sunilshepherd
Contributor

Help!!!! Cisco firewall rules need to be migrated into the NSX DFW

Hello Guys,

Help !!!

I have two locations; each site has one Cisco ASA firewall with 1800 rules per firewall. Now these two locations are moving to one data center behind the virtual environment.

Now what would be the best process to do it? Like getting the active rules from the firewall after clearing the hit counts on the ACL.

After that I need to know what would be the best way to migrate those Cisco ASA firewall rules into the NSX DFW?

Thanks in advance

Sunil kumar Baghel

3 Replies
DaleCoghlan
VMware Employee

For the actual conversion, use python and CiscoConfParse (GitHub - mpenning/ciscoconfparse: Parse, Audit, Query, Build, and Modify Cisco IOS-style configurati... ) to parse the relevant data from the ASA. Once parsed, you can then convert the parsed data into the relevant XML to be configured in NSX via the API.

A word of warning though. If you just blindly migrate the ASA rules, you MUST also set the relevant Applied To for each rule. This becomes somewhat difficult, as you will need to map the IPs used in the rules to match against the relevant VM objects which then can be used in the Applied To (directly or via Security Group membership) of the rule to scope the rule correctly. Failure to leverage the Applied To field will potentially mean that you could cause performance or memory issues due to an un-optimized ruleset.

Dale

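As an added illustration of Dale's two points (parse the ASA access-list entries, then emit DFW rule XML that carries an Applied To scope), here is example code that is not from the thread, from VMware or from CiscoConfParse: it uses a standard-library regex in place of CiscoConfParse so it runs offline. The sample ACL lines and the CIDR-to-Security-Group map are constructed, the Security Group objectIds are placeholders, and the NSX-v DFW element layout (appliedToList, sources/destinations, inline service) follows the 6.x XML API as I recall it and should be checked against the API guide for the version in use.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample ASA lines (not from the thread): two entries from one ACL.
ASA_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.5 eq 443
access-list OUTSIDE_IN extended deny ip any host 192.168.10.5
"""
# Constructed CIDR -> (Security Group name, objectId) map that supplies Applied To.
SG_MAP = {"192.168.10.5/32": ("sg-web", "securitygroup-10")}
ACL_RE = re.compile(
    r"access-list (?P<acl>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)(?: eq (?P<port>\S+))?$")

def to_cidr(field):
    # ASA 'host A', 'any' or 'A MASK' -> the CIDR string the DFW takes
    if field == "any":
        return "any"
    if field.startswith("host "):
        return field.split()[1] + "/32"
    ip, mask = field.split()
    return f"{ip}/{sum(bin(int(o)).count('1') for o in mask.split('.'))}"

def parse_asa_acl(config):
    """One dict per extended access-list entry; non-matching lines are skipped."""
    return [m.groupdict() for m in (ACL_RE.match(l.strip()) for l in config.splitlines()) if m]

def build_dfw_rule(rule, seq, sg_map=SG_MAP):
    """Render one parsed entry as an NSX-v DFW <rule> scoped with Applied To."""
    scope = [sg_map[c] for c in (to_cidr(rule["src"]), to_cidr(rule["dst"])) if c in sg_map]
    if not scope:  # refuse the unscoped rule instead of migrating it blindly
        raise ValueError(f"rule {seq}: no Security Group mapped for src/dst, cannot scope")
    r = ET.Element("rule", disabled="false", logged="false")
    ET.SubElement(r, "name").text = f"{rule['acl']}-{seq}"
    ET.SubElement(r, "action").text = "allow" if rule["action"] == "permit" else "deny"
    applied = ET.SubElement(r, "appliedToList")
    for name, object_id in scope:
        a = ET.SubElement(applied, "appliedTo")
        ET.SubElement(a, "name").text = name
        ET.SubElement(a, "value").text = object_id
        ET.SubElement(a, "type").text = "SecurityGroup"
    for tag, field in (("sources", "src"), ("destinations", "dst")):
        cidr = to_cidr(rule[field])
        if cidr != "any":  # an omitted sources/destinations element means "any"
            s = ET.SubElement(ET.SubElement(r, tag, excluded="false"), tag[:-1])
            ET.SubElement(s, "value").text = cidr
            ET.SubElement(s, "type").text = "Ipv4Address"
    if rule["port"]:  # ASA 'eq PORT' becomes an inline L4 service
        svc = ET.SubElement(ET.SubElement(r, "services"), "service")
        ET.SubElement(svc, "protocolName").text = rule["proto"].upper()
        ET.SubElement(svc, "destinationPort").text = rule["port"]
    return ET.tostring(r, encoding="unicode")
def convert(config=ASA_CONFIG, sg_map=SG_MAP):
    # XML for every entry, numbered in ACL order (the DFW keeps rule order)
    return [build_dfw_rule(r, i, sg_map) for i, r in enumerate(parse_asa_acl(config), 1)]
```

The returned strings are the rule bodies you would add to a section via the DFW API; any entry whose source and destination both fail to map to a Security Group is rejected for manual review rather than landing unscoped.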
sunilshepherd
Contributor

Thanks Dale,

I found a RestAPI tool to migrate rules in bulk... we can add/modify/delete rules from the NSX firewall.

jzjdks
Contributor

Would you share how to use the RestAPI tool to convert ASA firewall rules to NSX-T?
