ASA Firepower

onikaycee · ‎02-12-2021

Hello,
Please I am tasked with migrating 3 different ASAs into Firepower, I am trying to use the migration tool which seems faster but my problem is each time I connect the migration tool to each ASA, a new policy package is generated hence this will overwrite the previous policy package from another ASA

please is there a way i could do this seamlessly? there are a thousand NAT statements and also over 700 ACL statements with tonnes of Network Objects.

Please advise

Marvin Rhoads · ‎02-12-2021

If you are looking to merge three separate ASAs into one Firepower Threat Defense appliance, that is not currently supported with the Firepower Migration Tool. The process I've followed is to

1. clean up all of the source configurations - removing unused objects, ACLs and ACL entries.

2. Migrate the largest ASA configuration first to minimize the remaining work.

3. Migrate #2 and #3 selecting only objects when you migrate. That will write them all to the target FMC and this save you some work when creating the remaining NAT statements and ACP entries later on.

Marius Gunnerud · ‎02-12-2021

Optionally, you can look into scripting this. For example, you could save all the ASA configurations into three separate text files, then write a script that parses the text files, extracts the required data you are looking to migrate, and then send it to the FMC using API. Of course creating this script might take a little time depending on your coding experience, but I will assume it will take less time than manually migrating the required rules and you will be learning something new in the process.

--
Please remember to select a correct answer and rate helpful posts