Best practices to migrate two ASA firewalls in standalone mode operating in a critical network to Firepower 2130 in failover act/act and Multiple Context

Hannibal
Level 1

Hi Community

 

I would like to know if the community has had experiences or any discussion about the best practices to migrate two ASA firewalls in standalone mode operating in a critical network.

 

The process is to migrate the two ASAs to new Firepower hardware with the ASA image, in multiple-context mode and Active/Active failover.

 

Each old ASA will become a context on the new hardware. It is very interesting what I should do, so I would like to know about experiences in these cases.

 

In other words: best practices for hardware migration from ASA firewalls to a Firepower 2130 with Active/Active failover, ASA image and multiple contexts, within a network in critical operation.

 

Thank you in advance, Community

5 Replies

These are the steps I would follow.

1. rack mount new Firepower hardware

2. shutdown switch interfaces new Firepower will connect to and configure the interfaces as required with regards to Trunk, access ports, etc.

3. cable the Firepower interfaces to the newly configured switch interfaces

4. bootup new firepower hardware with ASA image

5. upgrade the image to latest recommended software release

6. create the required contexts and assign the required physical or logical interfaces

7. copy old ASA configuration to the new Firepower and into their respective contexts and verify all configuration has been copied over correctly.

8. Shutdown switch interfaces of the old ASAs (For the cutover I would suggest being onsite in case you lose connectivity to the devices)

9. no shut switch interfaces for new Firepower (For the cutover I would suggest being onsite in case you lose connectivity to the devices)

10. verify network connectivity

 

Rollback,

1. shutdown switch interfaces for new Firepower

2. no shut switch interfaces for old ASAs

--
Please remember to select a correct answer and rate helpful posts
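Step 7 above ("verify all configuration has been copied over correctly") is where most cutover surprises hide, because a context holds a large config and a missed ACE or NAT line is invisible until traffic fails. The following Python checker is an added example, not code from this thread or from Cisco: it parses an old standalone ASA config and the new context config into statements, remaps interface names, and reports what is missing or extra. Both configurations are constructed samples, and the interface mapping (old GigabitEthernet0/x to Ethernet1/x in the 2130 context) is an assumption you replace with your own allocation.

```python
"""Added example: verify that a standalone ASA configuration survived the copy
into its new security context on the Firepower 2130 (step 7 of the procedure).

OLD_ASA and NEW_CTX are constructed samples. Statements are compared as sets,
so ordering differences do not matter; interface names are remapped through
IFACE_MAP because the context sees different physical interface names
(assumed here: GigabitEthernet0/x on the old box -> Ethernet1/x in the context).
"""
import re

# Top-level lines that legitimately differ between old box and new context
# and carry no policy, so they are excluded from the comparison.
IGNORED_PREFIXES = (":", "ASA Version", "hostname", "Cryptochecksum", "!", "end", "banner ")

OLD_ASA = """\
: Saved
:
ASA Version 9.8(4)
!
hostname asa-old
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
object network INSIDE_NET
 subnet 10.10.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 10.10.0.50 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
nat (inside,outside) source dynamic INSIDE_NET interface
Cryptochecksum:0123456789abcdef
: end
"""

# Constructed context config: the deny/log ACE was lost in the copy and an
# extra ssh line was added by hand.
NEW_CTX = """\
hostname ctx-old-asa-1
!
interface Ethernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet1/2
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
object network INSIDE_NET
 subnet 10.10.0.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host 10.10.0.50 eq 443
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
nat (inside,outside) source dynamic INSIDE_NET interface
ssh 10.10.0.0 255.255.255.0 inside
"""

# Assumed mapping of old physical interfaces to the names allocated in the context.
IFACE_MAP = {"GigabitEthernet0/0": "Ethernet1/1", "GigabitEthernet0/1": "Ethernet1/2"}


def parse_statements(config_text):
    """Group a running-config into (top-level command, [indented sub-commands]) blocks."""
    statements = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith((" ", "\t")):  # sub-command belongs to the previous block
            if statements:
                statements[-1][1].append(line.strip())
            continue
        if line.startswith(IGNORED_PREFIXES):
            continue
        statements.append((line, []))
    return statements


def normalize(statement, iface_map):
    """Render a block as one canonical string, with interface names remapped."""
    cmd, subs = statement
    text = " | ".join([cmd] + sorted(subs))
    for old_name, new_name in iface_map.items():
        text = re.sub(r"\b" + re.escape(old_name) + r"\b", new_name, text)
    return text


def compare_configs(old_text, new_text, iface_map):
    """Return (missing, extra): statements absent from / added to the new context."""
    old_set = {normalize(s, iface_map) for s in parse_statements(old_text)}
    new_set = {normalize(s, {}) for s in parse_statements(new_text)}
    return sorted(old_set - new_set), sorted(new_set - old_set)


if __name__ == "__main__":
    missing, extra = compare_configs(OLD_ASA, NEW_CTX, IFACE_MAP)
    for line in missing:
        print("MISSING in new context:", line)
    for line in extra:
        print("EXTRA in new context:  ", line)
    print("OK" if not (missing or extra) else f"{len(missing)} missing, {len(extra)} extra")
```

Run it against `show running-config` output from the old ASA and `show running-config` taken inside the new context; anything reported as MISSING is a policy line that did not survive the copy, which is exactly what you want to know before step 8, not after.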

Hannibal
Level 1

Hi Marius,
Excellent response of yours on this topic, which I consider important and useful to the community.

We can complicate it a bit more, because it is my real case. In addition to replacing the old ASAs, the new Firepower with ASA image will be installed within the same Data Center on other switches. They will continue in the same distribution layer, but now in a stack made up of new Catalyst C9300 switches.

 

What should we consider when configuring the new switches? What should we copy from the ports of the switches where the old ASAs are installed to the ports of the stack where the new Firepower 2130 with ASA image will be installed? I have heard of the use of transitional VLANs, IP addresses, etc.

 

What other aspects should we consider in the migration process?

 

What about VLAN Layer 3 and VLAN Layer 2 routing?

 

In another building, there will be the redundant Data Center where we will have the secondary Firepower.

 

Remember, Failover Active Active and Multiple contexts

 

With best regards and thanks again

What should we consider when configuring the new switches?

I am not entirely sure what you are asking for here.  The switchports should be identical to the ones that the ASAs are connected to since this is a migration and not a completely new installation.  This also depends on if you want to do a clean cutover or run the two installations parallel for a controlled cutover.

For a controlled cutover you would need separate IPs for the new Firepower2130 devices within the same subnets as those corresponding on the old ASAs. Assign these IPs to the corresponding interfaces on the Firepower devices and then for cutover change the default gateway in the DHCP server and on any device with static configuration.

For this to work you would also need a "transit" link between the switches the ASA and Firepower are connected to.  Depending on how many VLANs there are connecting to the firewalls, you might be better off allowing all VLANs of the inter-switch trunk link.  If it is just a few, then I would restrict the VLANs allowed over the trunk (assuming that this link will be a temporary link that is).

 

What other aspects should we consider in the migration process?

Without knowing the network, this is difficult to identify. But a few general things come to mind.

- Identify if you want to do a clean cutover or a controlled migration (both have their advantages and disadvantages)

- Make an action plan for the migration as well as a rollback plan

- Check and double check the configuration that has been migrated

- Identify any services that are known to be "moody" when losing connection to the network and create a plan for getting them online again should they act up.

- Make sure you have the correct people on call to perform tests and/or help troubleshoot issues should they arise.

 

What about VLAN Layer 3 and VLAN Layer 2 routing?

This depends on where the L3 routing is happening.  L2 depends on if the old switches will remain in the network or not.

L2 isn't too difficult to get around as this might just require pulling cables between switches.  The L3 routing might need to be considered depending on where the routing is being performed.  This could be solved by either (as mentioned earlier) using IPs within the same subnet but allocating them to the new Firepower 2130 or new switches depending on where the routing is done.  Alternatively you could create a completely new IP plan and use that instead.  This is assuming you are not going to perform a clean cutover.

 

--
Please remember to select a correct answer and rate helpful posts

Hannibal
Level 1

Hi, Marius

Excellent comments. Now our team is going to update the Firepower operating system. We have also found that the software versions of the ASAs are very old, and the command differences, for example for NAT, vary too much.

We are going to have to use these tools (https://www.tunnelsup.com/config-cleanup/) and (https://www.tunnelsup.com/). Do you know them?

 

Each ASA configuration file is really very large, and we must use this type of tool to save time.

 

With best regards

I have never used any of these tools so I do not have any comment regarding how they perform.  However, even though it states that these are purely client side operations, I would strongly recommend removing any and all usernames and passwords before pasting the running configuration into the tool.

What version of ASA are you running? The NAT and ACL changes you refer to came in version 8.3+ and haven't really changed much since.

--
Please remember to select a correct answer and rate helpful posts
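Marius's advice to remove usernames and passwords before pasting a running-config into any web tool is worth automating, because a large ASA config has secrets in places people forget (AAA server keys, SNMP communities, VPN pre-shared keys, OSPF/NTP authentication keys), not only in `username` lines. The script below is an added example, not code from this thread or from tunnelsup.com: it replaces each secret token with `<REDACTED>` and gives every username a stable alias so that `username X attributes` blocks still line up. `SAMPLE_CONFIG` and the secrets in it are constructed.

```python
"""Added example: strip usernames and secrets from an ASA running-config before
it is pasted into any third-party web tool, even one that claims to be purely
client-side. SAMPLE_CONFIG is a constructed snippet with invented secrets.
"""
import re

# Keywords after which the next token is a secret in ASA syntax. "key" and "md5"
# are deliberately broad (AAA server keys, NTP/OSPF/EIGRP authentication keys)
# so that the tool errs toward over-redaction rather than leaking something.
SECRET_KEYWORDS = r"(?:password|passwd|pre-shared-key|shared-secret|secret|key|community|md5)"
SECRET_RE = re.compile(r"(\b" + SECRET_KEYWORDS + r"\b)\s+(\S+)")
USERNAME_RE = re.compile(r"^(\s*username\s+)(\S+)")

SAMPLE_CONFIG = """\
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
username admin password Kx9.aB3cD4eF5gH6 encrypted privilege 15
username admin attributes
 service-type admin
snmp-server community s3cr3tstring
aaa-server RADIUS (inside) host 10.10.0.9
 key RadiusSharedKey123
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key VpnPsk!2024
interface Ethernet1/1
 nameif outside
"""


def redact_secrets(config_text):
    """Return (redacted_text, stats).

    Usernames are replaced by USER-n aliases (same alias for every occurrence
    of the same name); every token following a secret keyword becomes <REDACTED>.
    stats counts how many secrets and username occurrences were rewritten.
    """
    users = {}
    stats = {"secrets": 0, "usernames": 0}

    def alias(match):
        name = match.group(2)
        if name not in users:
            users[name] = f"USER-{len(users) + 1}"
        stats["usernames"] += 1
        return match.group(1) + users[name]

    def mask(match):
        stats["secrets"] += 1
        return match.group(1) + " <REDACTED>"

    out = []
    for line in config_text.splitlines():
        line = USERNAME_RE.sub(alias, line, count=1)  # alias the account name first
        line = SECRET_RE.sub(mask, line)               # then mask every secret on the line
        out.append(line)
    return "\n".join(out), stats


if __name__ == "__main__":
    redacted, stats = redact_secrets(SAMPLE_CONFIG)
    print(redacted)
    print(f"# {stats['secrets']} secrets and {stats['usernames']} username occurrences rewritten")
```

Feed it the output of `more system:running-config` rather than `show running-config` if you want the checker to see pre-shared keys in clear and confirm they are gone; then read the redacted file once yourself before pasting it anywhere, and add any site-specific keyword to `SECRET_KEYWORDS` that the patterns did not cover.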