Hi Jon,

On 28/07/2011, at 1:15 PM, Paulhamus, Jon wrote:

> Hello all -
> 
> I am in the process of replacing an aging Cisco ASA-5540 with an SRX-650.  
> The ASA has a large number of static NAT translations, as well as many 
> outbound source NAT pools.  Does anyone have any suggestions on creating 
> templates for at least the statics that I need to recreate on this box?

I've been doing these for a couple of years and it is a pretty painful process.

Firstly, if you're using address object names on your ASA, you'll need to convert 
them back to IP addresses in the configurations - Junos doesn't support address 
names in NAT configuration.

Secondly, the ASA config:

static (dmz,out) 203.1.1.140 10.10.10.140

(which IMHO is completely ass-backwards) will end up looking like:

set security nat static rule-set STATIC-OUT from zone out
set security nat static rule-set STATIC-OUT rule Rule1 match destination-address 203.1.1.140/32
set security nat static rule-set STATIC-OUT rule Rule1 then static-nat prefix 172.16.16.140/32

on the SRX.  The SRX also doesn't implicitly enable proxy ARP for the static 
NAT address either, so you'll need something like:

set security nat proxy-arp interface ge-0/0/0.0 address 203.1.1.140/32

on your "out" zone interface.  You'll then also need security policies defined 
(as you would have ACLs in the ASA).

Your bible will be SRX Series and J Series Network Address Translation:
http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

Good luck!
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
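
One way to template the conversion described in the reply above, as an added example that is not part of the original message or any Juniper tooling. It assumes pre-8.3 ASA "static (real_if,mapped_if) mapped_ip real_ip [netmask mask]" lines, SRX zone names equal to the ASA interface names, and a caller-supplied map (hypothetical name arp_interfaces) from mapped interface to the SRX interface that should proxy ARP.

```python
import ipaddress
import re

# ASA pre-8.3 form: static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static \((\w[\w-]*),(\w[\w-]*)\) (\S+) (\S+)(?: netmask (\S+))?\s*$")

def convert_statics(asa_lines, arp_interfaces):
    """Return (junos_set_commands, skipped_lines) for ASA static NAT lines.
    arp_interfaces: ASA mapped-interface name -> SRX interface answering ARP
    (an assumption of this example, as is zone name == ASA interface name)."""
    commands, skipped, counters = [], [], {}
    for line in asa_lines:
        line = line.strip()
        m = STATIC_RE.match(line)
        if not m:
            if line.startswith("static "):
                skipped.append(line)  # e.g. port statics: convert by hand
            continue
        _real_if, mapped_if, mapped, real, mask = m.groups()
        mask = mask or "255.255.255.255"
        try:
            mapped_net = ipaddress.ip_network(f"{mapped}/{mask}")
            real_net = ipaddress.ip_network(f"{real}/{mask}")
        except ValueError:
            skipped.append(line)  # object name or bad prefix: resolve to IPs first
            continue
        n = counters[mapped_if] = counters.get(mapped_if, 0) + 1
        base = f"set security nat static rule-set STATIC-{mapped_if.upper()}"
        if n == 1:
            commands.append(f"{base} from zone {mapped_if}")
        commands.append(f"{base} rule Rule{n} match destination-address {mapped_net}")
        commands.append(f"{base} rule Rule{n} then static-nat prefix {real_net}")
        if mapped_if in arp_interfaces:  # the SRX does not proxy ARP implicitly
            commands.append("set security nat proxy-arp interface "
                            f"{arp_interfaces[mapped_if]} address {mapped_net}")
    return commands, skipped

# Constructed sample input; the first line is the ASA static from the message.
SAMPLE = """static (dmz,out) 203.1.1.140 10.10.10.140
static (dmz,out) WEB-PUBLIC WEB-REAL netmask 255.255.255.255
static (dmz,out) tcp 203.1.1.141 www 10.10.10.141 www
"""

if __name__ == "__main__":
    cmds, skipped = convert_statics(SAMPLE.splitlines(), {"out": "ge-0/0/0.0"})
    print("\n".join(cmds))
    print("# convert by hand:", *skipped, sep="\n#   ")
```

Lines that still use object names, and port statics, come back in the skipped list rather than being guessed at. Security policies for the translated hosts still have to be written separately.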