Hi Marvin,

 The issue her is i'm using a virtual FMC in my lab as recommended by cisco so will they accept supporting this virtual FMC. 

You're right - labs and NFR gear can be challenging in that respect.

Do you have a target FTD device or FMC for this "migration" that's under support? That would work.

I have production FMC  under support. 

I found the issue. the line highlighted in blue was missing !!!. I don't understand why the tool gives error with such line.

!

after importing configuration file to production FMC i don't understand interface groups. I used to assign one interface to a zone earlier. but interface group is new for me.

can anyone explain what is interface groups vs zone.

Thank you 

Are object which can be used in ACP rules or wherever it requires to add an interface.

Hey Mate,

did you get your migration worked well ?

I am in the process of same migration, can you able to share your experience  and any special consideration that I many to think about. I mostly have ACLs in .. how did you deal with interface group and zoning ?

Hi Prashant,

I didn't get any clear clarifications on zones vs interface groups so  I ignored interfaces groups. i used only zones and removed all interfaces from interface groups. All my ACL and NAT are mapped to security zones only. Last Friday we migrated to FTD and it worked perfectly.

Please access cli and verify that the configuration is being pushed from FMC to FTD and you can take copy of the configuration also from the cli and compare it to your old ASA.

Please also try to use Packet trace in advanced troubleshooting tab to check which access rule and NAT rule your traffic will match before you migrate

Make sure you assign the ACP and NAT to the device. 

Still i have one question searching for answer.  In ASA to allow internal users to communicate with dmz servers we had to use NAT 0 or nat to the same ip. Do we still need to add such rules in the FTD ? all these rules already migrated and not sure what will happen if i remove them.

all the best.

An interface can only be assigned to a single zone but to multiple interface groups enabling much more flexibility.

Security -zone is similar to name-if, you need to apply ACL to a security zone, the same we have been doing to name-if ( inteface name).

Also, multiple interfaces can be the part of same security zone (  not sure if there is any limit) , this will ensure that same policies will be applied to all the interfaces participaiting in the same security-zone.

However, when we migrate ASA to FTD, it make sense to have 1 to 1 mapping between your ASA interfaces ( name-if) and the security zones . Let me know if anyone has other thought.

Hello seegomaa. Thanks for your post, in a few days I have to work with same migration.

Did you first convert ASA to FTD and then connected FTD to FMC?
How did you import ASA's configuration on the FTD?

What guide did you use?

I would be grateful for any help you are able to provide.

Thanks!

You can use Virtual FMC to convert ASA config to a format that can be directly uploaded into production FMC. However , for this your existing ASA should be running with the code 9.1 and above ( as per cisco docs).

You need to first connect FTD to your FMC in order to make any changes,HTH

Hi ortiz

As prashant mentioned, you need to use Lab virtual FMC. never use the production FMC for configuration conversion because  once you use it for conversion you can revert it back and disable the conversion tool ( anyone correct if mistaken please)

Did you first convert ASA to FTD and then connected FTD to FMC?

Please note that there are two different FMCs here, your production FMC which you will connect FTD to and lab FMC which will be used to convert ASA configuration.

How did you import ASA's configuration on the FTD?

I followed cisco  guide

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620/asa2ftd_intro.html

simply take copy of ASA configuration then enable the tool on your lab FMC, then import ASA configuration. FMC will convert it then export it and import it to your production FMC