Thanks everyone - it looks like I'm on the same page. Perhaps I was looking for a conversion tool or perhaps a bit of magic that is just not there (which is OK) - I ended up using a combination of Excel and some find / replace to get the job done. All in all - it was not too bad to make the switch.
Thank you again for your input.

_____________________________________
From: Kevin Cullimore [kcull...@runbox.com]
Sent: Saturday, July 30, 2011 3:16 PM
To: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Converting ASA-5540 to SRX-650

On 7/29/2011 2:37 AM, Ben Dale wrote:
> Hi Jon,
>
> On 28/07/2011, at 1:15 PM, Paulhamus, Jon wrote:
>
>> Hello all -
>>
>> I am in the process of replacing an aging Cisco ASA-5540 with an SRX-650.
>> The ASA has a large number of static NAT translations, as well as many
>> outbound source NAT pools. Does anyone have any suggestions on creating
>> templates for at least the statics that I need to recreate on this box?

Since you're manipulating one text-based configuration to resemble a different vendor's style of text-based configuration, Perl might be your best bet. If you have scripting allergies, in the past I've leveraged the high degree of repetition associated with the command arguments and created Excel templates wherein all you needed to do was plug in the relevant IP addresses.

> I've been doing these for a couple of years and it is a pretty painful
> process.
>
> Firstly, if you're using address object names on your ASA, you'll need
> to convert them back to IP addresses in the configurations - Junos doesn't
> support address names in NAT configuration.
>
> Secondly, the ASA config:
>
> static (dmz,out) 203.1.1.140 10.10.10.140
>
> (which IMHO is completely ass-backwards) will end up looking like:

No need to associate humility with that particular opinion. It IS ass-backwards. It makes about as much sense as referring to one of the subcomponents of your natting scheme as a "nat" or assuming that people will sound out the component letters of your product name ("P-I-X") instead of pronouncing it like the word it appears to be ("PIX").

> set security nat static rule-set STATIC-OUT from zone out
> set security nat static rule-set STATIC-OUT rule Rule1 match destination-address 203.1.1.140/32
> set security nat static rule-set STATIC-OUT rule Rule1 then static-nat prefix 172.16.16.140/32
>
> on the SRX. The SRX also doesn't implicitly enable proxy ARP for the static
> NAT address either, so you'll need something like:
>
> set security nat static proxy-arp interface ge-0/0/0.0 address 203.1.1.140/32
>
> on your "out" zone interface. You'll then also need security policies
> defined (as you would have ACLs in the ASA).
>
> Your bible will be SRX Series and J Series Network Address Translation:
> http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf
>
> Good luck!
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
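The ASA-to-Junos static NAT conversion Ben describes, written up as a small script. This is an added example, not code from the thread or from Juniper, and it is in Python rather than the Perl Kevin suggests. It assumes the ASA mapped interface name is the SRX "from" zone, that proxy ARP goes on ge-0/0/0.0, and its own rule-set and rule names; the real address is taken from the ASA line, object-name statics are reported rather than translated (they need resolving to IPs first), and the sample ASA lines beyond the one quoted above are constructed.

```python
import re
from ipaddress import ip_network

# Constructed sample: the first line is the ASA static quoted in the thread, the
# rest are made-up (netmask form, a subnet static, and an object-name static).
ASA_CONFIG = """\
static (dmz,out) 203.1.1.140 10.10.10.140
static (dmz,out) 203.1.1.141 10.10.10.141 netmask 255.255.255.255
static (inside,out) 203.1.2.0 10.20.0.0 netmask 255.255.255.0
static (dmz,out) WEB-PUBLIC WEB-INTERNAL
"""

# ASA form: static (real_if,mapped_if) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+"
    r"(?P<mapped>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<real>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+netmask\s+(?P<mask>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)

def parse_asa_static(line):
    """Return (mapped_if, mapped_network, real_network), or None when the line
    is not a translatable static (e.g. it uses address object names)."""
    m = STATIC_RE.match(line.strip())
    if not m:
        return None
    mask = m.group("mask") or "255.255.255.255"  # ASA default: host static
    return (m.group("mapped_if"),
            ip_network(f"{m.group('mapped')}/{mask}"),
            ip_network(f"{m.group('real')}/{mask}"))

def asa_to_junos(text, proxy_arp_if="ge-0/0/0.0"):
    """Emit Junos 'set' lines for each ASA static; returns (commands, skipped).
    One rule-set per mapped interface (zone); a proxy-arp line per mapped
    address, since the SRX does not enable it implicitly. Security policies
    are not generated and still have to be written separately."""
    cmds, skipped, rule_no = [], [], 0
    for line in text.splitlines():
        if not line.startswith("static "):
            continue
        parsed = parse_asa_static(line)
        if parsed is None:
            skipped.append(line)  # object names: resolve them to IPs first
            continue
        zone, mapped, real = parsed
        rs = f"STATIC-{zone.upper()}"
        head = f"set security nat static rule-set {rs} from zone {zone}"
        if head not in cmds:
            cmds.append(head)
        rule_no += 1
        rule = f"set security nat static rule-set {rs} rule Rule{rule_no}"
        cmds.append(f"{rule} match destination-address {mapped}")
        cmds.append(f"{rule} then static-nat prefix {real}")
        cmds.append(f"set security nat static proxy-arp interface {proxy_arp_if} address {mapped}")
    return cmds, skipped

if __name__ == "__main__":
    commands, unresolved = asa_to_junos(ASA_CONFIG)
    print("\n".join(commands))
    print("# not translated (object names):", unresolved)
```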