<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cannot import FTD config file to FMC in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/cannot-import-ftd-config-file-to-fmc/m-p/3875174#M994344</link>
    <description>&lt;P&gt;Hi Apostolos&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Were you successful?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Charles&lt;/P&gt;</description>
    <pubDate>Tue, 18 Jun 2019 15:27:23 GMT</pubDate>
    <dc:creator>CharlesNjora9180</dc:creator>
    <dc:date>2019-06-18T15:27:23Z</dc:date>
    <item>
      <title>Cannot import FTD config file to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-import-ftd-config-file-to-fmc/m-p/3742698#M994339</link>
      <description>&lt;P&gt;Hello all,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I hope you are all having a nice day.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I am facing the below issue:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have FTD for VMware:&lt;BR /&gt;&lt;U&gt;&lt;EM&gt;Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.2.3 (Build 83)&lt;/EM&gt;&lt;/U&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When I added the device into FMC everything was wiped out, except for the Management IP.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;FMC Version:&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&lt;U&gt;Cisco Firepower Management Center for VMWare v6.2.3 (build 83)&lt;/U&gt;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I had saved the config file before, and when I tried to import it into FMC I got the following error:&lt;/P&gt;
&lt;DIV id="acff1632-e3f6-11e8-8bb3-ff9bb8dcc624" class="bad notification"&gt;&lt;STRONG&gt;You must convert this ASA configuration to a Firepower Threat Defense configuration before importing it.&lt;/STRONG&gt;&lt;/DIV&gt;
&lt;DIV id="body-wrapper"&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;I installed a second FMC (with the same version as the previous one) to use as a Migration Tool, and when I tried to import it there I got the error:&lt;/DIV&gt;
&lt;DIV&gt;&lt;STRONG&gt;invalid asa configuration file! please pass a valid file&lt;/STRONG&gt;&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;As per the following documentation, the migration tool should only be used for ASA versions 9.1 to 9.7. &lt;EM&gt;&lt;STRONG&gt;This is not an ASA version.&lt;/STRONG&gt;&lt;/EM&gt;&lt;/DIV&gt;
&lt;DIV&gt;&lt;A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620/asa2ftd_intro.html" target="_self"&gt;Cisco ASA to Firepower Threat Defense Migration Guide&lt;/A&gt;&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;On the Internet I see only cases for ASA config to FMC, nothing from FTD config to FMC.&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;The config I'm trying to import into FMC is the following:&lt;/DIV&gt;
&lt;DIV&gt;
&lt;PRE&gt;: Saved
: 
: Serial Number: *********
: Hardware:   ASAv, 8192 MB RAM, CPU Lynnfield 3503 MHz, 1 CPU (4 cores)
!
NGFW Version 6.2.3
!
hostname firepower
enable password $sha512$5000$ZrAIfX2KcH8PB5YgWkB70g==$R+kK8Ui1dBFPzcD5eUtl+g== pbkdf2
strong-encryption-disable
names

!
interface GigabitEthernet0/0
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address dhcp setroute
 ipv6 address autoconfig
 ipv6 enable
!
interface GigabitEthernet0/1
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.45.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network any-ipv6
 subnet ::/0
object network AIM_SERVERS-64.12.31.136
 host 64.12.31.136
object network AIM_SERVERS-64.12.46.140
 host 64.12.46.140
object network AIM_SERVERS-64.12.186.85
 host 64.12.186.85
object network AIM_SERVERS-205.188.1.132
 host 205.188.1.132
object network AIM_SERVERS-205.188.11.228
 host 205.188.11.228
object network AIM_SERVERS-205.188.11.253
 host 205.188.11.253
object network AIM_SERVERS-205.188.11.254
 host 205.188.11.254
object network AIM_SERVERS-205.188.210.203
 host 205.188.210.203
object network AIM_SERVERS-64.12.24.0-23
 subnet 64.12.24.0 255.255.254.0
object network AIM_SERVERS-64.12.28.0-23
 subnet 64.12.28.0 255.255.254.0
object network AIM_SERVERS-64.12.161.0-24
 subnet 64.12.161.0 255.255.255.0
object network AIM_SERVERS-64.12.163.0-24
 subnet 64.12.163.0 255.255.255.0
object network AIM_SERVERS-64.12.200.0-24
 subnet 64.12.200.0 255.255.255.0
object network AIM_SERVERS-205.188.3.0-24
 subnet 205.188.3.0 255.255.255.0
object network AIM_SERVERS-205.188.5.0-24
 subnet 205.188.5.0 255.255.255.0
object network AIM_SERVERS-205.188.7.0-24
 subnet 205.188.7.0 255.255.255.0
object network AIM_SERVERS-205.188.9.0-24
 subnet 205.188.9.0 255.255.255.0
object network AIM_SERVERS-205.188.153.0-24
 subnet 205.188.153.0 255.255.255.0
object network AIM_SERVERS-205.188.179.0-24
 subnet 205.188.179.0 255.255.255.0
object network AIM_SERVERS-205.188.248.0-24
 subnet 205.188.248.0 255.255.255.0
object network Net_192.168.45.0m24
 subnet 192.168.45.0 255.255.255.0
object-group network AIM_SERVERS
 network-object object AIM_SERVERS-205.188.1.132
 network-object object AIM_SERVERS-205.188.248.0-24
 network-object object AIM_SERVERS-205.188.5.0-24
 network-object object AIM_SERVERS-205.188.210.203
 network-object object AIM_SERVERS-205.188.153.0-24
 network-object object AIM_SERVERS-205.188.179.0-24
 network-object object AIM_SERVERS-64.12.24.0-23
 network-object object AIM_SERVERS-64.12.161.0-24
 network-object object AIM_SERVERS-64.12.28.0-23
 network-object object AIM_SERVERS-64.12.163.0-24
 network-object object AIM_SERVERS-64.12.46.140
 network-object object AIM_SERVERS-205.188.7.0-24
 network-object object AIM_SERVERS-64.12.200.0-24
 network-object object AIM_SERVERS-205.188.11.253
 network-object object AIM_SERVERS-64.12.186.85
 network-object object AIM_SERVERS-205.188.11.228
 network-object object AIM_SERVERS-64.12.31.136
 network-object object AIM_SERVERS-205.188.11.254
 network-object object AIM_SERVERS-205.188.9.0-24
 network-object object AIM_SERVERS-205.188.3.0-24
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: Access_to_Internet
access-list NGFW_ONBOX_ACL advanced permit tcp ifc inside object Net_192.168.45.0m24 ifc outside object any-ipv4 eq domain rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc inside object Net_192.168.45.0m24 ifc outside object any-ipv4 eq www rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc inside object Net_192.168.45.0m24 ifc outside object any-ipv4 eq https rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced permit udp ifc inside object Net_192.168.45.0m24 ifc outside object any-ipv4 eq domain rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust ip ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
pager lines 23
logging timestamp
mtu diagnostic 1500
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (any,outside) source dynamic any-ipv4 interface
access-group NGFW_ONBOX_ACL global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
ip-client diagnostic ipv6
ip-client diagnostic
ip-client inside ipv6
ip-client inside
ip-client outside ipv6
ip-client outside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev2 policy 100
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev1 policy 160
 authentication pre-share
 encryption des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.45.46-192.168.45.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
snort preserve-connection
Cryptochecksum:4d40fd250040a849e8dc3a09e3338b8a
: end&lt;/PRE&gt;
Are there any limitations/differences due to that being a virtual machine?&lt;/DIV&gt;
&lt;DIV&gt;&amp;nbsp;&lt;/DIV&gt;
&lt;DIV&gt;Thank you very much in advance,&lt;/DIV&gt;
&lt;DIV&gt;Apostolos&lt;/DIV&gt;</description>
      <pubDate>Fri, 21 Feb 2020 16:27:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-import-ftd-config-file-to-fmc/m-p/3742698#M994339</guid>
      <dc:creator>ak085b</dc:creator>
      <dc:date>2020-02-21T16:27:09Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot import FTD config file to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-import-ftd-config-file-to-fmc/m-p/3742726#M994341</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;SPAN&gt;Apostolos,&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;As far as I am aware it's not possible to import an FTD image, only an ASA image.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;That said you might be able to fudge it....&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Make a copy of the config backup and change it as follows:-&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&amp;nbsp; &amp;nbsp;* Replace "NGFW Version 6.2.3" with "ASA Version 9.X" at the top&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;&amp;nbsp; &amp;nbsp;* Edit any portions of the config that are Firepower specific (ACLs for example) to make them look like they came off an ASA.&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Now try to use the ASA --&amp;gt; FTD conversion tool. It might work. Fingers crossed. Good luck!&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Cheers,&lt;/SPAN&gt;&lt;/P&gt;
&lt;P&gt;&lt;SPAN&gt;Matt.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 09 Nov 2018 09:20:29 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-import-ftd-config-file-to-fmc/m-p/3742726#M994341</guid>
      <dc:creator>matty-boy</dc:creator>
      <dc:date>2018-11-09T09:20:29Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot import FTD config file to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-import-ftd-config-file-to-fmc/m-p/3742737#M994343</link>
      <description>&lt;P&gt;Thanks a lot Matt for your reply&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So I will need to modify all ACLs..&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;This is some test environment. There will be a lot of work to be done for a pre-existing FTD. &lt;span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:"&gt;😄&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I will make the conversion and will update with my results&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thanks again,&lt;/P&gt;
&lt;P&gt;Apostolos&lt;/P&gt;</description>
      <pubDate>Fri, 09 Nov 2018 09:43:20 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-import-ftd-config-file-to-fmc/m-p/3742737#M994343</guid>
      <dc:creator>ak085b</dc:creator>
      <dc:date>2018-11-09T09:43:20Z</dc:date>
    </item>
    <item>
      <title>Re: Cannot import FTD config file to FMC</title>
      <link>https://community.cisco.com/t5/network-security/cannot-import-ftd-config-file-to-fmc/m-p/3875174#M994344</link>
      <description>&lt;P&gt;Hi Apostolos&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Were you successful?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Charles&lt;/P&gt;</description>
      <pubDate>Tue, 18 Jun 2019 15:27:23 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cannot-import-ftd-config-file-to-fmc/m-p/3875174#M994344</guid>
      <dc:creator>CharlesNjora9180</dc:creator>
      <dc:date>2019-06-18T15:27:23Z</dc:date>
    </item>
  </channel>
</rss>

