https://community.cisco.com/t5/network-security/firepower-migration-tool-diagnostic-mgmt-interface-change-ip/m-p/3913627#M939284 <P>I am converting a existing ASA to FMC/FTD (6.4) and using the Firepower migration tool (v. 1.3.1-3051). &nbsp;During the "review and validation" I am wanting to change the mgmt IP (Diagnostic1/1) so that it doesn't overlap with the existing production ASA. &nbsp;I have all the other interfaces cabled through switches and have them shutdown on the switch side to prevent any duplicate IP situation etc. &nbsp;When I actually cutover to the FTD - I will simply no shut those interfaces on the switch. &nbsp;But I still need a way to manage the FTD remotely so I need the Diag1/1 interface IP to be different than my production ASA mgmt IP is. &nbsp;Is this possible? &nbsp;If not, how do I stand up the new FTD and preconfigure it (with the migration tool), remotely, without it creating a duplicate IP on the mgmt port? &nbsp;</P><P>&nbsp;</P><P>I even have a Raritin console switch on site so I could even leverage it. &nbsp;But I seem to have a "chicken/egg" issue because while I could basically shutdown the corresponding switch link for the mgmt to prevent a duplicate IP (and use the console for access) - I then could not use the Firepower migration tool to push config to it because I lack an interface on net.&nbsp;</P><P>&nbsp;</P><P>Is there a way to use the migration tool to ONLY push the config to the FMC and then later I can modify it and "deploy" it to the FTD?&nbsp;</P><P>&nbsp;</P><P>Any other thoughts? ? ?</P> Fri, 21 Feb 2020 17:25:45 GMT Joseph Gaefe 2020-02-21T17:25:45Z https://community.cisco.com/t5/network-security/firepower-migration-tool-diagnostic-mgmt-interface-change-ip/m-p/3913627#M939284 <P>I am converting a existing ASA to FMC/FTD (6.4) and using the Firepower migration tool (v. 1.3.1-3051). &nbsp;During the "review and validation" I am wanting to change the mgmt IP (Diagnostic1/1) so that it doesn't overlap with the existing production ASA. &nbsp;I have all the other interfaces cabled through switches and have them shutdown on the switch side to prevent any duplicate IP situation etc. &nbsp;When I actually cutover to the FTD - I will simply no shut those interfaces on the switch. &nbsp;But I still need a way to manage the FTD remotely so I need the Diag1/1 interface IP to be different than my production ASA mgmt IP is. &nbsp;Is this possible? &nbsp;If not, how do I stand up the new FTD and preconfigure it (with the migration tool), remotely, without it creating a duplicate IP on the mgmt port? &nbsp;</P><P>&nbsp;</P><P>I even have a Raritin console switch on site so I could even leverage it. &nbsp;But I seem to have a "chicken/egg" issue because while I could basically shutdown the corresponding switch link for the mgmt to prevent a duplicate IP (and use the console for access) - I then could not use the Firepower migration tool to push config to it because I lack an interface on net.&nbsp;</P><P>&nbsp;</P><P>Is there a way to use the migration tool to ONLY push the config to the FMC and then later I can modify it and "deploy" it to the FTD?&nbsp;</P><P>&nbsp;</P><P>Any other thoughts? ? ?</P> Fri, 21 Feb 2020 17:25:45 GMT https://community.cisco.com/t5/network-security/firepower-migration-tool-diagnostic-mgmt-interface-change-ip/m-p/3913627#M939284 Joseph Gaefe 2020-02-21T17:25:45Z https://community.cisco.com/t5/network-security/firepower-migration-tool-diagnostic-mgmt-interface-change-ip/m-p/3913661#M939285 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/149298">@Joseph Gaefe</a>&nbsp;wrote:<BR /> <P>&nbsp;</P> <P>Is there a way to use the migration tool to ONLY push the config to the FMC and then later I can modify it and "deploy" it to the FTD?&nbsp;</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P>&nbsp;</P> <P>Yes. See this section of the migration tool guide:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/b_Migration_Guide_ASA2FTD_chapter_01011.html#id_67815" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/b_Migration_Guide_ASA2FTD_chapter_01011.html#id_67815</A></P> <P>There it describes the process of how we first push the migrated configuration to FMC and then, only "<SPAN>After you have completed your review, deploy the migrated configuration from&nbsp;</SPAN><SPAN class="ph">Firepower Management Center</SPAN><SPAN>&nbsp;to the&nbsp;</SPAN><SPAN class="ph">Firepower Threat Defense</SPAN><SPAN>&nbsp;device.</SPAN>" Part of your review is modifying any necessary parameters - that could include the FTD management address.</P> Sun, 25 Aug 2019 12:36:11 GMT https://community.cisco.com/t5/network-security/firepower-migration-tool-diagnostic-mgmt-interface-change-ip/m-p/3913661#M939285 Marvin Rhoads 2019-08-25T12:36:11Z https://community.cisco.com/t5/network-security/firepower-migration-tool-diagnostic-mgmt-interface-change-ip/m-p/3913683#M939286 <P>It is this screen that has me worried. This is from the migration tool and is immediately following "validation" which is just my chance to review everything before I "push" the config. It was my understanding that this step would just send it to the FMC - not actually to the sensor/fw. &nbsp;But the little warning/note seems to say otherwise. &nbsp;I just cant take ANY risk in the environment I am working in, so I am looking for some clarity. &nbsp;</P><P>&nbsp;</P><P><IMG src="blob:https://community.cisco.com/e6d55723-a3d4-43cf-bb21-894c90559dd9" border="0" /></P> Mon, 26 Aug 2019 01:36:14 GMT https://community.cisco.com/t5/network-security/firepower-migration-tool-diagnostic-mgmt-interface-change-ip/m-p/3913683#M939286 Joseph Gaefe 2019-08-26T01:36:14Z