This topic is a chance to clarify your questions about the best practices and required elements to migrate your Cisco Adaptive Security Appliance (ASA) to Firepower Threat Defense (FTD).
Because cybersecurity threats evolve continuously, it is important to stay updated and protected. Firepower Threat Defense (FTD) is a next-generation firewall that is able to respond to existing or unknown threats. Its firewall features include access control based on network conditions, user names, ports, and applications or protocols, as well as the ability to establish remote-access VPN or site-to-site communication.
Ask questions from Wednesday 29th of January to Friday 14th of February, 2020
Since there is a dedicated Win/Mac based migration tool that appears in all respects much more complete than the old FMCv based migration process, I assume that the migration tool based version is currently considered "best practise". Can you confirm that? Also, is the FMCv based migration process going to be supported in addition to the migration tool going forward?
Thanks for using our Cisco Community. Yes, as of now, both procedures are supported, but as you mentioned, the Migration tool is the best practice to migrate ASA to FTD.
I hope this information helps,
Migration from ASA to FTD was fine; however, for site-to-site VPN, we have to create the NATing and access rule manually, and there is also no VPN status view.
Thanks for contacting our Cisco Community. I'm not sure what type of site-to-site VPN you have, whether it's with certificates, IKEv1 or IKEv2. Nevertheless, here is some helpful information that you can use to migrate this type of configuration:
Also, if you need additional information, you can take a look at the section "Related Documentation" in the following link:
Hope this helps you,
I have checked the link you sent; it's a guide on how to migrate and configure it manually, nothing like automatic migration. Will it be possible in a future version of the migration tool?
We bought 2x FTD 2100 series to replace our ASA 5545. We are heavily based on site-to-site VPN with IKEv2, cert based. My question is: in order to move from ASA to FTD, can we use the migration tool to convert our ASA IKEv2 configuration to FTD, or do we have to manually create each IKEv2 cert VPN one by one?
We plan to deploy the FTD in active/passive mode. Any recommendation is highly appreciated.
Thanks for using our Cisco Community. For this type of migration, I strongly recommend following this guide:
Migrating ASA to Firepower Threat Defense Site-to-Site VPN Using IKEv2 with Certificates
I hope you find it useful.
Have a great day!
Hi Osvaldo, I'm just wondering if you could shed some light on my case. I'm in the middle of a migration from an ASA 5585 to an FTD-2130. The FTD will be my DR site, and some applications are using the self-signed certificate of the ASA. My question is: can I migrate the self-signed certificate of the ASA to the FTD, even though the hostname and IP address will be different on my FTD? If that is possible, should I import the self-signed certificate as a PKCS12 file and install it on the FTD? I hope you can answer my question.
Thank you very much!