Switch to a Juniper firewall

Hi,
We have a 3750 as a core switch with critical Oracle servers (production and development) connected to it. The goal is to have these servers behind a firewall, which is to be done by logically routing the traffic towards the device.
Now we need to connect the 3750 to two Juniper SRX firewalls physically. The Oracle server VLAN will be removed from the 3750 and the same layer 3 VLAN will be created on the Juniper firewall. How do I connect the 3750 to the two Junipers?
What configurations will be involved, on a logical basis? I understand this is a Cisco forum, but any logical ideas will be helpful.
Thanks.

Bleh, Juniper, lol. Anyway, I'm assuming you already have the firewalls connected to the 3750. So in that case, why remove the Oracle server VLAN from the 3750 and add it to the Juniper?
Leave it on the core, add an interface on the Juniper firewall for that VLAN, connect that interface to the same VLAN on the 3750, and make the firewall interface IP the default gateway on your Oracle servers.
Note: I would first test this scenario out: pick a completely separate IP scheme, set up a VLAN on the 3750, then set up the interface on the firewall, connect it to the switch, and have a test server or computer connect to the same VLAN on the switch with the firewall interface as its gateway.
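One way to lay out what the reply suggests, as an added example that is not from the original thread or from either vendor's documentation: the Oracle VLAN stays on the 3750 at layer 2 only, the two SRXs (assumed to run as a chassis cluster) hold the gateway IP on a redundant Ethernet interface, and a policy admits only the listener port into the server zone. VLAN 20, the 10.10.20.0/24 subnet, the interface names, the node 1 slot numbering, the existing `users` zone and TCP port 1521 are all assumptions to adapt.

```text
! ---- Cisco 3750 (IOS) ----
! The Oracle VLAN stays on the core at layer 2 only. Removing the SVI means the
! 3750 can no longer route for this subnet, so nothing bypasses the firewall and
! return traffic cannot take an asymmetric path (assumed VLAN 20, 10.10.20.0/24).
vlan 20
 name ORACLE-SERVERS
!
no interface Vlan20
!
interface GigabitEthernet1/0/10
 description Oracle DB server (default gateway set to 10.10.20.1)
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface GigabitEthernet1/0/23
 description to SRX node0 ge-0/0/2 (reth0 member)
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/24
 description to SRX node1 ge-5/0/2 (reth0 member; node1 slot offset is platform-specific)
 switchport mode access
 switchport access vlan 20

# ---- Juniper SRX chassis cluster (Junos, set-style) ----
# Both firewalls share one redundant Ethernet interface; only the active node
# answers for the gateway IP, so the servers always see a single next hop.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-5/0/2 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.10.20.1/24
# The server gateway lives in its own zone; ping to the interface is allowed for testing.
set security zones security-zone oracle interfaces reth0.0 host-inbound-traffic system-services ping
# Only the Oracle listener (assumed default port 1521) from the assumed "users" zone is admitted.
set applications application oracle-listener protocol tcp destination-port 1521
set security policies from-zone users to-zone oracle policy users-to-oracle match source-address any
set security policies from-zone users to-zone oracle policy users-to-oracle match destination-address any
set security policies from-zone users to-zone oracle policy users-to-oracle match application oracle-listener
set security policies from-zone users to-zone oracle policy users-to-oracle then permit
set security policies from-zone users to-zone oracle policy users-to-oracle then log session-close
# Everything else toward the servers is dropped AND logged; the implicit default deny is silent,
# which makes the cutover hard to troubleshoot.
set security policies from-zone users to-zone oracle policy deny-rest match source-address any
set security policies from-zone users to-zone oracle policy deny-rest match destination-address any
set security policies from-zone users to-zone oracle policy deny-rest match application any
set security policies from-zone users to-zone oracle policy deny-rest then deny
set security policies from-zone users to-zone oracle policy deny-rest then log session-init
```

As the reply recommends, try this first with a throwaway VLAN and address range before moving the production subnet; the explicit deny-and-log policy is what shows in the SRX log which server traffic the new firewall is blocking.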

Similar Messages

  • Dataguard Configuration under Juniper Firewall

    Dear Friends ,
    We are using Oracle Database 11g with Oracle Enterprise Linux 5.8, with Active Data Guard in this system. Recently we deployed a firewall on both the PRIMARY and STANDBY ends; we are using a Juniper firewall device. After deployment of the Juniper firewall on the STANDBY end, we observe that Data Guard replication is not performed; I mean the logs of the PRIMARY server are not transmitted to the STANDBY end.
    Is there any recommendation for using a firewall device with Data Guard?
    How can I resolve this Data Guard replication problem under the firewall?

    The firewall is simply placed on top of the STANDBY database. Nothing is configured in the firewall; I mean all ports are open and no rules are applied yet.
    Before the firewall, redo was transmitted successfully, but after placing the firewall it is not working.
    It means you agree the firewall is blocking the transmission, and it also means that ports are blocked.
    On top of what has been said:
    Check the connectivity to the standby from the primary as SYSDBA.
    Check the primary database and standby database alert logs.
    Pradeep

  • Unable to open only particular website from office which is site to site VPN site with juniper firewall

    All,
    When I tried to open a website I got "request timed out" after a few minutes. I have done a Wireshark capture but am unable to identify the problem; in particular the URL /timetracking/home.asp is not working. Can you help out here? Please find the attached capture from source to destination and vice versa.
    Thanks in advance.

    Yes, I tried that. It did not work for me.
    I have 4 site collections. The main site collection is the only one on which I receive the error.
    When the user clicks on the email link and opens the document for approval, they receive the following error when they click on "Open This Task":
    Element '{http://www.w3.org/1999/xhtml}a is unexpected according to content model of
    parent element '{http://schemas.microsoft.com/office/infopath/2009/WSSList/dataFields}Body'.
    There is nothing wrong with the task list itself, just the link from the Office 2010 client.
    I am wondering if there is a web.config or other file on the server that is specific to the site collection?
    Tracey

  • LAN and Wireless Not communicate

    Dear support,
    I have a Cisco router and a Juniper firewall, which allow me to connect to the internet.
    Internally, after the firewall, I connect it to switches and a wireless AP.
    Both the switch and the wireless AP must be able to talk to each other when a user PC connects to the LAN via the switch or to Wi-Fi via the wireless AP.
    My switch is a Cisco 2960, and the AP is an AP1142N.
    I have an application on an iPhone, an app called Media Remote; this feature enables me to remote control my music device.
    The iPhone connects using Wi-Fi.
    The music device connects using the switch.
    Cisco router ------ Juniper firewall ------ Catalyst 2960 ----------- AP1142N . . . . IPhone
                                                                           |
                                                                           |
                                                                           |
                                                                     Music device
    In the above scenario, my iPhone is not able to detect the music device.
    Cisco router ------ Juniper firewall ------ Catalyst 2960 ---------Hub ----------- AP1142N . . . . IPhone
                                                                                                         |
                                                                                                         |
                                                                                                         |
                                                                                                   Music device
    I don't understand why, if I use any brand of hub (for example 3Com, Belkin, Buffalo, etc.) purely as a hub, just connected to my Cisco switch, both the music device and the AP1142N are able to talk (the iPhone is able to find my music device).
    If I replace the hub with a Cisco switch and use it with the default settings, it is not able to detect it.
    The connection to the hub uses an access port, as we only have one VLAN.
    My configuration is below for my switch and wireless AP.
    I wonder why only a normal hub enables these two devices to communicate, but the Cisco switch does not.
    Thanks

    Thanks a lot.
    I already enabled IGMP on the switch.
    When I show igmp snooping on the switch:
    Vlan4:
    IGMP snooping                  : Enabled
    IGMPv2 immediate leave         : Disabled
    Multicast router learning mode : pim-dvmrp
    CGMP interoperability mode     : IGMP-ONLY
    Robustness variable            : 2
    Last member query about        : 2
    Last member query internal     : 1000
    Both VLAN 1 and VLAN 4 are the same.
    I already tried enabling IGMP on the firewall side as well (Juniper SSG140),
    but it still does not work. Can anyone help?

  • Firewall reverse routing issue:

    Dear Friends,
    I am using an ASA 5505 with a base license and the ISP connected directly to the firewall, while the L3 switch is also connected through the firewall.
    My configuration is:
    ASA Version 7.2(4)
    hostname CiscoFirewall03316
    domain-name default.domain.invalid
    enable password Ko5SCsPM2YQ1wt2G encrypted
    passwd Ko5SCsPM2YQ1wt2G encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.192.32.11 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 112.23.24.25 255.255.255.248
    interface Vlan10
    no nameif
    security-level 90
    ip address 192.168.0.3 255.255.240.0
    interface Vlan50
    no nameif
    security-level 80
    ip address 10.195.32.15 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    switchport access vlan 10
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 50
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone IST 5 30
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 121.242.190.181
    name-server 121.242.190.210
    domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list in_out extended permit ip any any
    access-list out_in extended permit ip any any
    access-list out_in extended permit ip any 112.23.24.25 255.255.255.248
    access-list cisco_splitTunnelAcl standard permit 0.0.0.0 255.255.255.0
    access-list cisco_splitTunnelAcl_1 standard permit any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ciscouser 10.10.10.240-10.10.10.249 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    icmp permit any outside
    asdm image disk0:/asdm-523.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group in_out in interface inside
    access-group out_in in interface outside
    route inside 192.168.0.0 255.255.240.0 192.168.0.2 1
    route outside 0.0.0.0 0.0.0.0 112.23.24.25 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable
    http 10.192.32.0 255.255.255.0 inside
    http 112.23.24.0 255.255.255.248 outside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_DES_SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    client-update enable
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    telnet 10.192.32.0 255.255.255.0 inside
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 112.23.24.0 255.255.255.0 outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server none
    vpn-tunnel-protocol l2tp-ipsec
    group-policy cisco internal
    group-policy cisco attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value cisco_splitTunnelAcl_1
    username test password tFqxsrS5ErBk4STW encrypted privilege 0
    username test attributes
    vpn-group-policy cisco
    username admin password V5OS2TRb/vQZ7oZ9 encrypted
    username ciscouser password 6aU35/UOvPoumpKWCFYSig== nt-encrypted privilege 0
    username ciscouser attributes
    vpn-group-policy DefaultRAGroup
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup general-attributes
    address-pool ciscouser
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    policy-map type inspect im Google
    parameters
    match protocol msn-im yahoo-im
      drop-connection log
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a883391680fa205ee31f05881761958c
    : end
    Everything is running fine on VLAN 1, but VLAN 10 is not working from the user end; there is no ping from inside to 192.168.0.2.
    Please advise me. Thanks

    There are 2 conflicting configurations:
    interface Vlan10
    no nameif
    security-level 90
    ip address 192.168.0.3 255.255.240.0
    and "route inside 192.168.0.0 255.255.240.0 192.168.0.2 1"
    How do you want to connect VLAN 10? Is it on its own interface on the firewall? If it is, then you would need to configure a name for it via the nameif command and remove the above route inside.
    If it is going to be a routed subnet via the inside interface, then the above route needs to be modified as follows:
    route inside 192.168.0.0 255.255.240.0 10.192.32.x
    --> 10.192.32.x needs to be the next hop, which is your L3 switch VLAN 1 interface IP,
    and you would also need to shut down interface Vlan10 on the ASA and remove the IP address.

  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPsec tunnels to reach other branches.
    I have a 2911 (security bundle) router and a 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to set up separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be set up with SVIs to perform routing between VLANs. The port between the router and switch would be set up as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router, my plan was to set up IOS firewalling on the router. From what I am reading, ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering, I would have to group all of my internal network into one zone, or I would have to scrap L3 switching altogether and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree; since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and set up PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3.
    3. The reason a router was purchased over a firewall was that ASAs cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be set up in an active/standby state. Also, an ASA Sec+ does not have nearly the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPsec connections, while the 2911 security is capable of doing upwards of 200 IPsec connections.
    Your point about moving the SVIs to a firewall to perform filtering between VLANs makes sense; however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.

  • Edge Inspect works great except localhost pages being blocked by firewall

    Hi,
    I switched the Windows 7 firewall off and the localhost pages showed up in the Edge Inspect app on the iPhone 4, so then I tried to reconfigure the firewall, namely allowing Edge Inspect, Bonjour, and Mobile Device related rules, but the localhost pages are still being blocked.
    Any help with how to reconfigure the Windows firewall for much more Edge Inspecting would be appreciated!
    Kind Regards,
    Andy

    Hi saumishr,
    I have placed the following rules, both inbound and outbound, to allow both Edge Inspect and Bonjour to use 7682 for all domains using the TCP protocol. (Is that the correct protocol?)
    After applying these rules, though, the firewall still blocks Edge Inspect.
    I appreciate your help. Thank you

  • Question on best practice for NAT/PAT and client access to firewall IP

    Imagine that I have this scenario:
    Client(IP=192.168.1.1/24)--[CiscoL2 switch]--Router--CiscoL2Switch----F5 Firewall IP=10.10.10.1/24 (only one NIC, there is not outbound and inbound NIC configuration on this F5 firewall)
    One of my users is complaining about the following:
    When clients receive traffic from the F5 firewall (apparently the firewall is doing PAT, not NAT), the client sees the IP address 10.10.10.1.
    Do you see this as a problem? Should I make another IP address range available and do NAT properly so that clients will not see the firewall IP address? I don't see this situation as a problem, but please let me know if I am wrong.

    Hi,
    Static PAT is the same as static NAT, except it lets you specify the protocol (TCP or UDP) and port for the local and global addresses.
    This feature lets you identify the same global address across many different static statements, so long as the port is different for each statement (you CANNOT use the same global address for multiple static NAT statements).
    For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that use the same global IP address but different ports.
    And for PAT you cannot use the same pair of local and global addresses in multiple static statements between the same two interfaces.
    Regards
    Bjornarsb

  • Oracle Standby setup for firewall

    Hi,
    Recently one of my clients separated their primary and standby databases with a Juniper firewall. After the activity, some primary database servers were unable to ship the archives, whereas some of the primary databases were shipping the archives but the archives at the standby site were getting corrupted.
    Telnet from both sides works properly.
    telnet <ip_address> <listener_port>-----------------------> works fine
    My question is:
    Is there any recommended setting for a Juniper Networks firewall which can be used for Oracle databases?
    What ports need to be opened for a standby to work? (Apart from opening ports, is there any other setting which can hinder a physical standby setup?)
    Regards,

    Hello;
    Make sure SQL ALG is enabled.
    "set alg sql ena" to enable it.
    Connect Oracle Behind a Firewall
    http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/oracle-behind-firewall/td-p/23096
    Might also be of interest
    http://forums.juniper.net/t5/SRX-Services-Gateway/sqlnet-protocol-and-Oracle-10-problems/td-p/34684
    Best Regards
    mseberg
    Edited by: mseberg on May 7, 2012 12:17 PM

  • WLC 4402, LAP1242AG APs and Layer 2 Switch Network Design

    Hi Every One,
    I am a new designer in wireless technology. During design I came across a confusing/complex existing topology which I have to integrate with a WLC 4402, as below:
    Existing:
    1: I have 12 switches, all in VTP mode server, all in a single VLAN 1 with a single subnet 192.168.0.0/24. All user ports are in this single VLAN 1.
    2: All of these are old switches, including 2950G, 350GXL, 4912.
    3: All the switches' gateway is a PIX firewall (192.168.0.1).
    To Do:
    1: I have to implement 1 x WLC 4402 and 22 x LAP1242AG access points.
    2: The WLC will be connected to the 350GXL or 4912 through fiber.
    3: Access points will be connected to all other 20 switches randomly.
    Confusion:
    1: In my design I created a separate VLAN 450 for WLC and AP management. But this is not doable in the current setup because all the switches are in VTP mode server. Also the gateway is the firewall, which would require configuration on all existing switches plus the PIX. (I DON'T WANT TO GO FOR THIS OPTION.)
    2: To make my work easy, is it possible to put the WLC and APs in the same VLAN 1 (192.168.0.0/24) that is currently used by the existing switches? The gateway for the WLC and APs will be the PIX (192.168.0.1).
    3: I tried to search Cisco examples, but in every example Cisco has made a separate VLAN for WLC/AP management. So will point 2 work?
    4: Do I require any specific changes for this?
    5: ANY OTHER DESIGN SUGGESTION?
    Please find the attached diagram for more information.

    Thanks for the reply.
    1: You mean that the switch port config will be as below:
    int g0/10
    description connected to WLAN Controller
    switchport mode access
    switchport access vlan 1
    int g0/23
    description connected to AP
    switchport mode access
    switchport access vlan 1
    So below will be the summary of the config:
    All switches, WLC, APs, wireless users and wired users will be in the same subnet (192.168.0.0/24). Is it OK?
    2: What do you mean by VTP config? Please clarify.
    As I mentioned, all switches are in VTP mode server. The VTP domain name is configured on 12 out of 15 switches. Do I need to configure the same VTP domain name on all switches? Do I also have to check the VTP password?

  • Batch Monitor and the Mac OS X Firewall

    This is more or less what people have been saying for a few years now: "When I use Compressor, the Mac OS X firewall repeatedly asks permission to allow incoming connections for the Batch Monitor! Why?!?!"
    No matter how many times you click to approve or deny, the firewall alert reappears every five to twenty seconds. There seem to be many, many people with this problem. So far, the only solutions are to:
    1) Shut off the Mac OS firewall
    2) Switch the Mac OS firewall to "Allow only essential services" every time I want to use Compressor (a cumbersome solution at best)
    3) Keep clicking the buttons
    4) Don't use Compressor
    While some might argue that Compressor is a poor substitute for a real video conversion utility, for the vast majority of users, it's the only game in town.
    So, dear Apple, I humbly beg you on behalf of the literally thousands of users who deal with this problem, please either create a solution or suggest one.
    I'm still on Final Cut 6 and Compressor 3. So, if anyone knows that the latest release solves this issue, I'd love to hear it.

    I'm dealing with this same problem and have actually noted that you are right about the YEARS, because I found this problem posted December 6, 2007:
    http://discussions.apple.com/message.jspa?messageID=6563672
    It's unfortunate that a "bad taste" was left after that reply from the guy who called you a "nitwit" (I didn't even pay attention to his name; at least you have one, demiankz) and took the time to start this post. I humbly thank you.
    At any rate, I was determined to find out - because I have always been struggling to 'Allow' it and last night I decided to 'block' it.
    Does anyone know what is the right setting?
    Also - one work around that has been working for me is this:
    1) When the popup comes up (leave it up), open the firewall and unlock the settings padlock at the bottom left (if it is locked).
    2) Find Batch Monitor and, whatever the setting is, force a toggle, i.e. if it is "allow" select "block" and vice versa, then back to whatever you desire it to be. Just to force it to recognize you are changing it.
    3) NOW answer the popup to match whatever you toggled to in the firewall.
    4) Lock the padlock again.
    I've compressed a lot of jobs and I notice once I perform this it goes away for my entire job, provided I leave it alone until it finishes.
    If you do something like browse the internet or work on other things, the message tends to pop up again.
    Of course, after your job finishes, you will have to do this again - and that's why I wish people would keep responding to this post until we get an answer.
    Persistence causes results. Negativity just causes - well, just ignore that.
    At least attempt to be helpful, which I felt I have tried. It may work, it may not, or it may cause someone to recognize what the real problem is.
    Good luck and hope we get an answer soon!
    Message was edited by: Jonefer

  • IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501

    I have successfully established an IPsec tunnel with a Juniper firewall using a Cisco PIX 501 (version 6.3). The problem I am facing: I have network layer connectivity, but after a time interval I am not able to send traffic to the destination IP address on a specific port, though I can successfully ping the destination IP. On both firewalls the IPs are permitted for all ports.

    Dear Mr.,
    The same problem has occurred with me.

  • DMZ and FIREWALL

    Hello,
    While trying to figure out why some of the ports that I had set to forward were not forwarding, I did two things:
    1) Placed the PC that I was having "bother" with in the "DMZ" zone
    2) Switched off (disabled) the firewall in my HH2.
    Running two different "port scan" programs from the Internet showed that there was no response (timeout) from my IP address, which, incidentally, changed each time I went from "DMZ" to not "DMZ".
    Does this mean that the DMZ and FIREWALL on my HH do absolutely nothing, so it doesn't matter what setting you have?
    Or does it mean that the port scan programs are giving a false sense of security?
    I'd be interested to hear from anyone who has some experience of this.

    I have a question regarding the location of the (Oracle) application server, in front of or behind the firewall:
    The router to be used has a firewall function built in. Now if I place the (Oracle) application server behind this firewall, can the public users still access this (web) app server (even through this firewall)? If so, what parameters should I generally configure?
    In the DMZ you should put the web server (Apache + Web Cache), and behind the firewall a middle tier with the other components of iAS (depending on what you want).

  • Conversion from Juniper Configuration to Cisco Config

    Hi,
    I have a Juniper firewall config of 32,000 lines. I want to convert this into Cisco ASA v8.3. Is there any Perl script available which can do that for me?
    regards,
    Mohsin

    The first question is if you are migrating a ScreenOS config or a JunOS config. If you are migrating a ScreenOS config, the process is rather simple and can be done with the use of Notepad/Word to do search and replaces for key words and Excel for re-ordering columns (ScreenOS puts the permit after the services, we put it before the services, etc.). I have helped with a few migrations myself using this process and have found it much more reliable than even Juniper's ScreenOS to JunOS tool. (Perhaps because it is a firewall-firewall migration, as opposed to a firewall-router migration.) Your account team can provide you with documentation to support this process.
    Now, if you are migrating a JunOS config to an ASA config, there are also tricks that allow you to do it.  However, it is not as straight forward as the JunOS config looks very different.  This process is most efficiently done using the output of some show commands rather than the config itself.  In this case, I would strongly recommend you contact your account team for more details.
    In either case, welcome to Cisco's firewalls.  I am sure you will feel like one who has emerged from black and white movies to technicolor!!
    Maria

  • Firewall/Security Vendor Suggestion

    Hey,
    Please bear with me before we start the main content...
    First, I would need your suggestion, especially if you have hands-on experience with the following vendor products.
    Second, if you could help list pros and cons for the suggested vendor/product, that would be great.
    Third, I prefer not to make this a huge feature comparison, plus no personal attacks please (you know what would happen if someone says others are better than Cisco here).
    So here is what I need a suggestion for: we are solely a Cisco shop when selling firewalls to customers, mainly SMB customers. Now we would like to expand our product offering portfolio on the network security side, so we won't be stuck with one product (we had a really bad experience at the end of last year with a particular Cisco product). After some digging, I narrowed it down to the following:
    Checkpoint
    Fortinet
    WatchGuard
    There is a big ISP re-selling Juniper firewalls here in town, so it might not be a good idea to join the fight with them...
    So what is your suggestion? Maybe there are also other vendors/products I missed? Please keep in mind, our target market is mainly SMB.
    Also, from a certification perspective, the value of the cert from the vendor? I had CCSP (now called CCNP Security) but it expired in 2010...
    Thanks,
    /S

    IMO UTM is strictly a marketing term. In the real world I have yet to see a device that can do everything. A router is not always more money. For example, an ASA5505 with unlimited users is more money than an 891 Security router. A 50 user license with AnyConnect is within a couple of hundred dollars of an 891. If you buy a 10 user count license, then the ASA has a lower cost. The nice thing about routers is that they have such a rich feature set: features like DMVPN, QoS, AVC, Multicast, GRE, PBR, etc. that ASAs can't do. The features in IOS should be an easy sell to the customer.
