cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12812
Views
13
Helpful
38
Replies

ASA to FTD migration tool

seegomaa
Level 1
Level 1

Hello All,

I'm in trying to convert ASA configuration file to FTD but gettingbelow error on FMC virtual 

Error

Invalid ASA configuration file! Please pass a valid file.

I'm following Cisco guide I installed FMC virtual on VMWare and trying to upload the ASA configuration to convert it but stuck in the upload package step. ASA configuration file is .txt and ASA version is 9.2

38 Replies 38

Thanks seegomaa and prashant dwivedi ! You help me a lot with these notes.

Kind Regards.-

.

I did the migration and it was OK, but I need to know if I can migrate the ASA routing to FTD specially I've static routes, and if not is there a way to do this through csv file or any text editor as I've more than 1k routes.

Hi Ahmedelfeki,

Was your problem solved? We are also on the migration step. I wonder if the migrated config will apply the routing and the interface configuration to the FTD device.

Kind regards

Hey Seegomma, thanks for your reply.

 

 

So you used one security zone for each of interfaces on your existing ASA?

Can you please confirm if you have applied new ACLs under pre-filter or access control policy? Do we also need to worry about security level as this is with existing devices that allows all traffic from higher to lower level?

What command did you use to check the policies at the new FTD devices?

 

I don’t think there is auto-nat feature on FTD hence I Don’t see any need of configuring a NAT 0 or identity NAT for your traffic going from inside to DMZ segments. Your new FTD is running in cluster layer 2 mode ?

Hi Prashant,

So you used one security zone for each of interfaces on your existing ASA?

Yes 

Can you please confirm if you have applied new ACLs under pre-filter or access control policy?

ACL is applied under ACP . 

There is no security levels in the FTD. if there is no ACL match, default action in the bottom will apply.

Your new FTD is running in cluster layer 2 mode ?

FTD is running in HA. Firewall is running routed mode.  

could you please clarify what do you mean by Layer 2 mode ?

this is my email you can contact me:  mohamed.gbm@gmail.com

Hi seegomaa, you said that you have applied the new ACLs under ACP. In my case, we have more than 25K ACL on the ASA. How many ACLs did you migrate? I am thinking that in my case it would be more efficient pre-filter first and then ACP for deep inspection.

Thanks!

.

Hi 

i now thanks to you all , understand the process, but i have missing link to complete it , the old situation is ASA with FP module , i will back the configuration up ===> convert it ===> re-image the ASA to FTD ===> my question is here , what about the interfaces IP addresses and nameif , in order to add it to the FMC or what ,

thanks to advice  

Hey mate,

did you import your poilcy under Access-control and not under pre-fiter policy ?

 

I have feeling that when you import into into pre-filter you must have to have inteface-group configured and the security zone.

 

Later on, you need to assign these interface groups to the security zones. 

 

policies are based at interface-group name which is indirectly mapped to the secuirty zone .

 

 

I am dealing with layer 2 , hence packet tracer cant be much handy... 

Hi Seegomaa,

Once you import the config file to prod FMC, are the interface ip address configurations on FTD applied properly? 

Kind regards

I just have the same issue. I tried to add "  Written by admin at 06:37:47.509 UTC Thu Jan 5 2017 " at the exact same place in my config file as follows :

: Saved

:
: Serial Number: 
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
: Written by admin at 06:37:47.509 UTC Thu Jan 5 2017

!
ASA Version 9.5(3)
!

It still says invalid ASA configuration file. Please Advise!!!!!!

thanks in advance. 

[@karthik.b4055]  ,

If you simply add the line in manually it will throw off the checksum of the file and may cause it to be marked invalid.

I'd suggest opening a TAC case to investigate fully. 

Hi Marvin,

I am uploading FWSM file to  FMC migration tool but its not accepting, dose anyone has migrate FWMS file here.

khanquisher  ,

A FWSM (Firewall Service Module) is not an ASA. Only ASA is supported as the source platform for the input configuration.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620/asa2ftd_intro.html#id_28217

Hello Marvin,

Need your thought around enable logging on the ACPs rules.

As per the cisco document below when we convert the ASA to FTD , ACLs that have been configured to generate logs ( log keyword) would not be configured for logging once they have migrated to FMC. so the workaround is you need to go to each access control policies on FMC and enable logging ( start of the connection or end ) .. is there any workaround on the same?

I have around 300 entries and don't like doing it manually. 

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/asa2ftd-migration/asa2ftd-migration-guide-620/asa2ftd_conversion_mapping.html

It would seem that you should be able to do this via the API but I haven't the experience using that to say for sure whether or not it is possible. It would be a good lab experiment in any case!

If you are only doing it once though, it might be easier to just clickety click through all 300 rules.

Review Cisco Networking for a $25 gift card