3210 Views, 5 Helpful, 3 Replies

Cannot import FTD config file to FMC

ak085b (Level 1)

Hello all,

I hope you are all having a nice day.

I am facing the below issue:

I have FTD for VMware:
Model : Cisco Firepower Threat Defense for VMWare (75) Version 6.2.3 (Build 83)

When I added the device into FMC everything was wiped out, except for the Management IP.

FMC Version:
Cisco Firepower Management Center for VMWare v6.2.3 (build 83)

I had saved the config file before, and when I tried to import it into FMC I got the following error:

You must convert this ASA configuration to a Firepower Threat Defense configuration before importing it.

I installed a second FMC (with the same version as the previous one) to use as Migration Tool, and when I tried to import it there I got the error:

invalid asa configuration file! please pass a valid file

As per the following documentation, the migration tool should only be used for ASA versions 9.1 to 9.7. This is not an ASA version.

On the Internet I see only cases for ASA config to FMC, nothing from FTD config to FMC.

The config I'm trying to import into FMC is the following:
: Saved
: 
: Serial Number: *********
: Hardware:   ASAv, 8192 MB RAM, CPU Lynnfield 3503 MHz, 1 CPU (4 cores)
!
NGFW Version 6.2.3
!
hostname firepower
enable password $sha512$5000$ZrAIfX2KcH8PB5YgWkB70g==$R+kK8Ui1dBFPzcD5eUtl+g== pbkdf2
strong-encryption-disable
names

!
interface GigabitEthernet0/0
 nameif outside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address dhcp setroute
 ipv6 address autoconfig
 ipv6 enable
!
interface GigabitEthernet0/1
 nameif inside
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 ip address 192.168.45.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif diagnostic
 cts manual
  propagate sgt preserve-untag
  policy static sgt disabled trusted
 security-level 0
 no ip address
!
ftp mode passive
ngips conn-match vlan-id
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network any-ipv6
 subnet ::/0
object network AIM_SERVERS-64.12.31.136
 host 64.12.31.136
object network AIM_SERVERS-64.12.46.140
 host 64.12.46.140
object network AIM_SERVERS-64.12.186.85
 host 64.12.186.85
object network AIM_SERVERS-205.188.1.132
 host 205.188.1.132
object network AIM_SERVERS-205.188.11.228
 host 205.188.11.228
object network AIM_SERVERS-205.188.11.253
 host 205.188.11.253
object network AIM_SERVERS-205.188.11.254
 host 205.188.11.254
object network AIM_SERVERS-205.188.210.203
 host 205.188.210.203
object network AIM_SERVERS-64.12.24.0-23
 subnet 64.12.24.0 255.255.254.0
object network AIM_SERVERS-64.12.28.0-23
 subnet 64.12.28.0 255.255.254.0
object network AIM_SERVERS-64.12.161.0-24
 subnet 64.12.161.0 255.255.255.0
object network AIM_SERVERS-64.12.163.0-24
 subnet 64.12.163.0 255.255.255.0
object network AIM_SERVERS-64.12.200.0-24
 subnet 64.12.200.0 255.255.255.0
object network AIM_SERVERS-205.188.3.0-24
 subnet 205.188.3.0 255.255.255.0
object network AIM_SERVERS-205.188.5.0-24
 subnet 205.188.5.0 255.255.255.0
object network AIM_SERVERS-205.188.7.0-24
 subnet 205.188.7.0 255.255.255.0
object network AIM_SERVERS-205.188.9.0-24
 subnet 205.188.9.0 255.255.255.0
object network AIM_SERVERS-205.188.153.0-24
 subnet 205.188.153.0 255.255.255.0
object network AIM_SERVERS-205.188.179.0-24
 subnet 205.188.179.0 255.255.255.0
object network AIM_SERVERS-205.188.248.0-24
 subnet 205.188.248.0 255.255.255.0
object network Net_192.168.45.0m24
 subnet 192.168.45.0 255.255.255.0
object-group network AIM_SERVERS
 network-object object AIM_SERVERS-205.188.1.132
 network-object object AIM_SERVERS-205.188.248.0-24
 network-object object AIM_SERVERS-205.188.5.0-24
 network-object object AIM_SERVERS-205.188.210.203
 network-object object AIM_SERVERS-205.188.153.0-24
 network-object object AIM_SERVERS-205.188.179.0-24
 network-object object AIM_SERVERS-64.12.24.0-23
 network-object object AIM_SERVERS-64.12.161.0-24
 network-object object AIM_SERVERS-64.12.28.0-23
 network-object object AIM_SERVERS-64.12.163.0-24
 network-object object AIM_SERVERS-64.12.46.140
 network-object object AIM_SERVERS-205.188.7.0-24
 network-object object AIM_SERVERS-64.12.200.0-24
 network-object object AIM_SERVERS-205.188.11.253
 network-object object AIM_SERVERS-64.12.186.85
 network-object object AIM_SERVERS-205.188.11.228
 network-object object AIM_SERVERS-64.12.31.136
 network-object object AIM_SERVERS-205.188.11.254
 network-object object AIM_SERVERS-205.188.9.0-24
 network-object object AIM_SERVERS-205.188.3.0-24
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: Access_to_Internet
access-list NGFW_ONBOX_ACL advanced permit tcp ifc inside object Net_192.168.45.0m24 ifc outside object any-ipv4 eq domain rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc inside object Net_192.168.45.0m24 ifc outside object any-ipv4 eq www rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced permit tcp ifc inside object Net_192.168.45.0m24 ifc outside object any-ipv4 eq https rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced permit udp ifc inside object Net_192.168.45.0m24 ifc outside object any-ipv4 eq domain rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust ip ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
pager lines 23
logging timestamp
mtu diagnostic 1500
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (any,outside) source dynamic any-ipv4 interface
access-group NGFW_ONBOX_ACL global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
ip-client diagnostic ipv6
ip-client diagnostic
ip-client inside ipv6
ip-client inside
ip-client outside ipv6
ip-client outside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 0
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto ikev2 policy 100
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev1 policy 160
 authentication pre-share
 encryption des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 192.168.45.46-192.168.45.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
snort preserve-connection
Cryptochecksum:4d40fd250040a849e8dc3a09e3338b8a
: end
Are there any limitations/differences due to that being a virtual machine?

Thank you very much in advance,
Apostolos
Accepted Solution

matty-boy (Level 1)

Hi Apostolos,

As far as I am aware it's not possible to import an FTD image, only an ASA image.

That said, you might be able to fudge it...

Make a copy of the config backup and change it as follows:

   * Replace "NGFW Version 6.2.3" with "ASA Version 9.X" at the top

   * Edit any portions of the config that are Firepower specific (ACLs for example) to make them look like they came off an ASA.

Now try and use the ASA --> FTD conversion tool. It might work. Fingers crossed. Good luck!

Cheers,

Matt.

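The two edits Matt describes, scripted as an added example (this is not code from the thread, from Cisco, or from the migration tool): it rewrites the version banner, drops a few top-level commands that exist only on FTD (that list is an assumption drawn from the config posted above, not a documented one), and turns each FTD `advanced ... ifc ... rule-id ...` ACE into ASA `extended` syntax. The target version string 9.7(1) and the sample config (a trimmed excerpt modelled on the one in the question) are constructed. Whether the migration tool then accepts the result is as untested as in Matt's answer. FTD `trust` rules have no ASA equivalent, so the script writes them as `permit` and lists them for review; it also lists the DES cipher from the posted IKE policies, since that would otherwise be carried over silently.

```python
import re

# Constructed sample: a trimmed excerpt modelled on the FTD config posted in the question.
SAMPLE_FTD_CONFIG = """\
: Saved
!
NGFW Version 6.2.3
!
hostname firepower
strong-encryption-disable
names
!
interface GigabitEthernet0/1
 nameif inside
 security-level 0
 ip address 192.168.45.1 255.255.255.0
!
ngips conn-match vlan-id
object network any-ipv4
 subnet 0.0.0.0 0.0.0.0
object network Net_192.168.45.0m24
 subnet 192.168.45.0 255.255.255.0
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: Access_to_Internet
access-list NGFW_ONBOX_ACL advanced permit tcp ifc inside object Net_192.168.45.0m24 ifc outside object any-ipv4 eq www rule-id 268435458 event-log both
access-list NGFW_ONBOX_ACL advanced trust ip ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1
access-group NGFW_ONBOX_ACL global
crypto ikev2 policy 100
 encryption des
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
snort preserve-connection
: end
"""

VERSION_RE = re.compile(r"^NGFW Version \S+")

# Top-level commands assumed to exist only on FTD (taken from the posted config,
# not from any documented list); the migration tool's real parser may differ.
FTD_ONLY_PREFIXES = ("ngips ", "snort ", "strong-encryption-disable", "ip-client ")

# FTD access-list lines: "advanced" ACEs with per-interface "ifc" qualifiers,
# a trailing rule-id and an optional event-log setting.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) advanced (?P<action>permit|deny|trust) (?P<rest>.*?)"
    r"(?: rule-id (?P<rule_id>\d+))?(?: event-log \S+)?$"
)

# IKE policy settings worth a second look before the config is re-deployed.
WEAK_IKE_SETTINGS = ("encryption des", "hash md5", "integrity md5")


def convert_ftd_to_asa(config_text, asa_version="9.7(1)"):
    """Apply the two manual edits from the accepted answer to an FTD config dump.

    Returns (converted_text, review_notes). asa_version is an assumed value inside
    the 9.1-9.7 range the question mentions for the migration tool.
    """
    out, notes = [], []
    current_block = ""  # last top-level command, so indented lines can be attributed to it
    for line in config_text.splitlines():
        stripped = line.strip()
        top_level = not line.startswith(" ")
        if top_level:
            current_block = stripped

        # Step 1: replace the NGFW version banner with an ASA one.
        if VERSION_RE.match(line):
            out.append(f"ASA Version {asa_version}")
            continue

        # Drop commands that an ASA would not understand.
        if top_level and stripped.startswith(FTD_ONLY_PREFIXES):
            notes.append(f"dropped FTD-only command: {stripped}")
            continue

        # Step 2: rewrite FTD ACEs into ASA 'extended' syntax: strip the 'ifc <zone>'
        # qualifiers, the rule-id and the event-log keyword.
        m = ACL_RE.match(line)
        if m:
            action = m.group("action")
            body = re.sub(r"\bifc \S+ ", "", m.group("rest"))
            if action == "trust":
                # 'trust' (fastpath, no inspection) has no ASA equivalent; 'permit' is the
                # closest match, but the operator should confirm that is what they want.
                notes.append(f"rule-id {m.group('rule_id')}: 'trust' written as 'permit', review it")
                action = "permit"
            out.append(f"access-list {m.group('name')} extended {action} {body}")
            continue

        # Not converted, only flagged: weak IKE settings would be imported unchanged.
        if current_block.startswith("crypto ikev") and stripped in WEAK_IKE_SETTINGS:
            notes.append(f"{current_block}: weak setting '{stripped}' carried over")
        out.append(line)
    return "\n".join(out) + "\n", notes


if __name__ == "__main__":
    converted, notes = convert_ftd_to_asa(SAMPLE_FTD_CONFIG)
    print(converted)
    for note in notes:
        print("REVIEW:", note)
```

Run it against a full `show running-config` dump to get a first draft plus a list of items to review by hand; anything the script leaves untouched (interface `cts` settings, NAT, inspection policy) is passed through unchanged, which is the behaviour to check first if the tool still rejects the file.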

3 Replies

Thanks a lot, Matt, for your reply.

So I will need to modify all ACLs...

This is some test environment. There will be a lot of work to be done for a pre-existing FTD. :D

I will make the conversion and will update with my results.

Thanks again,

Apostolos

Hi Apostolos,

Were you successful?

Regards,

Charles