
ASA 5500 to Cisco Firepower 2110 ASA Appliance migration

Haroon321
Level 1

We have a Cisco 5525 with 9.14.4 and ASDM 7.18 currently working, and we have purchased a Cisco Firepower 2110 ASA appliance. I need to confirm whether for migration we only need to copy the running configuration from the ASA 5525 and paste it into the Firepower 2110 ASA, or if anything else needs to be done.

One more thing: after migration, can we continue managing the new firewall through ASDM?

Accepted Solutions

@Haroon321 it depends what you are using the ASA for; you may need to export certificates and import them to the new ASA. Most of the configuration can be copied and pasted onto the new ASA. You should probably check the interfaces, as they may differ.

Depending on the ASA version running on the new hardware, you should be aware that some older, weaker crypto algorithms for TLS/IKE/IPSec have been deprecated, so you may wish to confirm what is in use.

Hi Rob,

Can we manage the Cisco Firepower 2110 ASA through ASDM?

SS2020
Level 1

Hello all,

I have the same issue and am not sure which certificates I need to move over. I was told you only need a new cert if you run RAS, but I am not in this case. I only use the firewalls for internet, site-to-site VPN and other security purposes.

Any ideas will be appreciated.

@SS2020 if your Site-to-Site VPNs are using certificate authentication then you will need to export and import these certificates. If they use PSK, then you need to export these, you can see the plaintext PSK using "more system:running-config".

Hello Rob,

Thank you for the quick response. We use PSK. But how do I know for sure that I'm not using RAS? The firewall was done by some other third parties 10 years ago. Could you tell me all the right commands to check the RAS configuration and current sessions, if they exist, please?

@SS2020 you can use the command "show vpn-sessiondb summary" (https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/S/asa-command-ref-S/m_show_u-show_z.html#wp2807501790); this will confirm the active sessions.

If there are no active RAS sessions, you should check your configuration to determine whether the ASA is configured for AnyConnect or Clientless VPN connections.

SS2020
Level 1

Thank you so much Rob.

I have another question that I have posted on the community, but so far no one has replied to me yet.

I have an FTD FXOS 2k. It won't allow me to make any configurations; it only allows me to do show commands, but last week I was allowed to make changes. Any ideas, please?

johnlloyd_13
Level 9

hi,

you'll need to check if it's using ASA version 9.13 and above so that it's running the 'appliance' mode (classic ASA).

check also with your vendor/cisco reseller for the smart license you'll need. the 3DES/AES is disabled by default (bummer!).

note the FPR 2100 ASA interfaces are now called "ethernet", so you'll need to edit your config accordingly.

yes, the box is still managed using ASDM.

refer to link below:

https://ccnpsecuritywannabe.blogspot.com/2023/02/cisco-firepower-2100-asa-appliance-mode.html
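
Added example, not part of any post in this thread: a pre-migration check over a saved copy of the old ASA's configuration that flags the items raised above (interface names that need renaming, algorithms the newer ASA version may reject, masked pre-shared keys that a copy and paste will not carry over, and signs of remote-access VPN). The sample configuration and the weak-algorithm list are constructed assumptions; confirm the list against the release notes for the ASA version on the new appliance.

```python
import re

# Constructed sample of a "show running-config" capture from the old ASA
# (illustrative values only, not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256
 group 19
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group RA-USERS type remote-access
webvpn
 enable outside
 anyconnect enable
"""

# Assumed rule set: confirm the weak-algorithm list against the release notes
# for the ASA version on the new appliance before relying on it.
CHECKS = {
    "interface-rename": re.compile(r"\bGigabitEthernet\d+/\d+"),
    "weak-crypto": re.compile(
        r"^\s+(encryption\s.*\b(des|3des)\b|(hash|integrity)\s.*\bmd5\b"
        r"|group\s[\d ]*\b(1|2|5|24)\b)|\besp-(des|3des|md5-hmac)\b"),
    "masked-psk": re.compile(r"pre-shared-key \*{3,}"),
    "remote-access-vpn": re.compile(
        r"^\s*(webvpn$|anyconnect\s+(enable|image)\b"
        r"|tunnel-group \S+ type remote-access\b)"),
}

def audit(config_text):
    """Return (line number, check name, line) for every line needing review."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for name, pattern in CHECKS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings

if __name__ == "__main__":
    for lineno, name, line in audit(SAMPLE_CONFIG):
        print(f"{lineno:>3}  {name:<18} {line}")
```

A "masked-psk" finding means the key has to be read from "more system:running-config" on the old ASA, as noted earlier in the thread, before the tunnel-group is recreated.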
