SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Juniper SRX3600

    Posted 06-18-2016 07:43

    Hi,

     

    I would like to reproduce Juniper SSG-520M config on Juniper SRX3600.
    I really need your help to do this.

    I can send you the SSG-520M config file.


    Regards

    Mahaman Sani



  • 2.  RE: Juniper SRX3600

     
    Posted 06-18-2016 09:50

    Hi,

     

    Maybe you could give this a try:
    ScreenOS to Junos configuration Translation Tool (S2J)

     

    Cheers,

    Ashvin

     



  • 3.  RE: Juniper SRX3600

    Posted 06-20-2016 03:14

    Hi,
    Thank you for your reply.
    I'll try it and give you feedback.

     

    Regards

    Mahaman Sani



  • 4.  RE: Juniper SRX3600
    Best Answer

    Posted 06-19-2016 06:35

    As Ashvin mentions, there is a basic conversion tool on the support site.  This is a good place to start as it will pick up a lot of the common configuration translations.

     

    The tool will then identify the configuration sections that are not recognized.  If you don't understand how to manually translate these portions, then we can discuss them one at a time.

     

    I've done a lot of simple conversions using this method.

     

    If you have a large config in a mission critical area then you may want to contact a Juniper partner for professional services on this type of conversion.  They can be more aware of your exact topology and issues than we will here in a public space.



  • 5.  RE: Juniper SRX3600

    Posted 06-20-2016 04:39

    Hi Steve,

     

    I tried but I get some errors.
    Find attached output file.

     

    Please, I really need your help.

     

    Regards

    Mahaman Sani

    Attachment(s)

    txt
    SSG-520M-s2jOutput(1).txt   275 KB 1 version


  • 6.  RE: Juniper SRX3600

     
    Posted 06-20-2016 06:05

    Hi,

     

    You may need to adapt the interfaces as the logical interfaces on the ScreenOS have not been converted.

    You will have to convert NSRP cluster to an SRX cluster config.

    Some of the errors reported may need to be ignored. For instance:

    1129:set log session-init
    Line not recognized by S2J

    which is successfully converted into:

                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }

    Cheers,

    Ashvin



  • 7.  RE: Juniper SRX3600

    Posted 06-20-2016 16:13

    Some notes on the annotations for your conversion.

     

    The messages before line 89 can all be ignored.

     

    For these, I am not sure what the tunnel option is for zones to a virtual router.  This will need to be researched.  I've not used this feature.

     

    91:set zone "Untrust-Tun" vrouter "trust-vr"

     

    Tunnel Zone is not supported in JUNOS

     

    92:set zone id 100 "Paie" tunnel CH_Admin-sz

     

    Line not yet supported by S2J

     

    The Transparent mode messages can be ignored as you are clearly in layer 3 mode.

     

    ethernet0/0

    ethernet0/1

    ethernet0/2

     

     

    These configurations will need to be converted to units on the interface selected on your SRX with the VLAN tag added and family inet with the ip address from further down in the configuration.

     

    In the security zone section you will need to add these interface sub units to the matching zone from the list.

     

    You can ignore the vlan1 message in line 201 as this is part of transparent mode that you are not using.

     

    You can ignore all the notes about ip manageable.  The equivalent Junos is controlled by your zone host inbound services settings.

     

    unset interface ethernet0/2.23 ip manageable

     

    Messages in lines 245-253 can also be ignored.

     

    NSRP: lines 254-266

     

    Your ScreenOS is a cluster.  The config here will be a single device, not a cluster.  You could get this running as a single device, then run through the basic steps to join the two into a cluster.  This will require making choices about redundancy on interfaces.

     

    Alternatively, you can design the cluster interfaces first and make all the previous interface changes on the RETH interfaces to load into a basic cluster.  In that case, start by following the cluster KB to create the cluster, then start merging in the rest of the config.

     

    Address errors

     

    281:set address "CH_Access-sz" "CCN Diameter VIP" 192.168.16.42 255.255.255.252

     

    Invalid IP Address.Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask.

     

    This is saying you need to have the objects at the correct subnet boundaries, in this case 192.168.16.40/30 instead of using 42.

     

    This also indicates boundary errors:

    Route interface cannot be null. Please define the interface.

     

    address groups:

     

    This is just that the above addresses did not convert, so the groups also failed and you manually create them.

     

    Member Definition for "LUVA VIP1" is missing or the member is not being converted.

     

    You can ignore the messages in lines 652 to 665

     

    This custom service does seem to be missing from the config and multiple rules depend on it.

     

    680:set service "GTP"

     

    Application Definition for "GTP" is missing  or application not being converted.

     

    The destination address "oss" is not defined in the CH_OM-sz zone

    This is probably one of the addresses above that did not create, so you will need to make the rule in addition to the address.

     

    You can ignore line 1922 as it only applies to NSM.

     

    This is controlled under system services if you need telnet

    1926:set telnet client enable

     

    Line not recognized by S2J

     

    You will set up SNMP in Junos at hierarchy:

     

    set snmp community

     

    1930:set snmp port listen 161

     

    There is no equivalent in JUNOS

     

    You can ignore 1935

     

    Routing 1980 and follows

     

    Next Table Looping found. This route wont be converted.

     

    For these, you will need to examine how the routes and the next table for the virtual routers work in Junos.  Likely you can insert these into the desired routing-instance, but you will need to do this manually.  This message mainly comes with the shared virtual router that exists in ScreenOS but not Junos.

     

    Line 2079 and similar are again indicating the need to use the base IP address of the subnet for these route entries.

     

    10.177.32.1/24

    not 10.177.32.51/24

     

    2079:set route 10.177.32.51/24 interface ethernet0/1 gateway 192.168.16.253

     

    Invalid IP Address. Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask.
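
An added example, not part of the original thread and not S2J's own logic: a short Python check for the "Invalid IP Address" boundary errors discussed above. It lists the `set address` and `set route` lines whose address has host bits set under its mask and gives the network base prefix to use instead. The sample input is constructed from the two flagged lines quoted in the thread plus one made-up aligned entry; the function name `check_boundaries` is hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two flagged lines quoted in the thread, plus one
# made-up entry that is already aligned (its name and address are illustrative).
SAMPLE = '''\
281:set address "CH_Access-sz" "CCN Diameter VIP" 192.168.16.42 255.255.255.252
300:set address "CH_Access-sz" "Example Net" 192.168.20.0 255.255.255.0
2079:set route 10.177.32.51/24 interface ethernet0/1 gateway 192.168.16.253
'''

# Lines carry the "NNN:" source line prefix used in the annotated output.
ADDR_RE = re.compile(r'^(\d+):set address "([^"]+)" "([^"]+)" (\S+) (\S+)(?:\s|$)')
ROUTE_RE = re.compile(r'^(\d+):set route (\S+/\d+) ')

def check_boundaries(text):
    """Return (line_no, label, as_written, base_prefix) for every entry
    whose address has host bits set under its mask."""
    findings = []
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            line_no, zone, name, ip, mask = m.groups()
            written = f"{ip}/{mask}"
            label = f"{zone}/{name}"
        else:
            m = ROUTE_RE.match(line)
            if not m:
                continue
            line_no, written = m.groups()
            label = "route"
        try:
            iface = ipaddress.ip_interface(written)
        except ValueError:
            continue  # FQDN objects or malformed values are not checked here
        # A /32 host or an aligned network passes; anything else is flagged.
        if iface.ip != iface.network.network_address:
            findings.append((int(line_no), label, written, str(iface.network)))
    return findings

if __name__ == "__main__":
    for line_no, label, written, base in check_boundaries(SAMPLE):
        print(f"line {line_no}: {label}: {written} -> {base}")
```

Running it over the full ScreenOS config before conversion gives the list of address objects to re-create by hand, which in turn tells you which address groups and policies will fail for the same reason.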