Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1744
Views
5
Helpful
10
Replies

Migrate from Cisco ASA (Active/Standby) to Firepower - Best Practices

Go to solution
ravindra962
Level 1
Level 1

‎01-22-2020 05:49 AM - edited ‎02-21-2020 09:51 AM

Hello

I am about to migrate a Cisco ASA (Active Standby Cluster) to Firepower.

My ASA Cluster has L2L VPN Tunels (Policy based and Route Based) and Extended ACL's applied to different interfaces for Multiple Clients Traffic.

I am looking for Best Practices to do this migration so that it will have no impact on Production

Any Help here would be much appreciated.

Thanks

Ravi

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to ravindra962

‎01-29-2020 11:28 AM

Possibly the only thing I can thing of is the interfaces maybe different, so you'll have to investigate that.

Other than that you should be able to migrate the configuration. If you are using Pre-Shared Keys (PSK) then this is not displayed when you run "show run", so if you use the command "more system:running-config" this will display the PSK.

View solution in original post

10 Replies 10

Go to solution
Rob Ingram
VIP
VIP

‎01-22-2020 06:00 AM

Hi,

Have a look at the Firepower Migration tool, this will assist in migrating from ASA to Firepower.

https://www.cisco.com/c/en/us/products/security/firewalls/firepower-migration-tool.html

 

Beware FTD does NOT currently support route based VPNs, you can only use policy based.

 

HTH

0 Helpful

Go to solution
ravindra962
Level 1
Level 1
In response to Rob Ingram

‎01-24-2020 08:09 AM

When you say it doesn't support Route based VPN, do you mean the Migration Tool doesn't support the route based VPN or the firewall itself doesn't support route based VPN

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to ravindra962

‎01-24-2020 08:27 AM

The firewall (FTD) itself does not currently support route based VPNs, only policy based.
0 Helpful

Go to solution
ravindra962
Level 1
Level 1
In response to Rob Ingram

‎01-29-2020 06:43 AM

Is it Possible to Migrate the ASA code to Firepower without converting the ASA code to the Firepower code. Like a Cisco Firepower with ASA code

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to ravindra962

‎01-29-2020 06:50 AM

If you mean can you run ASA code on the Firepower hardware (1000, 2100, 4000 or 9300 series appliances) then yes you can run either ASA or FTD.

HTH
0 Helpful

Go to solution
ravindra962
Level 1
Level 1
In response to Rob Ingram

‎01-29-2020 10:55 AM

So if run the ASA code then that migration is pretty easy or is there any limitations for that as well? or any compatibility issues

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to ravindra962

‎01-29-2020 11:05 AM

If the existing firewall is an ASA HA pair then it should be a simple migration to the new ASA HA pair using the firepower hardware.
0 Helpful

Go to solution
ravindra962
Level 1
Level 1
In response to Rob Ingram

‎01-29-2020 11:23 AM

Thank you

This means there won't be any kind of configuration changes correct?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to ravindra962

‎01-29-2020 11:28 AM

Possibly the only thing I can thing of is the interfaces maybe different, so you'll have to investigate that.

Other than that you should be able to migrate the configuration. If you are using Pre-Shared Keys (PSK) then this is not displayed when you run "show run", so if you use the command "more system:running-config" this will display the PSK.

Go to solution
ravindra962
Level 1
Level 1
In response to Rob Ingram

‎01-29-2020 12:54 PM

The Physical Interface Code for ASA will be changed to FXOS code.

The rest will be the same

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card