topic Re: FTD interface reconfiguration in Network Security

FTD interface reconfiguration

Sergey Sakharov — Tue, 05 Jan 2021 00:13:53 GMT

Hi team!

I have ASA5515-x and FTD2100. I'm willing to migrate from ASA to FTD so i used Firepower Migration Tool. ASA has one physical interface for each zone, but on FTD i want to create etherchannel for each zone for redundancy. Is it possible to move configuration from physical interface to port-channel somehow?

Re: FTD interface reconfiguration

balaji.bandi — Tue, 05 Jan 2021 12:24:32 GMT

Then you can not use 100% migration tool, you can do offline that changes and required testing also before you make live.

Re: FTD interface reconfiguration

Sergey Sakharov — Tue, 05 Jan 2021 23:04:35 GMT

I've deleted device from FMC and added it again without any configuration. After that manually created Port-Channels and subinterfaces on them. Firepower Migration Tool can see and map ASA interfaces on Port-Channels but not on subinterfaces.

Why? What's the limitation for subinterfaces? In documentation https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CP/CP2FTD-with-FP-Migration-Tool/CP2FTD-with-FP-Migration-Tool_chapter_010.html there is nothing about it, just - "Subinterfaces are not created by the Firepower Migration Tool. Only interface mapping is allowed between physical interfaces, port channel, or subinterfaces"

Also tried to change ASA configuration manually in notepad - move interface configuration to subinterface like that

interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248 standby 1.1.1.2

But FMT doesn't see subinterfaces in that file as well

Re: FTD interface reconfiguration

balaji.bandi — Wed, 06 Jan 2021 05:34:32 GMT

I may be not done, the Migration tool does not give the ability to make complete topology change. this tool simple ACL rule conversation based on exiting to new.

if this is not a big rule base I do it manually and now you got a chance to get rid of old rules which redundant moving forward with the new setuo.

Re: FTD interface reconfiguration

Marvin Rhoads — Wed, 06 Jan 2021 07:11:17 GMT

That's a current limitation of both the FMT as well as the online migration tool in CDO. I had to go through similar pain in a recent migration. I have since brought it up with the Cisco product team as an unwelcome shortcoming as it can result in a fair amount of unnecessary extra work to change things later. Hopefully future release will incorporate the ability to map to subinterfaces (with or without Etherchannels).

Re: FTD interface reconfiguration

Sergey Sakharov — Wed, 06 Jan 2021 20:56:21 GMT

Found the solution - created on both devices (for ASA did it in notepad) Port-Channels with the same numbers, move in notepad ASA config from physical interfaces to Port-Channel subinterfaces and pushed it to Firepower Migration Tool - migration tool created by itself same subinterfaces for FTD

Re: FTD interface reconfiguration

Marvin Rhoads — Thu, 07 Jan 2021 07:19:49 GMT

Yes that will work as an interim workaround if it is one portchannel subinterface to another portchannel subinterface. In my case I was trying to map multiple source ASA physical interfaces a a single portchannel on FTD with subinterfaces corresponding to the multiple physical interfaces. Maybe I could have gotten it to work if I had more extensively hand-modified the source ASA config to fool the tool into thinking they all started out as subinterfaces on a single interface

Re: FTD interface reconfiguration

balaji.bandi — Thu, 07 Jan 2021 10:34:40 GMT

Good you cracked, since software not know what you done, so you change the config bluff the tool so it can migrate as it is..

good stufff