate it.
Rj
0
 

Author Comment

by:RjCoats
ID: 36569803
Thanks for the help anyone.
Rj
 NS50-Config-Experts-Exchange.txt
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36572711
I am playing around a bit with the conversion and have a question.

I see that you have two publics (123.456.789.5 and 6) mapped to one internal ip (10.0.0.2). Is there a specific reason for that?
0
 

Author Comment

by:RjCoats
ID: 36598925
sorry for a late response. I didnt catch this one.
We have diffent port routings for each. Our main one, ending in 4 is the public. The one ending in 5 is a VIP that only allows traffic to ports 10.0.0.2:4080, and 10.0.0.2:5080.
The one ending in 6 allows more ports to be accessed, but not the entire network.

Thanks, and again, sorry for taking so long, I didnt see this in my email.
Rj
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36709738
Ok,

Give me some time to play around with that. I think I'll be able to create a fairly complete 'translation'.
0
 

Author Comment

by:RjCoats
ID: 36709758
Thanks a ton erniebeek.
I'm pretty sure I was told I cant have a "VIP" on the Cisco ASA5505, but, even if I have to let them all use the same public IP, I'd like to route some incoming IP's to those certain ports.
4080 and 5080.

Thanks again.
Rj
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36709782
Multiple publics shouldn't be a problem, I just wasn't completely sure on how to read that part of the config ;)
0
 

Author Comment

by:RjCoats
ID: 36709819
Gotcha. :)
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 36814210
Here is a little something to get you started:

domain-name mydomain.com
hostname local

name 10.0.0.2 AS400_AS2_CLIENT
name 10.0.0.0 Fred_Young
name 127.444.90.0 VENDOR1_IP-A
name 127.444.192.0 VENDOR1_IP-B
name 12.34.58.98 VENDOR3
name 161.168.228.14 VENDOR2_IP_10
name 161.168.228.13 VENDOR2_P2P_7

interface Vlan1
 nameif trust
 security-level 100
 ip address 10.0.0.3 255.255.255.0
!
interface Vlan2
 shutdown
 nameif dmz
 security-level 50
 no ip address
!
interface Vlan3
 nameif untrust
 security-level 0
 ip address 123.456.789.1

interface Ethernet0/0
 switchport access vlan 3

object-group service AS400_AS2
 service-object tcp 4080
object-group service VENDOR2_P2P_App
 service-object tcp 5080
object-group service Virus_Ports
 service-object udp 69
 service-object tcp 135
 service-object tcp 1080
 service-object tcp 4444
 service-object udp 8998
object-group service 8470_Port
 service-object tcp 8470
 service-object udp 8470
object-group service 446_Port
 service-object tcp 446
 service-object udp 446
object-group service 8471_Port
 service-object tcp 8471
 service-object udp 8471
object-group service 8472_Port
 service-object tcp 8472
 service-object udp 8472
object-group service 8473_Port
 service-object tcp 8473
 service-object udp 8473
object-group service 8474_Port
 service-object tcp 8474
 service-object udp 8474
object-group service 8475_Port
 service-object tcp 8475
 service-object udp 8475
object-group service 8476_Port
 service-object tcp 8476
 service-object udp 8476
object-group service Downloader_17850
 service-object tcp 17850
 service-object udp 17850
object-group service Downloader_17851
 service-object tcp 17851
 service-object udp 17851
object-group service Downloader_17852
 service-object tcp 17852
 service-object udp 17852
object-group service Downoader_17853
 service-object tcp 17853
 service-object udp 17853
object-group service Downloader_17854
 service-object tcp 17854
 service-object udp 17854
object-group service Downloader_17855
 service-object tcp 17855
 service-object udp 17855
object-group service Downloader_17856
 service-object tcp 17856
 service-object udp 17856
object-group service 80_PORT
 service-object tcp 80
 service-object udp 80
object-group service 137_UDP
 service-object udp 137
object-group service 135_UDP-TCP
 service-object tcp 135
 service-object udp 135
object-group service 139_TCP
 service-object tcp 139
object-group service 445_TCP
 service-object tcp 445
object-group service Web_Security
 service-object tcp 8080

access-list pnat1 permit ip host 10.0.0.2 any
access-list pnat2 permit ip host 10.0.0.2 any
access-list acl_outside permit object-group VENDOR2_P2P_App any host 123.456.789.5
access-list acl_outside permit object-group AS400_AS2 any host 123.456.789.5
access-list acl_outside permit tcp any host 123.456.789.5 eq telnet
access-list acl_outside permit object-group 139_TCP any host 123.456.789.5
access-list acl_outside permit tcp any host 123.456.789.6 eq telnet
access-list acl_outside permit object-group 8470_Port any host 123.456.789.6
access-list acl_outside permit object-group 8471_Port any host 123.456.789.6
access-list acl_outside permit object-group 8472_Port any host 123.456.789.6
access-list acl_outside permit object-group 8473_Port any host 123.456.789.6
access-list acl_outside permit object-group 8474_Port any host 123.456.789.6
access-list acl_outside permit object-group 8475_Port any host 123.456.789.6
access-list acl_outside permit object-group 8476_Port any host 123.456.789.6
access-list acl_outside permit object-group Downloader_17850 any host 123.456.789.6
access-list acl_outside permit object-group Downloader_17851 any host 123.456.789.6
access-list acl_outside permit object-group Downloader_17852 any host 123.456.789.6
access-list acl_outside permit object-group 135_UDP-TCP any host 123.456.789.6
access-list acl_outside permit object-group 137_UDP any host 123.456.789.6
access-list acl_outside permit object-group 139_TCP any host 123.456.789.6
access-list acl_outside permit object-group 445_TCP any host 123.456.789.6
access-list acl_outside permit object-group 446_Port any host 123.456.789.6

ip local pool ippool 172.16.10.1-172.16.10.21 mask 255.255.255.0

static (trust,untrust) 123.456.789.5 access-list pnat1
static (trust,untrust) 123.456.789.6 access-list pnat2

logging enable
logging timestamp
logging buffered error
logging console error



global (untrust) 1 interface
nat (trust) 1 10.0.0.0 255.255.255.0


route untrust 0.0.0.0 0.0.0.0 123.456.789.2
route trust 192.168.0.0 255.255.255.0 10.0.0.4

username adminname password br549

ssh 10.0.0.9 255.255.255.255 trust
ssh timeout 30
ssh version 1

telnet 10.0.0.9 255.255.255.255 trust

http server enable
http 10.0.0.9 255.255.255.255 trust

snmp-server community mydomain.com.local

ntp server 69.222.103.98 source untrust prefer
clock timezone EST -6


No VPNs yet, but first let's see if this works for you.
0
 

Author Comment

by:RjCoats
ID: 36814739
Erniebeek, Thank you sir. I am going to try this. It may take me a few days to get it in and tested.
With our vendors, I have to "schedule" a test. and sometimes its not.

Im not sure If I need to "accept" yet. Will it let you post if I Accept solution? I havent had to many complicated questions such as this.
Thanks again. I do appreciate it.
Rj
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36814756
You can still post when the question is closed and points are awarded. But for now you can as well leave it open and try it first, I'll be here :)
0
 

Author Comment

by:RjCoats
ID: 36814952
Great Thanks.
Rj
0
 

Author Closing Comment

by:RjCoats
ID: 36949508
Erniebeek, thanks a bunch for the help.
I did not do this yet, as my boss brough in pro help (my request) for a one time shot. But It looks exactly like what I was looking for. We use AT&T, and their Network Based Firewall, and decided to allow the IP's for our EDI partners and Remote IP's access via that NWBF.
The ASA firewall will be solely VPN (traveling) users. We will have someone set it up, and I will maintain it from there.
Thanks for all of your time, It was not wasted, as I may want to use it in the future, if there is another vendor, or IP i'd rather control myself. You have really been a great help.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36951461
You're very welcome and thanks for the points :)

I never consider my time over here as wasted, there are new things to learn every day. And in this particular case it was a good practice for me as well, regardless if you are going to use it right now or save it for a later time.

........

So in effect, I must be thanking you ;)

Mmmmm, they must set up a way to be able to award points to thank the author :))
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Cisco 2702e Antenna Extension for better coverage 3 59
cisco switch stacking 6 35
cisco 2911 8 24
Cisco Any Connect Client 5 16
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now