topic Re: Migrate from ASASM to FMC/FTD in Network Security

Migrate from ASASM to FMC/FTD

ben.levin1 — Wed, 23 Nov 2022 17:44:34 GMT

I am working on migrating from an ASASM to FMC/FTD. I know that the ASASM isn't fully supported by the firepower migration tool, but the policy and objects are pretty long so we are doing what we can with it and the TAC said that it would not migrate interfaces and static routes. However, I have tested the migration several times and the policy does come over but the post migration report show that not all of the objects and policy were migrated over (lines from the config were ignored). I did manually create the interfaces on the FTD before doing the migration.

I'll probably end up opening a new TAC case but I figured I'd ask here first. Has anyone done this kind of migration and is there a way to get all of the ACLs and objects successfully migrated over without having to do it all manually? At the moment I'm thinking we'll run the migration tool and then have to go through the post migration report to manually add all the configuration that was ignored. It's going to be very time consuming so I'm hoping to find some ways to speed things up. Thank you.

Re: Migrate from ASASM to FMC/FTD

balaji.bandi — Wed, 23 Nov 2022 17:54:59 GMT

Sometime Migration toolk no 100% does what you expected due to some odd config issue around to be honest.

since you have TAC case, they are the better SME for your case and they review your config, since we do not have your config visibility what worked and what failed here.

Re: Migrate from ASASM to FMC/FTD

ben.levin1 — Wed, 23 Nov 2022 17:58:35 GMT

Thank you for your response. We had a TAC case over the summer but it was closed since the project was delayed. I will open a new TAC case to see if they can help us.

Re: Migrate from ASASM to FMC/FTD

Milos_Jovanovic — Wed, 23 Nov 2022 19:03:24 GMT

Hi @ben.levin1,

If you have or can get standard ASA (like ASAv or any of the 5500-X models, with newer SW like 9.8+), you could try to manually copy over ASASM config to ASAv. While copying config, if you spot any issues, you can fix them right then and there. Once that is done, you can try again with FMT, and see what are the results.

Kind regards,

Milos

Re: Migrate from ASASM to FMC/FTD

Marvin Rhoads — Thu, 24 Nov 2022 04:24:23 GMT

What version is your ASASM running? If it's 8.4+ then the suggestion by @Milos_Jovanovic is how I'd suggest proceeding. That method should get you a clean migration using FMT.

Re: Migrate from ASASM to FMC/FTD

balaji.bandi — Thu, 24 Nov 2022 08:14:26 GMT

we have tried FWSM to ASAv and then FTD, the results are not as expected. i am sure you need to do manual task many many lines.

if the config is simple and I would take the opportunity to clean up many rules and not the required information (which we don't remove and rules not hit also gone increasing organically).

Re: Migrate from ASASM to FMC/FTD

Milos_Jovanovic — Thu, 24 Nov 2022 13:29:07 GMT

If I remember correctly, FWSM is using pre ASA v8.3 syntax, so it falls down to migration of pre 8.3 to post 8.3, which is complication of its own, and I fully agree - existing automated tools are not providing best results in such case.

What I was suggesting is same as @Marvin Rhoads explained better, with more details - if ASASM is post 8.3 syntax, then manual input of config, without too much config to ASAv (which is always post 8.3) can be used.

Kind regards,

Milos

Re: Migrate from ASASM to FMC/FTD

Marvin Rhoads — Thu, 24 Nov 2022 13:45:00 GMT

If I recall correctly ASASM (not FWSM) was an 8.6+ device.

Since the VLAN groups don't have any real analogue in ASA (or FTD) then doing as @Milos_Jovanovic suggests would be the best bet. That should get the ACLs and NAT rules transferred with associated objects. That comprises the bulk of the configuration by number of lines. Routing and interface configurations would need to be done manually.