Forum Discussion
Import Cisco ACL (2000+ rows) from Cisco ACE to F5
Hello guys,
Through the last few months I have been looking for a scenario of how to upload/implement/import Cisco ACLs to F5. I have been looking here and found about 5 to 10 Cisco ACL articles, but none of them is working for me.
So the problem is this:
I am migrating old Cisco ACE contexts to a new client's F5 i5000 series vCMPs. I was preparing this for a couple of months since I had the Cisco ACE configs provided. Everything with the implementation of the first context worked fine. I created VLANs, trunks, vCMP, provisioning, configured the vCMP itself, etc. Also I have used the Cisco-provided scripts, which are from 2015, and in fact for LTM they are not 100% effective. However, I managed to configure what was left manually.
But now I come to the next context/vCMP where I have more than 2000 rows of ACL regarding some printers' access. I was looking for a solution for this but still without any result.
The interesting thing is that I have a request from the client asking if I could implement the ACL on the F5 directly from a pre-defined/created list in .csv format. It could be text or XML, whatever. Also this list will change over time. Is there any option for this? Could it be done through tmsh? Some script?
Please help.
- Andy_McGrathCumulonimbus
Hi Kaloyan,
Looks like an older post which the community has not picked up on, but I will do my best to help as I have a bit of experience with Cisco ACE to F5 (I did mostly nothing but Cisco to F5 migrations for almost 2 years).
A few questions just for clarity:
- What are the ACLs used for: access to VIPs, to restrict traffic being forwarded by the ACE, or something else like management restrictions?
- How are you looking to implement these ACLs on the target F5 devices: AFM policies, iRules, or something else?
- Are the ACEs and target F5 planned to be used for routing traffic, using IP forwarding Virtual Servers?
Once I have this, hopefully I can help you out some more.
AMG
- k_kirchev_28437Nimbostratus
Hi AMG,
Thanks for the reply. I was almost desperate because I did not find anything in the last 3 months. So:
- The ACLs are in the Exchange context and will be used for printer access (restrict traffic).
- I have not used the APM or AFM modules till now. I suppose they are going to be APM ACLs, but please give advice based on your experience.
- On this context of the ACE I am not sure what the virtual servers are. Could you please take a look and give advice? I suppose these below could be Standard or maybe Performance L4?:
class-map match-all EXCHANGE_HTTPS
  5 match virtual-address 10.0.168.32 tcp eq https
class-map match-all HUB_CLI
  5 match virtual-address 10.0.168.34 tcp eq smtp
class-map match-all HUB_RELAY
  5 match virtual-address 10.0.168.35 tcp eq smtp
class-map match-all HUB_WWW
  5 match virtual-address 10.0.168.33 tcp eq smtp
class-map match-any IMAP
  5 match virtual-address 10.0.168.32 tcp eq 143
  10 match virtual-address 10.0.168.32 tcp eq 993
- Andy_McGrathCumulonimbus
So my understanding is these are ACLs to restrict access to VIPs on the ACE, so load-balancing Virtual Servers on the F5s.
From this I expect AFM (Advanced Firewall Manager) is likely to be your best option on the target F5 devices, as long as it is/can be licensed and provisioned. Although, not seeing the full solution, it is difficult to make a conclusive recommendation.
Based on these assumptions you can migrate your ACLs into AFM Network Security Policies; however, this is not that simple, as the approach is different in F5 AFM than in Cisco ACLs.
I did start on a Python script for this a few years ago for a project, but I am not sure how useful it would be for you. I will see if I can dig it out and share it with you.
- youssef1Cumulonimbus
As AMG said, I think that the best option for you is to use AFM. You will have available a dedicated management console for managing your ACLs. This module is made for that. Additionally you can set your ACL/rule at multiple levels according to your convenience (VLAN, VS, global, ...). I will say that the benefits are simple operation (creation/modification/better view of your rules, specific and dedicated logs ...).
You can also do it by iRule or via policy. It will do the job... you will just have to be careful how you use it. Try to group your rules/ACLs into several data groups or iRules or policies to facilitate the management and the exploitation of this one. Set up logging (HSL) for the tracking part. Basically, do some thinking before deployment to simplify the operation of your implementation.
Regards,
- k_kirchev_28437Nimbostratus
Hello Guys,
 
I appreciate your answers very much!
 
I found something for AFM here :
 
https://devcentral.f5.com/s/feed/0D51T00006j31onSAA
 
But for me it seems a little bit tough because I have to define every single object (host or network) and every single port. This seems TONS of writing and a big chance of mistakes, unfortunately.
 
Also just a quick example:
 
apm acl PERMIt-LB { entries { { action allow dst-end-port https dst-start-port https dst-subnet 10.0.168.32/32 protocol 6 src-subnet 0.0.0.0/0 } } }
 
This way through APM seems much easier when I have to edit port/host/subnet etc. Of course, again, there is a big chance of errors while writing 2000 ACL entries.
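The CSV-driven generator the question asks about, as an added example that is not code from any post in this thread: it validates each row up front (a bad address, port or action fails with the CSV line number, exact duplicates are dropped) and emits tmsh for an AFM rule-list, since the replies steer towards AFM rather than APM. The CSV columns and sample rows are constructed, and the rule-list tmsh syntax is assumed from F5's AFM documentation, so check it with `tmsh help security firewall rule-list` on the target TMOS version before loading.

```python
import csv
import io
import ipaddress

# Constructed sample of the kind of CSV the client could hand over (not from the thread).
SAMPLE_CSV = """action,protocol,source,destination,dst_port
permit,tcp,10.10.0.0/24,10.0.168.32/32,443
permit,tcp,10.10.0.0/24,10.0.168.32/32,443
permit,tcp,10.20.5.7,10.0.168.33/32,25
deny,tcp,0.0.0.0/0,10.0.168.32/32,143
"""

ACTIONS = {"permit": "accept", "deny": "drop"}  # ACL verb -> AFM rule action


def parse_rows(text):
    """Validate every CSV row and drop exact duplicates; a bad address, port or
    action raises ValueError with the CSV line number so nothing broken reaches tmsh."""
    rules, seen = [], set()
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            action = ACTIONS[row["action"].strip().lower()]
            proto = row["protocol"].strip().lower()
            src = ipaddress.ip_network(row["source"].strip(), strict=False)
            dst = ipaddress.ip_network(row["destination"].strip(), strict=False)
            port = int(row["dst_port"])
            if proto not in ("tcp", "udp") or not 0 < port < 65536:
                raise ValueError("unsupported protocol or port out of range")
        except (KeyError, ValueError, TypeError, AttributeError) as exc:
            raise ValueError(f"CSV line {n}: {row}: {exc}") from None
        key = (action, proto, src.with_prefixlen, dst.with_prefixlen, port)
        if key in seen:
            continue  # duplicate row: keep only the first occurrence
        seen.add(key)
        rules.append(dict(zip(("action", "proto", "src", "dst", "port"), key)))
    return rules


def to_tmsh(rules, name):
    """Render one tmsh command creating an AFM rule-list that holds every rule.
    Syntax assumed from F5 docs; verify with 'tmsh help security firewall rule-list'."""
    body = [
        f"rule_{i} {{ action {r['action']} ip-protocol {r['proto']} "
        f"source {{ addresses add {{ {r['src']} }} }} "
        f"destination {{ addresses add {{ {r['dst']} }} ports add {{ {r['port']} }} }} }}"
        for i, r in enumerate(rules, start=1)
    ]
    return f"create /security firewall rule-list {name} rules add {{ {' '.join(body)} }}"
```

Because the client's list will change over time, re-running this on the new CSV and diffing the generated tmsh against the previous run shows exactly which rules changed before anything is applied.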
 
- youssef1Cumulonimbus
Hello,
Just be careful with APM. APM policies manage access management (L7) for web access / AS / VPN ... through session cookies. I do not think it's a good idea to use it to do L4 filtering...
In fact APM allows us to use ACLs, but only for objects that you create for your APM policy (resources: RDP, app tunnel, L4 ACL access for full VPN, ...).
Regards
- Andy_McGrathCumulonimbus
I second Youssef's comment; I don't think APM is the way to go. AFM is a firewall module, so the perfect place to migrate ACLs to.
The big issue you have, other than the different format, is that the policy association, i.e. where the policy is applied (VLAN, Virtual Server or Global), will affect the way you migrate.
- k_kirchev_28437Nimbostratus
Thank you guys! This is great. I will look further for AFM.
Ohh, but with the current license I saw I cannot provision AFM. This is not good. However
Thank you again guys, I will try to find some solution for this!!
Your help is highly appreciated!
- Andy_McGrathCumulonimbus
Without AFM you can migrate ACLs to iRules or Network Packet Filters.
However, both are going to be a lot of rules, very complex and extremely difficult to manage post migration.
If you can get an AFM license it will be easier in the long run, or look to migrate some or all of the ACLs to the F5-connected switches or a network firewall somewhere.
- youssef1Cumulonimbus
Hi K,
You can ask F5 for an AFM add-on for 1 month to test this functionality in your environment. Or buy a lab license for just $100 that contains all modules...
Regards,