Showing results for 
Search instead for 
Did you mean: 

Ask Me Anything - How to migrate Cisco ASA to FTD

Community Manager
Community Manager

This topic is a chance to clarify your questions about the best practices and required elements to migrate your Cisco Adaptive Security Appliance (ASA) to Firepower Threat Defense (FTD).

Because of the continuous evolution of cybersecurity threats, it is always important to stay updated and protected. Firepower Threat Defense (FTD) is a next-generation firewall that is able to respond to existing or unknown threats. Its firewall features include access control through network conditions, user names, ports, inclusive applications or protocols, and the ability to establish VPN remote access or inter-site communication.

To participate in this event, please use the Join the Discussion : Cisco Ask the Expertbutton below to ask your questions

Ask questions from Wednesday 29th of January to Friday 14th of February, 2020

Featured expert
osvaldo.jpgOsvaldo Garcia is a presale engineer for global customers at Cisco Global Virtual Engineering (GVE). He works the entire Cisco Security portfolio, from FTD, AMP, Cloudclock, Cisco Umbrella, ESA, WSA and ISE to Meraki, among others. Osvaldo holds a Bachelor’s degree in Computer Technology from the Technical Institute of Monterrey. He holds a CCNP Security and a CCNP R&S certification. Osvaldo is currently pursing a CCIE certification.
Osvaldo might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Firewalls community.

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions



Since there is a dedicated Win/Mac based migration tool that appears in all respects much more complete than the old FMCv based migration process, I assume that the migration tool based version is currently considered "best practise".  Can you confirm that?  Also is the FMCv based migration process going to be supported in addition to the migration tool going forward?  


Hi Steve,


Thanks for using our Cisco Community. Yes, as of now, both procedures are supported but as you mentioned the Migration tool is the best practice to migrate ASA to FTD.


Additional reference:


I hope this information helps,

Osvaldo G.

Thank you.


Hi ,

Migration from ASA to FTD was fine, however for site to site VPN, we have to create the NATing and access rule manually and also no VPN status view.


kindly advise.



Hi Ashley,


Thanks for contacting our Cisco Community. I'm not sure about what type of Site-to-site you have, if it's with certificates, IKEv1 or IKEv2. Nevertheless here is some helpful information that you can use to migrate this type of configuration:


Also, if you need additional information, you can take a look at the section "Related Documentation" in the following link:


Hope this helps you,

Osvaldo G.

@Jorge Garcia 


i have check the link you sent, it's a guide how to migrate and configure it manually, nothing like automatic migration, will it be possible in future version of the migration tool.



VIP Advisor VIP Advisor
VIP Advisor

We bought 2xFTD 2100 series to replace our ASA 5545. we are heavily based site-to-site vpn with ikev2 cert based. my question is in order to move from ASA to FTD can we use the  migration tool to convert our ASA ikev2 configuration to FTD or we have to manually create one by one ikev2 cert vpn?

we plan to deploy the FTD in active passive mode. any recommendation is highly appreciated.

please do not forget to rate.

Hi Sheraz,

Thanks for using our Cisco Community. For this type of migration I strongly recommend to follow this guide:


Migrating ASA to Firepower Threat Defense Site-to-Site VPN Using IKEv2 with Certificates


I hope you find it useful.

Have a great day!


Osvaldo G.


Hi Osvaldo Im just wondering if you could shine some light on my case. Im in the middle of a migration  from an ASA 5585 to a FTD-2130 the ftd will be my DR site and some applications are using  the self singed certificate of the ASA. My question is : can I migrate the self signed certificate of the Asa to the Ftd, even thou when the hostname and IP address will be diferent in my ftd? If that is possible should I import the self singed as a pcks12 file and installing in the FTD? I hope you can answer my question.



Thank  you very much!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: