• Status: Solved
  • Priority: Medium
  • Security: Public

Convert NetScreen NS50 commands to Cisco ASA-5505 commands

How do I convert NetScreen NS50 commands to Cisco ASA-5505 commands?
I have a NetScreen NS50, version 5.4.0r15.0, firewall/VPN,
and I want to convert it over to a Cisco ASA-5505 running 8.0(4)28.

Any help would be appreciated. I'm tech enough to get in, do things, figure out commands, etc., but I do not know enough, actually very little, about Cisco's terminology compared to Juniper's.
Thanks very much in advance.
Asked by: RjCoats
1 Solution
 
Ernie Beek (Expert) commented:
Well, could you post the config? I think there are enough experts here to be able to create a good converted config.
0
 
RustyZ32 commented:
I don't know of any utility that could do that for you, but as Erniebeek said, if you post the current config someone will probably convert it for you (if it's simple enough, which I assume it is since you are using an entry-level device).
0
 
RjCoats (Computer Programmer/Technician, Author) commented:
Ok, great, thanks for the responses from both of you.
I have a lot of IPs and user IDs etc. I need to change from the public eye. I will attach a text file tomorrow morning when I get done with the changes.
I do appreciate it.
Rj
0
 
RjCoats (Computer Programmer/Technician, Author) commented:
Thanks for the help, anyone.
Rj
[Attachment: NS50-Config-Experts-Exchange.txt]
0
 
Ernie Beek (Expert) commented:
I am playing around a bit with the conversion and have a question.

I see that you have two publics (123.456.789.5 and .6) mapped to one internal IP (10.0.0.2). Is there a specific reason for that?
0
 
RjCoats (Computer Programmer/Technician, Author) commented:
Sorry for the late response. I didn't catch this one.
We have different port routings for each. Our main one, ending in 4, is the public. The one ending in 5 is a VIP that only allows traffic to ports 10.0.0.2:4080 and 10.0.0.2:5080.
The one ending in 6 allows more ports to be accessed, but not the entire network.

Thanks, and again, sorry for taking so long. I didn't see this in my email.
Rj
0
 
Ernie Beek (Expert) commented:
Ok,

Give me some time to play around with that. I think I'll be able to create a fairly complete 'translation'.
0
 
RjCoats (Computer Programmer/Technician, Author) commented:
Thanks a ton, Erniebeek.
I'm pretty sure I was told I can't have a "VIP" on the Cisco ASA5505, but even if I have to let them all use the same public IP, I'd like to route some incoming IPs to those certain ports,
4080 and 5080.

Thanks again.
Rj
0
 
Ernie Beek (Expert) commented:
Multiple publics shouldn't be a problem, I just wasn't completely sure on how to read that part of the config ;)
0
 
RjCoats (Computer Programmer/Technician, Author) commented:
Gotcha. :)
0
 
Ernie Beek (Expert) commented:
Here is a little something to get you started:

domain-name mydomain.com
hostname local

name 10.0.0.2 AS400_AS2_CLIENT
name 10.0.0.0 Fred_Young
name 127.444.90.0 VENDOR1_IP-A
name 127.444.192.0 VENDOR1_IP-B
name 12.34.58.98 VENDOR3
name 161.168.228.14 VENDOR2_IP_10
name 161.168.228.13 VENDOR2_P2P_7

interface Vlan1
 nameif trust
 security-level 100
 ip address 10.0.0.3 255.255.255.0
!
interface Vlan2
 shutdown
 nameif dmz
 security-level 50
 no ip address
!
interface Vlan3
 nameif untrust
 security-level 0
 ip address 123.456.789.1

interface Ethernet0/0
 switchport access vlan 3

object-group service AS400_AS2
 service-object tcp eq 4080
object-group service VENDOR2_P2P_App
 service-object tcp eq 5080
object-group service Virus_Ports
 service-object udp eq 69
 service-object tcp eq 135
 service-object tcp eq 1080
 service-object tcp eq 4444
 service-object udp eq 8998
object-group service 8470_Port
 service-object tcp eq 8470
 service-object udp eq 8470
object-group service 446_Port
 service-object tcp eq 446
 service-object udp eq 446
object-group service 8471_Port
 service-object tcp eq 8471
 service-object udp eq 8471
object-group service 8472_Port
 service-object tcp eq 8472
 service-object udp eq 8472
object-group service 8473_Port
 service-object tcp eq 8473
 service-object udp eq 8473
object-group service 8474_Port
 service-object tcp eq 8474
 service-object udp eq 8474
object-group service 8475_Port
 service-object tcp eq 8475
 service-object udp eq 8475
object-group service 8476_Port
 service-object tcp eq 8476
 service-object udp eq 8476
object-group service Downloader_17850
 service-object tcp eq 17850
 service-object udp eq 17850
object-group service Downloader_17851
 service-object tcp eq 17851
 service-object udp eq 17851
object-group service Downloader_17852
 service-object tcp eq 17852
 service-object udp eq 17852
object-group service Downloader_17853
 service-object tcp eq 17853
 service-object udp eq 17853
object-group service Downloader_17854
 service-object tcp eq 17854
 service-object udp eq 17854
object-group service Downloader_17855
 service-object tcp eq 17855
 service-object udp eq 17855
object-group service Downloader_17856
 service-object tcp eq 17856
 service-object udp eq 17856
object-group service 80_PORT
 service-object tcp eq 80
 service-object udp eq 80
object-group service 137_UDP
 service-object udp eq 137
object-group service 135_UDP-TCP
 service-object tcp eq 135
 service-object udp eq 135
object-group service 139_TCP
 service-object tcp eq 139
object-group service 445_TCP
 service-object tcp eq 445
object-group service Web_Security
 service-object tcp eq 8080

! Pre-8.3 ASA: inbound ACL entries match the translated (public) address
access-list acl_outside extended permit object-group VENDOR2_P2P_App any host 123.456.789.5
access-list acl_outside extended permit object-group AS400_AS2 any host 123.456.789.5
access-list acl_outside extended permit tcp any host 123.456.789.5 eq telnet
access-list acl_outside extended permit object-group 139_TCP any host 123.456.789.5
access-list acl_outside extended permit tcp any host 123.456.789.6 eq telnet
access-list acl_outside extended permit object-group 8470_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8471_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8472_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8473_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8474_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8475_Port any host 123.456.789.6
access-list acl_outside extended permit object-group 8476_Port any host 123.456.789.6
access-list acl_outside extended permit object-group Downloader_17850 any host 123.456.789.6
access-list acl_outside extended permit object-group Downloader_17851 any host 123.456.789.6
access-list acl_outside extended permit object-group Downloader_17852 any host 123.456.789.6
access-list acl_outside extended permit object-group 135_UDP-TCP any host 123.456.789.6
access-list acl_outside extended permit object-group 137_UDP any host 123.456.789.6
access-list acl_outside extended permit object-group 139_TCP any host 123.456.789.6
access-list acl_outside extended permit object-group 445_TCP any host 123.456.789.6
access-list acl_outside extended permit object-group 446_Port any host 123.456.789.6
! Without this the ACL is never consulted and nothing inbound is permitted
access-group acl_outside in interface untrust

ip local pool ippool 172.16.10.1-172.16.10.21 mask 255.255.255.0

! .5 is the NetScreen VIP: static PAT, one line per forwarded port (the ASA equivalent of a VIP).
! Two policy statics with identical access-lists for the same real host conflict, so the
! per-port form is used instead; list the port-specific statics before the one-to-one static.
static (trust,untrust) tcp 123.456.789.5 4080 10.0.0.2 4080 netmask 255.255.255.255
static (trust,untrust) tcp 123.456.789.5 5080 10.0.0.2 5080 netmask 255.255.255.255
static (trust,untrust) tcp 123.456.789.5 23 10.0.0.2 23 netmask 255.255.255.255
static (trust,untrust) tcp 123.456.789.5 139 10.0.0.2 139 netmask 255.255.255.255
! .6 is the NetScreen MIP: one-to-one static; acl_outside limits which ports reach it
static (trust,untrust) 123.456.789.6 10.0.0.2 netmask 255.255.255.255

logging enable
logging timestamp
logging buffered error
logging console error



global (untrust) 1 interface
nat (trust) 1 10.0.0.0 255.255.255.0


route untrust 0.0.0.0 0.0.0.0 123.456.789.2
route trust 192.168.0.0 255.255.255.0 10.0.0.4

username adminname password br549

ssh 10.0.0.9 255.255.255.255 trust
ssh timeout 30
ssh version 2

telnet 10.0.0.9 255.255.255.255 trust

http server enable
http 10.0.0.9 255.255.255.255 trust

snmp-server community mydomain.com.local

ntp server 69.222.103.98 source untrust prefer
clock timezone EST -6


No VPNs yet, but first let's see if this works for you.
0
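As an added example (not code from the original post, and not an existing tool; RustyZ32 is right that none is known), here is a small Python translator for exactly the part of a ScreenOS 5.4 configuration this thread is about: custom services, MIP and VIP entries on the untrust interface, and the policies that reference them, rendered as ASA 8.0 static and access-list commands in the pre-8.3 NAT model, where inbound ACLs match the translated (public) address. The sample configuration is constructed, uses the documentation range 203.0.113.0/24 in place of the thread's obfuscated 123.456.789.x addresses, and the names parse_screenos, real_zone_for and translate are the example's own. It deliberately includes a VIP whose public port (15080) differs from the service's real port (5080), because in that case the ASA ACL has to permit the public port while the static PAT line carries both.

```python
"""Translate a small subset of ScreenOS 5.4 configuration (custom services, interface
zones, MIPs, VIPs and inter-zone permit policies) into Cisco ASA 8.0 commands using
the pre-8.3 NAT model, where ACLs match the translated (public) address.

Added example for this thread, not code from the original post; a hypothetical tool.
"""
import shlex

# ScreenOS predefined services this translator knows: (ASA protocol, low port, high port).
BUILTIN_SERVICES = {"ANY": ("ip", None, None), "TELNET": ("tcp", 23, 23),
                    "HTTP": ("tcp", 80, 80), "HTTPS": ("tcp", 443, 443)}

# Constructed sample in ScreenOS syntax; 203.0.113.0/24 is a documentation range standing
# in for the thread's 123.456.789.x placeholders. The second VIP deliberately uses a
# public port (15080) that differs from the service's real port (5080).
SAMPLE_SCREENOS = """
set service "AS400_AS2" protocol tcp src-port 0-65535 dst-port 4080-4080
set service "VENDOR2_P2P_App" protocol tcp src-port 0-65535 dst-port 5080-5080
set interface "ethernet1" zone "Trust"
set interface "ethernet3" zone "Untrust"
set interface "ethernet3" mip 203.0.113.6 host 10.0.0.2 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet3" vip 203.0.113.5 4080 "AS400_AS2" 10.0.0.2
set interface "ethernet3" vip 203.0.113.5 15080 "VENDOR2_P2P_App" 10.0.0.2
set policy id 1 from "Untrust" to "Trust" "Any" "VIP(203.0.113.5)" "AS400_AS2" permit
set policy id 2 from "Untrust" to "Trust" "Any" "VIP(203.0.113.5)" "VENDOR2_P2P_App" permit
set policy id 3 from "Untrust" to "Trust" "Any" "MIP(203.0.113.6)" "TELNET" permit
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
"""


def parse_screenos(text):
    """Collect services, zones, MIPs, VIPs and policies from 'set ...' lines; ignore the rest."""
    cfg = {"services": dict(BUILTIN_SERVICES), "zones": {}, "mips": [], "vips": [], "policies": []}
    for raw in text.splitlines():
        tok = shlex.split(raw)  # strips the ScreenOS double quotes around names
        if len(tok) < 5 or tok[0] != "set":
            continue
        if tok[1] == "service" and "dst-port" in tok:
            lo, hi = tok[tok.index("dst-port") + 1].split("-")
            cfg["services"][tok[2]] = (tok[tok.index("protocol") + 1], int(lo), int(hi))
        elif tok[1] == "interface" and tok[3] == "zone":
            cfg["zones"][tok[2]] = tok[4].lower()  # ScreenOS zone name becomes the ASA nameif
        elif tok[1] == "interface" and tok[3] == "mip":
            cfg["mips"].append({"if": tok[2], "public": tok[4], "host": tok[6], "mask": tok[8]})
        elif tok[1] == "interface" and tok[3] == "vip":
            cfg["vips"].append({"if": tok[2], "public": tok[4], "port": int(tok[5]),
                                "service": tok[6], "host": tok[7]})
        elif tok[1] == "policy" and "from" in tok:
            i = tok.index("from")
            cfg["policies"].append({"from": tok[i + 1].lower(), "to": tok[i + 3].lower(),
                                    "src": tok[i + 4], "dst": tok[i + 5],
                                    "service": tok[i + 6], "action": tok[i + 7]})
    return cfg


def real_zone_for(cfg, public_ip):
    """Real side of a static is the 'to' zone of a policy naming the MIP/VIP; assume trust otherwise."""
    for p in cfg["policies"]:
        if p["dst"].endswith("(%s)" % public_ip):
            return p["to"]
    return "trust"


def translate(text):
    """Return ASA 8.0 command lines for the NAT and inbound-ACL part of the ScreenOS config."""
    cfg = parse_screenos(text)
    out, vip_ports, acls = [], {}, set()
    for m in cfg["mips"]:  # MIP -> one-to-one static
        out.append("static (%s,%s) %s %s netmask %s" % (real_zone_for(cfg, m["public"]),
                   cfg["zones"][m["if"]], m["public"], m["host"], m["mask"]))
    for v in cfg["vips"]:  # VIP -> static PAT; the public port may differ from the real port
        proto, lo, hi = cfg["services"][v["service"]]
        if lo != hi:
            raise ValueError("VIP %s:%d maps a port range; define one VIP per port" % (v["public"], v["port"]))
        vip_ports[(v["public"], v["service"])] = v["port"]
        out.append("static (%s,%s) %s %s %d %s %d netmask 255.255.255.255" % (
            real_zone_for(cfg, v["public"]), cfg["zones"][v["if"]], proto, v["public"], v["port"], v["host"], lo))
    for p in cfg["policies"]:  # inter-zone permits -> extended ACEs applied on the 'from' interface
        if p["action"] != "permit" or p["from"] == p["to"]:
            continue
        if p["src"] != "Any" or not (p["dst"] == "Any" or p["dst"].startswith(("MIP(", "VIP("))):
            raise ValueError("address-book objects are not supported: %r -> %r" % (p["src"], p["dst"]))
        dst = "any" if p["dst"] == "Any" else "host " + p["dst"][4:-1]
        proto, lo, hi = cfg["services"][p["service"]]
        public_port = vip_ports.get((p["dst"][4:-1], p["service"]))  # pre-8.3: ACL uses the VIP's public port
        if proto == "ip":
            ports = ""
        elif public_port is not None:
            ports = " eq %d" % public_port
        else:
            ports = " eq %d" % lo if lo == hi else " range %d %d" % (lo, hi)
        acls.add(p["from"])
        out.append("access-list acl_%s extended permit %s any %s%s" % (p["from"], proto, dst, ports))
    for zone in sorted(acls):
        out.append("access-group acl_%s in interface %s" % (zone, zone))
    return out


if __name__ == "__main__":
    print("\n".join(translate(SAMPLE_SCREENOS)))
```

Anything outside this subset (address-book objects, port-range VIPs) raises rather than guessing, and deny or intra-zone policies are skipped. The output only applies to the 8.0(4) image in the question: the 8.3 release moved NAT to object network / nat (real,mapped) static commands and made ACLs match real addresses, so the same ScreenOS input needs a different back end there.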
 
RjCoats (Computer Programmer/Technician, Author) commented:
Erniebeek, thank you, sir. I am going to try this. It may take me a few days to get it in and tested.
With our vendors, I have to "schedule" a test, and sometimes it's not.

I'm not sure if I need to "accept" yet. Will it let you post if I accept the solution? I haven't had too many complicated questions such as this.
Thanks again. I do appreciate it.
Rj
0
 
Ernie Beek (Expert) commented:
You can still post when the question is closed and points are awarded. But for now you can just as well leave it open and try it first, I'll be here :)
0
 
RjCoats (Computer Programmer/Technician, Author) commented:
Great Thanks.
Rj
0
 
RjCoats (Computer Programmer/Technician, Author) commented:
Erniebeek, thanks a bunch for the help.
I did not do this yet, as my boss brought in pro help (my request) for a one-time shot. But it looks exactly like what I was looking for. We use AT&T and their Network Based Firewall, and decided to allow the IPs for our EDI partners and remote IPs access via that NWBF.
The ASA firewall will be solely VPN (traveling) users. We will have someone set it up, and I will maintain it from there.
Thanks for all of your time, It was not wasted, as I may want to use it in the future, if there is another vendor, or IP i'd rather control myself. You have really been a great help.
0
 
Ernie Beek (Expert) commented:
You're very welcome and thanks for the points :)

I never consider my time over here as wasted; there are new things to learn every day. And in this particular case it was good practice for me as well, regardless of whether you are going to use it right now or save it for a later time.

........

So in effect, I must be thanking you ;)

Mmmmm, they must set up a way to be able to award points to thank the author :))
0
Question has a verified solution.