ASA to FTD migration tool

seegomaa
Level 1

Hello All,

I'm trying to convert an ASA configuration file to FTD but getting the below error on FMC virtual:

Error

Invalid ASA configuration file! Please pass a valid file.

I'm following the Cisco guide. I installed FMC virtual on VMWare and am trying to upload the ASA configuration to convert it, but I'm stuck at the upload package step. The ASA configuration file is .txt and the ASA version is 9.2.

38 Replies

Marvin Rhoads
Hall of Fame

I've only heard of one or two people trying out the migration tool and they were not happy with the experience.

I doubt you will get much input on your issue on the forums - I'd suggest going straight to a TAC case to save time.

Hi Marvin,

The issue here is I'm using a virtual FMC in my lab, as recommended by Cisco, so will they accept supporting this virtual FMC?

You're right - labs and NFR gear can be challenging in that respect.

Do you have a target FTD device or FMC for this "migration" that's under support? That would work.

I have production FMC  under support. 

I found the issue: the line highlighted in blue was missing! I don't understand why the tool gives an error over such a line.

!

: Saved
: Serial Number: *********
: Hardware:   ASA5585-SSP-20, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 1 CPU (8 cores)
: Written by admin at 06:37:47.509 UTC Thu Jan 5 2017
!
ASA Version 9.2(4) 
!
hostname xxxxxx
domain-name xxx.xxx
!
!

After importing the configuration file to the production FMC, I don't understand interface groups. I used to assign one interface to a zone earlier, but interface groups are new for me.

Can anyone explain interface groups vs zones?

Thank you 

They are objects which can be used in ACP rules or wherever an interface needs to be added.

Hey Mate,

Did you get your migration working well?

I am in the process of the same migration. Can you share your experience and any special considerations that I may need to think about? I mostly have ACLs in .. how did you deal with interface groups and zoning?

Hi Prashant,

I didn't get any clear clarification on zones vs interface groups, so I ignored interface groups. I used only zones and removed all interfaces from interface groups. All my ACL and NAT rules are mapped to security zones only. Last Friday we migrated to FTD and it worked perfectly.

Please access the CLI and verify that the configuration is being pushed from FMC to FTD; you can also take a copy of the configuration from the CLI and compare it to your old ASA.

Please also try to use Packet Tracer in the Advanced Troubleshooting tab to check which access rule and NAT rule your traffic will match before you migrate.

 

Make sure you assign the ACP and NAT to the device. 

Still, I have one question I'm searching for an answer to. In ASA, to allow internal users to communicate with DMZ servers we had to use NAT 0 or NAT to the same IP. Do we still need to add such rules in the FTD? All these rules were already migrated and I'm not sure what will happen if I remove them.

All the best.

An interface can only be assigned to a single zone but to multiple interface groups, enabling much more flexibility.

A security zone is similar to nameif: you need to apply an ACL to a security zone, the same as we have been doing with nameif (interface name).

Also, multiple interfaces can be part of the same security zone (not sure if there is any limit); this will ensure that the same policies are applied to all the interfaces participating in the same security zone.

However, when we migrate ASA to FTD, it makes sense to have a 1-to-1 mapping between your ASA interfaces (nameif) and the security zones. Let me know if anyone has other thoughts.

Hello seegomaa. Thanks for your post; in a few days I have to work on the same migration.

Did you first convert ASA to FTD and then connected FTD to FMC?
How did you import ASA's configuration on the FTD?

What guide did you use?

I would be grateful for any help you are able to provide.

Thanks!


You can use a virtual FMC to convert the ASA config to a format that can be directly uploaded into the production FMC. However, for this your existing ASA should be running code 9.1 and above (as per Cisco docs).

You need to first connect FTD to your FMC in order to make any changes. HTH

Hi ortiz,

As Prashant mentioned, you need to use a lab virtual FMC. Never use the production FMC for configuration conversion, because once you use it for conversion you can revert it back and disable the conversion tool (anyone correct me if mistaken, please).

Did you first convert ASA to FTD and then connected FTD to FMC?

Please note that there are two different FMCs here: your production FMC, which you will connect the FTD to, and the lab FMC, which will be used to convert the ASA configuration.

How did you import ASA's configuration on the FTD?

I followed the Cisco guide:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620/asa2ftd_intro.html

Simply take a copy of the ASA configuration, then enable the tool on your lab FMC and import the ASA configuration. FMC will convert it; then export it and import it into your production FMC.
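Two things came up in this thread that can be checked before the file is ever uploaded: the "Invalid ASA configuration file" error went away once the `: Saved` / `ASA Version` preamble was present, and the tool is said to need an ASA running 9.1 or later. The script below is an added example, not part of the thread or of Cisco's tool, that runs those checks over a saved config file. The exact preamble lines it looks for are an assumption taken from the header posted above, not the tool's documented validation rules; the sample configs are constructed.

```python
import re

# Constructed sample modelled on the preamble posted in the thread (serial masked, names replaced).
GOOD_CONFIG = """!
: Saved
: Serial Number: *********
: Hardware:   ASA5585-SSP-20, 12288 MB RAM
: Written by admin at 06:37:47.509 UTC Thu Jan 5 2017
!
ASA Version 9.2(4)
!
hostname example-asa
domain-name example.test
!
"""

# Constructed sample of the failure mode from the thread: the preamble was left out of the file.
BAD_CONFIG = "hostname example-asa\ndomain-name example.test\n!\n"

VERSION_RE = re.compile(r"^ASA Version (\d+)\.(\d+)(?:\((\d+)\))?", re.M)
MIN_VERSION = (9, 1)  # minimum the thread cites from the Cisco docs


def asa_version(text):
    """Return (major, minor) from the 'ASA Version' line, or None if absent."""
    m = VERSION_RE.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_asa_config(text):
    """Return a list of problems found; an empty list means the file looks uploadable.

    Assumed checks: the file starts with '!', carries the ': Saved' marker and an
    'ASA Version' line at or above MIN_VERSION, and declares a hostname.
    """
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != "!":
        problems.append("first line is not '!' (preamble missing)")
    if not any(line.startswith(": Saved") for line in lines):
        problems.append("': Saved' marker missing")
    ver = asa_version(text)
    if ver is None:
        problems.append("'ASA Version' line missing")
    elif ver < MIN_VERSION:
        problems.append("ASA version %d.%d is below %d.%d" % (ver + MIN_VERSION))
    if not re.search(r"^hostname \S+", text, re.M):
        problems.append("'hostname' line missing")
    return problems
```

Run it over the text file you intend to upload; if the list comes back empty, the preamble and version are at least in the shape the thread found the tool to accept.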
