04-20-2021 09:17 AM
We are starting to configure new firewalls to replace our old 5516x. I'm trying to find the easiest way to accomplish this. My plan was going to migrate ACL/Rules to FMC from the 5516x (Done) and then hook up the new firewalls so FMC can at least talk and they can get licensed. These new firewalls won't be used for access control until they are all configured with the correct interfaces and rules. Then when configuration is done, we just move the cable from the old 5516 to the 1140's? Of course the Firepower IPs will be different. Can this be done this way? Is there a better way? Trying to limit downtime of course.
Our current setup with the old 5516 is FMC is not controlling the access, it's just monitoring.
04-20-2021 10:53 AM
Hi @scoutt
If you are going to use different IP addresses on the FPR1140, then you can connect to the network and pre-configure the device and run in parallel to the 5516. When you are ready to cut over, just change the routing to route via the FPR1140 ip address instead of the 5516. Any issues, just change the routing back to the 5516 ip address.
HTH
04-20-2021 11:07 AM
Thanks Rob,
Well, the only IP that will be different is the one to the FMC. We have too many things going to the current one. But it sounds like I can plug it all in, just not connect the outside port. Right?
04-20-2021 11:36 AM
Ok, so a unique IP address for the management interface. So you can establish connectivity to the FMC and apply the configuration in advance of migration. Then yes, just swap cables or shutdown/no shutdown the interfaces on the switch.
04-20-2021 11:44 AM
Well I just realized something. I will have to change the IP on the inside interface and get things configured and then change that interface back to the old IP when we go live. But that should work right?
04-20-2021 11:49 AM
You shouldn't need to do that. You have a dedicated management interface to manage the device, this is different to the inside interface. So you can leave inside interface and configure the device using the management interface, which has a separate IP address.
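The staging rule worked out in the exchange above (only the dedicated management interface needs a unique address while the new FTD runs in parallel; data interfaces may reuse the ASA's addresses as long as their ports stay shut until the cable swap) is small enough to encode as a pre-cutover plan check. The following script is an added example, not code from this thread or from Cisco; the device and interface names, the addresses and the `check_staging`/`cut_over` helpers are all constructed for illustration.

```python
"""Pre-cutover plan check for staging a new firewall in parallel with an old one.

Constructed example. It models the scheme from the thread: the new device is
registered to FMC over its management interface now, while its data interfaces
keep the old device's addresses and stay disconnected until the cable swap.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address


@dataclass(frozen=True)
class Interface:
    name: str
    ip: str
    connected: bool  # True if the cable is in and the switchport is up


@dataclass(frozen=True)
class Device:
    hostname: str
    interfaces: tuple


def live_addresses(device):
    """Map every address that is actually on the wire to its interface."""
    return {ip_address(i.ip): i for i in device.interfaces if i.connected}


def find_conflicts(old, new):
    """List addresses that would be live on both devices at the same time."""
    problems = []
    old_live = live_addresses(old)
    for i in new.interfaces:
        if not i.connected:
            continue  # a shut port cannot clash with anything
        clash = old_live.get(ip_address(i.ip))
        if clash is not None:
            problems.append(
                f"{new.hostname}/{i.name} {i.ip} duplicates "
                f"{old.hostname}/{clash.name} while both are connected"
            )
    return problems


def check_staging(old, new, mgmt_name="management"):
    """Rules for the parallel-staging phase: no live duplicates, and the new
    device's management interface must be up so FMC can register it."""
    problems = find_conflicts(old, new)
    mgmt = [i for i in new.interfaces if i.name == mgmt_name]
    if not mgmt:
        problems.append(f"{new.hostname} has no {mgmt_name} interface")
    elif not mgmt[0].connected:
        problems.append(f"{new.hostname}/{mgmt_name} must be connected for FMC registration")
    return problems


def set_connected(device, name, connected):
    """Return a copy of `device` with one interface's connected flag changed."""
    return replace(device, interfaces=tuple(
        replace(i, connected=connected) if i.name == name else i
        for i in device.interfaces
    ))


def cut_over(old, new):
    """Model the cable swap: every old port goes down, every new port comes up."""
    old_after = replace(old, interfaces=tuple(replace(i, connected=False) for i in old.interfaces))
    new_after = replace(new, interfaces=tuple(replace(i, connected=True) for i in new.interfaces))
    return old_after, new_after


# Constructed sample plan (hostnames and addresses are placeholders).
OLD_ASA = Device("asa5516", (
    Interface("management", "10.0.0.10", True),
    Interface("inside", "192.168.1.1", True),
    Interface("outside", "203.0.113.2", True),
))
NEW_FTD = Device("fpr1140", (
    Interface("management", "10.0.0.11", True),  # unique address, registers to FMC now
    Interface("inside", "192.168.1.1", False),   # same IP as the ASA, port shut until cutover
    Interface("outside", "203.0.113.2", False),  # same IP as the ASA, port shut until cutover
))

if __name__ == "__main__":
    print("staging problems:", check_staging(OLD_ASA, NEW_FTD) or "none")
    after_old, after_new = cut_over(OLD_ASA, NEW_FTD)
    print("post-cutover conflicts:", find_conflicts(after_old, after_new) or "none")
```

Running it on the sample plan reports no staging problems; flipping the new inside port to connected before the swap (`set_connected(NEW_FTD, "inside", True)`) is exactly the duplicate-address case the thread warns about, and the check flags it.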
04-20-2021 11:45 AM
posted it at the same time. lol.
04-20-2021 02:15 PM
Were you also asking about moving the configuration from the old ASA to the new FTD's? There's a migration tool that can be run to assist in this. Due to changes in how NAT rules are handled it's probably a good idea to use it. When we migrated ourselves we brought up the FMC and FTDs. I've attached my short notes here, maybe they can be of service to you.
ej
04-20-2021 02:54 PM
Thanks guys. I think I have it all squared away. Just plugging in the MGMT port and configuring it. We will run a couple cables and set different IP's to test and see if it passes traffic.
Thanks Eric for the text file. I will look it over. I already imported all the rules. But I may have to do it again as things changed already.