ASA to FTD Migration Management Interface Config Question

jwornstaff
Level 1

I'm in the process of starting my first round of ASA to FTD device migrations and have concerns and questions regarding what to do with the management interface on both, during or for migration purposes.

My current ASA is attached to Firepower Management Center and managed by an inside interface, not the management interface.

The ASA does not have an IP on the Management Interface, but it is attached/connected to the Management VLAN on a switch, mainly because I was under the impression that it was needed to communicate with the internal SFR IPS.

My new FTD currently has a management-only IP and is attached to the Management VLAN switch, and is registered with FMC with that IP.

So my main question is: if I run the migration tool and deploy directly to the new FTD, is it going to erase the current management IP with the migrated ASA config (which has no IP) and render it inaccessible?? Will the FMC stop communicating with it?

i.e. I need remote access to the device and management port.

I want to have both manageable and the configurations ready to go on the new FTD until a maintenance window is available to move cables etc... unable to do it all at once.

Any migration scenarios that have worked for others?


balaji.bandi
Hall of Fame

You can configure the new FTD with the Management config and register it with FMC as normal, then migrate the config.

Once you run the Migration tool, instead of managing from Inside as you do for the ASA, you use the FTD MGMT interface for management; the rest all works as expected?

Since you are not touching the existing kit or changing it, use a different Management IP address for the FTD for migration. Is this workable?

BB


The FTD has a different management IP than the ASA; however, according to the Migration Guide, it says that all current configs on the FTD will be erased as the ASA configs are migrated/imported to the FTD. So that is why I'm concerned about the current FTD IP being erased, and either or both the migration failing since the current management IP is being erased with the ASA config and/or losing remote access altogether.

balaji.bandi
Hall of Fame

Personally - if the ASA has many rule bases - it's hard to deploy them manually in FTD - only then do I use Migration tools.

Yes, when you migrate it does erase all of the FTD config, but I think it will not erase the management part - cannot recollect exactly.

If they are fewer than 100, then it's time to consolidate them and create them manually, so you have a chance to clean up or make necessary improvements in the Zone before you migrate.

Does this work for you?

BB


The current management IP on the FTD is the only thing I'm concerned about.

The ACL list is small, and I would like to do the direct migrate and deploy to the new FTD device, not manually.

I guess I will just run the migration and deployment and hope I don't lose connectivity to the device and the management IP does not get erased.

The FTD management IP is one of the few things not erased during a migration. Basically all of the bootstrap options you set during out of the box setup on FTD itself are unchanged. The data interface addresses and names, ACLs, NAT rules etc. will all get set with whatever is in the FMC policies.

Thanks Marvin, that is the reassurance I was looking for. I'm doing a DEV net now, so not a big deal, though a lot of folks are working remotely and using our DEV net, so I can still afford to break it but it's not critical. Thanks!

Marvin, I have one other question maybe you can assist with. The new FTD 1010 is giving a Health Error in the FMC, indicating "Cisco Diagnostic Configuration Failure - Cisco Cloud configuration Failure". It's possible I did not select the option during initial setup, as the FTD does not have direct internet access but the FMC has a connection via an internal proxy. Is there a way to configure Cisco cloud on the FTD after the fact, i.e. via CLI or FMC... I can't find the configuration options.

Check your FMC under Settings (gear icon in top right) > Integration > Cloud Services

balaji.bandi
Hall of Fame

Personally I do not see any issue; if you lose it after deployment, you still have access to the FTD console to fix the Management IP and re-register with FMC (since the FTD is not in production it will not affect any production traffic here, as long as you have not connected any interface of the FTD to live networks).

BB

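As an added illustration of the console recovery path the reply above describes (these are not commands from the thread; they are the standard FTD CLI commands for checking and resetting the management address and manager registration), the sequence below shows what a practitioner would run from the console to confirm the management IP survived a deployment and, if it did not, to restore it and re-register with the FMC. The addresses and the registration key are constructed placeholders, and the FMC-side registration key must match the one entered in FMC when the device is re-added.

```text
# Before deploying: record the current management settings and manager state
> show network
> show managers

# After deploying, repeat the two checks above. If the management IP is gone
# or the manager shows as not registered, restore the address first
# (constructed values: management IP 192.0.2.10/24, gateway 192.0.2.1):
> configure network ipv4 manual 192.0.2.10 255.255.255.0 192.0.2.1

# Then re-register with the FMC (constructed FMC address 192.0.2.5; the
# registration key is a placeholder that must match the key entered in FMC):
> configure manager delete
> configure manager add 192.0.2.5 REGISTRATION-KEY-PLACEHOLDER

# Confirm the device reports the manager as registered/pending before
# completing the add on the FMC side:
> show managers
```

Capturing `show network` and `show managers` output before the deployment is the cheap check: it gives a known-good baseline to compare against and, for a remote site with no console server, tells you before the maintenance window whether the bootstrap settings match what the FMC expects.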

I'm working remotely; however, on this particular device I do have a console server attached to the console for remote access. However, going forward for a couple of remote sites, some of which are OCONUS, I do not have those options, so if I lose connectivity, I'm on a plane halfway around the world..... Thanks for your assistance.
