SRX

Attached is a PIX/ASA to SRX/Junos converter.

It's written in Perl and has a few instructions
included. I hope someone finds it useful.

...David

Attachment(s)

px2sx.zip   9 KB 1 version

Minor version update - bug fixed in a core routine when newer versions of NetAddr::IP were used.

Seems to work with older versions still, though.

...David

Attachment(s)

px2sx251.zip   9 KB 1 version

David -

WoW! - What an awesome tool. I was doing some testing it ran an old pix 6.x config file and within seconds it converted all the objects and rules. I'm so physced to work more with this tool.

I do need some help though. I ran a different PIX (version 8.03) config file and it errors out quickly with the below error. Any ideas?

admin@ubuntu:~/hms$ perl px2sx.pl hmspix

Starting conversion to Junos...

Zones & Routes...
Can't call method "network" on an undefined value at px2sx.pl line 83.

Line 83 on the PIX config is simply a named object. Are there version limitations with the tool?

This sounds awesome but I am having a hell of a time getting it to work on WIndows 😕

I have no knowledge of using Perl, but I grabbed a copy of ActivePerl community edition 5.14 and tried it out, it errored asking for NetAddr IP module. This is where I get lost 😞 Is there any simple instructions on doing this?

As with most of my experiences with code and unix installs you fix one tihng only to find another dependancy. I somehow managed to get IP.pm but now more issues:

C:\temp\perl px2sx.pl asa.txt
Can't locate auto/NetAddr/IP/Util/autosplit.ix in @INC (@INC contains: C:/Perl64
/site/lib C:/Perl64/lib .) at C:/Perl64/lib/AutoLoader.pm line 173.
 at C:/Perl64/lib/NetAddr/IP/Util.pm line 9
Can't locate NetAddr/IP/UtilPP.pm in @INC (@INC contains: C:/Perl64/site/lib C:/
Perl64/lib .) at C:/Perl64/lib/NetAddr/IP/Util.pm line 105.
Compilation failed in require at C:/Perl64/lib/NetAddr/IP/Lite.pm line 9.
BEGIN failed--compilation aborted at C:/Perl64/lib/NetAddr/IP/Lite.pm line 28.
Compilation failed in require at C:/Perl64/lib/NetAddr/IP.pm line 7.
BEGIN failed--compilation aborted at C:/Perl64/lib/NetAddr/IP.pm line 7.
Compilation failed in require at px2sx.pl line 16.
BEGIN failed--compilation aborted at px2sx.pl line 16.

It's not hard - run up the Perl Package Manager (comes with ActivePerl) and mark the NetAddr-IP package for install.

You might have to change the view to 'All Packages' first, and it does take a while to start up so patience is needed.

5.14 should be OK - it uses the 'given - when' syntax so anything from 5.10 onwards should be OK.

...David

Yes - currently it doesn't handle version 8 NATs. But I've sorted out most of the other bugs, so it's probably time to upload a newer version.

...David

David, 

can you help with converting ASA config to SRX ? it is kind of last minute urgent thing, can i send you a copy of the ASA configuration ? 

This is most excellent and saved me a lot of manual work. Thank you!

Newer version. Some support for v8 config files now.

Various bugs fixed & features added.

...David

Attachment(s)

px2sx258.zip   11 KB 1 version

hello my name is David Shariel mexico city, I need help converting a file from a Cisco Asa a Juniper SRX240.
They could help

Thanks David that new version worked perfectly!

I figured out my issue earlier with perl also - I was trying to get it to install on a machine that did not have direct Internet access. You'd never figure how hard it is to install modules for perl without Internet access 😞 In the end I just grabbed a laptop and used my celluar mobile access and installed it that way - easy as can be 🙂

Very nice script!!! When I run it I get the address books, zones, destination/static NAT, and routes, but an error on 506:

Can't call method "within" on an undefined value at px2sx.pl line 506.

Thanks,

Nick

I receive a similar but slightly different error...

Can't locate object method "within" via package "some object group in my pix config" (perhaps you forgot to load "some object group in my pix config"?) at px2sx.pl line 506.

Any help would be apreciated.

Ben

Line 506 is in a core function which works out which zone a given object is in.

It's called not only directly from the main loops, but also from within another function.

I'd need to see the (sanitised) config file that it fails on in order to sort it out.

From what you describe it could be an object, network-object or access-list line.

It's not been extensively tested on version 8 configs - I don't have a lot of examples.

...David

Hi David, I have a config that generates some minor errros to do with those DM_INLINE style group objects if you're interested in tweaking that.

Thinking about this... it implies that the zones file hasn't been built properly.

In which case all I'd need to see would the the zones.txt output file,

and maybe the static routes & interfaces sections from the config file.

...David

Dear David,

I need to convert my cisco asa configuration to junos, but i am unable to use the conversion tool.

I downloaded your tool and it's in winrar & when i extracted it i am unable to use px2sx file.

Suggest me as i am new to this

Steps would be great.

Thanks in advance 🙂

The tool is a PERL script. To use it you need to have it on a machine that has perl installed on it.

Here is a small howto to get perl installed under Windows.

http://learn.perl.org/installing/windows.html

you also need some perl "plugins" which you can install by using cpan (part of perl)

cpan Getopt::Std

cpan Scalar::Util

cpan NetAddr::IP

After this you can run "perl px2sx.pl"  in the path you have axctracted the px2sx.pl tool

Can you please input the first addin needed in all text?  It showed up with an emoticon in the name:

cpan Getopt:td

thank Larry

For those getting the error on line 506, firstly, insert this after line 266 (the "foreach" line):

	print("Line: $line");

When it fails, you can tell what line it fails on.  Here's the problem...

In the newer configs, the network objects defined under the object-group are "network-object object OBJECTNAME".  The script is looking for "network-object host OBJECTNAME", even if the object is a network.

Objects defined as ranges don't work.  And nested groups don't work.

Also, in the access-lists, "object" must be changed to "host", and lines that begin with a service "object smtp" need to be reformated to something like "permit tcp host whatever host whatever eq 25" so the port is at the end.  They can only begin with a service if it's an object-group.

I manually fixed a config, and it took some time.  But, with the addition of the print statement above, I was able to tell where it failed.

If anyone manages to fix the script, please post an updated version.  The email in the script for the original author doesn't seem to work.

Hi guys,

any news about this topic?

Does the perl script have fixed? I need to converto from PIX525 release 7.2 to srx650.

Many thanks

Antonio

Not sure if you've updated this tool recently but I'm using it to convert a FWSM config and it is helpful.

Thank you!!!

Hello 

Does it exist an update version at this time?????????

Thx a lot save my lots of time .....  🙂

---

@DavidH wrote:

Attached is a PIX/ASA to SRX/Junos converter.

It's written in Perl and has a few instructions
included. I hope someone finds it useful.

...David

 

---