Beginner

ASA to FTD migration tool

Hello All,

I'm trying to convert an ASA configuration file to FTD but getting the below error on FMC virtual:

Error

Invalid ASA configuration file! Please pass a valid file.

I'm following the Cisco guide. I installed FMC virtual on VMware and am trying to upload the ASA configuration to convert it, but I'm stuck at the upload package step. The ASA configuration file is .txt and the ASA version is 9.2.

38 Replies
Hall of Fame Guru

I've only heard of one or two people trying out the migration tool and they were not happy with the experience.

I doubt you will get much input on your issue on the forums - I'd suggest going straight to a TAC case to save time.

Beginner

Hi Marvin,

The issue here is I'm using a virtual FMC in my lab as recommended by Cisco, so will they accept supporting this virtual FMC?

Hall of Fame Guru

You're right - labs and NFR gear can be challenging in that respect.

Do you have a target FTD device or FMC for this "migration" that's under support? That would work.

Beginner

I have a production FMC under support.

Beginner

I found the issue. The line highlighted in blue was missing!!! I don't understand why the tool gives an error for such a line.

!

: Saved
: Serial Number: *********
: Hardware:   ASA5585-SSP-20, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 1 CPU (8 cores)
: Written by admin at 06:37:47.509 UTC Thu Jan 5 2017
!
ASA Version 9.2(4) 
!
hostname xxxxxx
domain-name xxx.xxx
!
!
Beginner

After importing the configuration file to the production FMC, I don't understand interface groups. I used to assign one interface to a zone earlier, but interface groups are new for me.

Can anyone explain what interface groups are vs. zones?

Thank you 

Cisco Employee

They are objects which can be used in ACP rules or wherever it is required to add an interface.

Hey Mate,

Did you get your migration to work well?

I am in the process of the same migration. Can you share your experience and any special considerations that I may need to think about? I mostly have ACLs in .. how did you deal with interface groups and zoning?

Beginner

Hi Prashant,

I didn't get any clear clarification on zones vs. interface groups, so I ignored interface groups. I used only zones and removed all interfaces from interface groups. All my ACL and NAT rules are mapped to security zones only. Last Friday we migrated to FTD and it worked perfectly.

Please access the CLI and verify that the configuration is being pushed from FMC to FTD. You can also take a copy of the configuration from the CLI and compare it to your old ASA.

Please also try to use Packet Tracer in the Advanced Troubleshooting tab to check which access rule and NAT rule your traffic will match before you migrate.

 

Make sure you assign the ACP and NAT policy to the device.

Still, I have one question I am searching for an answer to. In ASA, to allow internal users to communicate with DMZ servers we had to use NAT 0 or NAT to the same IP. Do we still need to add such rules in the FTD? All these rules were already migrated and I'm not sure what will happen if I remove them.

All the best.

An interface can only be assigned to a single zone but to multiple interface groups, enabling much more flexibility.

A security zone is similar to name-if: you need to apply the ACL to a security zone, the same as we have been doing with name-if (interface name).

Also, multiple interfaces can be part of the same security zone (not sure if there is any limit); this will ensure that the same policies are applied to all the interfaces participating in the same security zone.

However, when we migrate ASA to FTD, it makes sense to have a 1-to-1 mapping between your ASA interfaces (name-if) and the security zones. Let me know if anyone has other thoughts.

Frequent Contributor

Hello seegomaa. Thanks for your post; in a few days I have to work on the same migration.

Did you first convert ASA to FTD and then connected FTD to FMC?
How did you import ASA's configuration on the FTD?

What guide did you use?

I would be grateful for any help you are able to provide.

Thanks!


You can use a virtual FMC to convert the ASA config to a format that can be directly uploaded into the production FMC. However, for this your existing ASA should be running code 9.1 and above (as per Cisco docs).

You need to first connect FTD to your FMC in order to make any changes. HTH

Beginner

Hi ortiz

As Prashant mentioned, you need to use a lab virtual FMC. Never use the production FMC for configuration conversion, because once you use it for conversion you can revert it back and disable the conversion tool (anyone correct me if mistaken, please).

Did you first convert ASA to FTD and then connected FTD to FMC?

Please note that there are two different FMCs here, your production FMC which you will connect FTD to and lab FMC which will be used to convert ASA configuration.

How did you import ASA's configuration on the FTD?

I followed the Cisco guide:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620/asa2ftd_intro.html

Simply take a copy of the ASA configuration, then enable the tool on your lab FMC, then import the ASA configuration. FMC will convert it; then export it and import it into your production FMC.
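A pre-upload check for the ASA config file, written here as an added example (it is not from the thread and not Cisco's tool). It assumes the missing line in seegomaa's post was the "ASA Version" header, checks the 9.1 minimum Prashant mentioned, and builds the 1-to-1 name-if to security zone mapping suggested earlier in the thread; the sample config is constructed.

```python
import re

# Constructed sample config (not from the thread): header block plus three interfaces.
SAMPLE_ASA_CONFIG = """\
: Saved
!
ASA Version 9.2(4)
!
hostname xxxxxx
!
interface GigabitEthernet0/0
 nameif outside
!
interface GigabitEthernet0/1
 nameif inside
!
interface GigabitEthernet0/2
 nameif dmz
!
"""

# Assumption: the "ASA Version" header is the line the migration tool requires.
VERSION_RE = re.compile(r"^ASA Version (\d+)\.(\d+)", re.MULTILINE)
MIN_VERSION = (9, 1)  # the thread says the tool needs ASA 9.1 or later

def asa_version(config: str):
    """Return (major, minor) from the 'ASA Version' header line, or None if absent."""
    m = VERSION_RE.search(config)
    return (int(m.group(1)), int(m.group(2))) if m else None

def check_header(config: str) -> list:
    """List reasons the file would likely be rejected, before it is uploaded."""
    problems = []
    v = asa_version(config)
    if v is None:
        problems.append("missing 'ASA Version' header line")
    elif v < MIN_VERSION:
        problems.append(f"ASA version {v[0]}.{v[1]} is below 9.1")
    return problems

def nameif_to_zone(config: str) -> dict:
    """Propose the 1-to-1 mapping: one security zone per nameif -> its interface."""
    zones, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith(" nameif ") and current:
            zones[line.split()[1]] = current
    return zones
```

Run check_header on the saved config before enabling the tool on the lab FMC; an empty list means the header looks acceptable.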