
Cisco ASA to Firepower Migration

manvik
Level 3

What's the best method to migrate all config and certificates from an ASA 55xx device to a Cisco Firepower 3000 series?

Would backup and restore work?

As there are too many policies and configurations, it's not practical to manually configure the new firewall. There is no FMC, only Firepower FDM.


@manvik unfortunately, the Firepower Migration Tool is for migrating from ASA to FTD with FMC management, not FDM.

Perhaps you could get a CDO evaluation, then migrate the configuration from ASA to the FDM.

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CDO/ASA2FTD_Using_CDO/m_how_to_implement_migration.html

 

manvik
Level 3

Any other methods other than CDO? Is it possible to import running-config from ASA to Firepower?

@manvik no, the FMT (Firepower Migration Tool) would be the best tool, but that is for FMC migrations only. A Virtual FMC is very cheap if that is an option.

Else, create some custom Python scripts to import the ASA objects etc. in bulk.

manvik
Level 3

So I think we are stuck. No FMC, no Python scripts.

Even if we had the Firepower Migration Tool, would it migrate site-site VPN connections?

@manvik yes you can migrate VPN settings. The following link provides a list of configuration settings migrated using FMT.

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/fp-migtool-release-notes.html

 

The money spent on a small 2-device license of FMC (or even cloud-delivered FMC for CDO management) is much less than the cost of the hours (and potential for human error) involved in manually migrating a configuration line-by-line.

Managing anything other than an extremely simple single firewall configuration with FDM is a recipe for frustration and headaches. Believe me, I've tried it and I have decades of hands-on experience with firewalls.

manvik
Level 3

There's a mistake in what I mentioned. The destination device is Cisco Firepower ASA. This means ASA backup & restore would work?

Cisco FPR3130-ASA-K9 means the one with FXOS?

@manvik well that is different then. You are using firepower hardware running the ASA image, so yes you can mostly copy and paste configuration.

Physical interfaces may change, you'll have to export and import certificates (if used), and use more system:running-config to get the plaintext pre-shared-key (if using). Bear in mind that, depending on which ASA version you are using on the new hardware, older insecure crypto algorithms have been deprecated, so you may need to reconfigure VPNs.
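
A pre-paste audit of the points raised in the answer above, as an added example that is not part of the original post and not Cisco tooling: it flags interface names, certificate trustpoints, weak crypto settings, and pre-shared keys that were masked as ***** because the config was captured with show running-config. The sample config, the audit function name, and the weak-algorithm and DH-group lists are assumptions made for illustration.

```python
# Constructed sample, as captured with "show running-config" on the old ASA.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
crypto ipsec ikev1 transform-set LEGACY esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal STRONG
 protocol esp encryption aes-256
crypto ca trustpoint VPN-CERT
crypto ikev1 policy 10
 encryption 3des
 hash md5
 group 2
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Assumption: names treated as weak; confirm in the target ASA release notes.
WEAK_ALGS = {"des", "3des", "md5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"2", "5", "24"}
POLICY_SECTIONS = ("crypto ikev1 policy", "crypto ikev2 policy",
                   "crypto ipsec ikev2 ipsec-proposal")

def audit(config):
    """Return (line_no, category, line) for lines that need work before pasting."""
    findings, section = [], ""
    for no, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw.startswith(" "):
            section = raw  # most recent top-level command
        cat = None
        if raw.startswith("interface "):
            cat = "interface"      # port names may differ on the new chassis
        elif raw.startswith("crypto ca trustpoint "):
            cat = "certificate"    # must be exported and imported separately
        elif "pre-shared-key" in words and not words[-1].strip("*"):
            cat = "masked-key"     # re-capture with more system:running-config
        elif WEAK_TRANSFORMS & set(words):
            cat = "weak-crypto"
        elif section.startswith(POLICY_SECTIONS):
            if words[0] == "group" and WEAK_DH_GROUPS & set(words[1:]):
                cat = "weak-dh-group"
            elif WEAK_ALGS & set(words[1:]):
                cat = "weak-crypto"
        if cat:
            findings.append((no, cat, raw.strip()))
    return findings
```

Calling audit(SAMPLE_CONFIG) returns one tuple per line to review; a masked-key finding means the saved copy cannot restore that tunnel's key.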

manvik
Level 3

Thank you @Rob Ingram and @Marvin Rhoads 

Cisco FPR3130-ASA-K9 means the one with FXOS?

@manvik FXOS is the underlying operating system of the FPR3100 (and 2100/4100/9300 etc.), where you configure the hardware/chassis related settings. On top of FXOS you run either the ASA or FTD firewall image.

Adding to what @Rob Ingram noted, the Firepower 3100 series (as well as 1010, 1100 and 2100 series) all have the underlying FX-OS (Firepower eXtensible Operating System) bundled in with the ASA or FTD software image. So you do not download and upgrade it separately.

The Getting Started Guide is a good place to start!

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/getting-started/3100/secure-firewall-3100-gsg/asa.html#id_119800
