03-06-2023 01:02 AM
What's the best method to migrate all config, certificates from ASA 55xx device to Cisco firepower 3000 series.
Would backup and restore work?
As there are too many policies and configurations, it's not practical to manually config the new firewall. There is no FMC, only firepower FDM.
03-07-2023 07:42 AM
@manvik well that is different then. You are using firepower hardware running the ASA image, so yes you can mostly copy and paste configuration.
Physical interfaces may change, you'll have to export and import certificates (if used) and use more system:running-config to get the plaintext pre-shared-key (if using). Bear in mind, depending on which ASA version you are using on the new hardware older insecure crypto algorithms have been deprecated, so you may need to reconfigure VPNs.
03-06-2023 01:09 AM
@manvik unfortunately the Firepower Migration Tool is for migrating from ASA to FTD with FMC management not FDM.
Perhaps you could get a CDO evaluation, then migrate the configuration from ASA to the FDM.
03-06-2023 01:54 AM
Any other methods other than CDO? Is it possible to import running-config from ASA to firepower?
03-06-2023 02:00 AM
@manvik no, the FMT (Firepower Migration Tool) would be the best tool, but that is for FMC migrations only. A Virtual FMC is very cheap if that is an option.
Else, create some custom python scripts to import the ASA objects etc in bulk.
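As an added illustration of the two points raised in this thread (the accepted answer's list of things to check when copying an ASA config onto new hardware, and the suggestion of custom Python scripts to handle objects in bulk), here is a small pre-migration audit script. It is not Cisco's code or anything posted in the thread. It parses a saved `show running-config` into top-level stanzas, extracts network objects and object-groups into a plain structure that a bulk-import script could consume, records interface-to-nameif mappings (which must be re-mapped if the physical ports differ), lists certificate trustpoints that will need export/import, flags tunnel-groups whose pre-shared key shows as `*****` (the value only recoverable via `more system:running-config`), and flags IKE/IPsec settings that use algorithms commonly treated as deprecated. The sample config is constructed for the example, and the `WEAK_*` sets are an assumption; the exact algorithms removed depend on the target ASA version, so check the release notes for the version you are installing.

```python
"""Pre-migration audit of an ASA running-config (constructed example)."""
import json

# Assumed list of algorithms to flag; adjust to the target ASA release notes.
WEAK_IKE_ALG = {"des", "3des", "md5"}          # encryption / hash / integrity values
WEAK_DH = {"1", "2", "5"}                       # Diffie-Hellman groups
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed sample in ASA 'show running-config' layout (PSK is masked there).
SAMPLE_CONFIG = """\
: Saved
hostname ASA-OLD
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
object network WEB-SRV
 host 192.168.10.10
object network LAN
 subnet 192.168.10.0 255.255.255.0
object-group network DMZ-HOSTS
 network-object object WEB-SRV
 network-object host 192.168.20.5
 network-object 192.168.30.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ca trustpoint SSL-TP
 enrollment terminal
 subject-name CN=fw.example.com
 keypair SSL-KEY
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key *****
"""


def _stanzas(config):
    """Yield (header, [indented child lines]) for each top-level ASA stanza."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw[0] in "!:":      # comments / separators
            continue
        if raw.startswith(" "):                     # indented: belongs to current header
            if header is not None:
                children.append(raw.strip())
            continue
        if header is not None:
            yield header, children
        header, children = raw.strip(), []
    if header is not None:
        yield header, children


def parse_objects(config):
    """Return network objects and groups as plain dicts for a bulk-import step."""
    objs = []
    for header, body in _stanzas(config):
        parts = header.split()
        if parts[:2] == ["object", "network"]:
            for line in body:
                kind, _, value = line.partition(" ")
                if kind in ("host", "subnet", "range", "fqdn"):
                    objs.append({"name": parts[2], "kind": kind, "value": value})
        elif parts[:2] == ["object-group", "network"]:
            members = [l.split(" ", 1)[1] for l in body if l.startswith("network-object ")]
            objs.append({"name": parts[2], "kind": "group", "members": members})
    return objs


def audit(config):
    """Collect the items the accepted answer says need manual attention."""
    report = {"interfaces": {}, "trustpoints": [], "masked_psks": [], "weak_crypto": []}
    for header, body in _stanzas(config):
        parts = header.split()
        if parts[0] == "interface":
            nameif = next((l.split()[1] for l in body if l.startswith("nameif ")), None)
            report["interfaces"][parts[1]] = nameif
        elif parts[:3] == ["crypto", "ca", "trustpoint"]:
            report["trustpoints"].append(parts[3])
        elif parts[0] == "tunnel-group" and parts[-1] == "ipsec-attributes":
            if any("pre-shared-key" in l and l.endswith("*****") for l in body):
                report["masked_psks"].append(parts[1])
        elif len(parts) > 2 and parts[1] in ("ikev1", "ikev2") and parts[2] == "policy":
            for l in body:
                kw, _, val = l.partition(" ")
                if (kw in ("encryption", "hash", "integrity") and val in WEAK_IKE_ALG) \
                        or (kw == "group" and val in WEAK_DH):
                    report["weak_crypto"].append(f"{header}: {l}")
        elif "transform-set" in parts:
            weak = [p for p in parts if p in WEAK_ESP]
            if weak:
                report["weak_crypto"].append(f"{header}: {' '.join(weak)}")
    return report


if __name__ == "__main__":
    print(json.dumps(parse_objects(SAMPLE_CONFIG), indent=1))
    print(json.dumps(audit(SAMPLE_CONFIG), indent=1))
```

Run it against a real `show running-config` dump (replace `SAMPLE_CONFIG` with the file contents) before the cut-over: an empty `masked_psks` list means the config was taken with `more system:running-config` and the keys will paste in intact, and any `weak_crypto` entries are the policies that may need rebuilding on the new ASA version. The object list is deliberately kept as plain dicts so it can be fed to whatever import path you end up with, whether a generated CLI snippet or an API script.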
03-06-2023 04:31 AM
So I think we are stuck. No FMC, no python scripts.
Even if we had Firepower Migration Tool, would it migrate site-site VPN connections?
03-06-2023 04:34 AM
@manvik yes you can migrate VPN settings. The following link provides a list of configuration settings migrated using FMT.
03-06-2023 05:12 AM
Then money spent on a small 2-device license of FMC (or even cloud-delivered FMC for CDO management) is much less than the cost of the hours (and potential for human error) involved in manually migrating a configuration line-by-line.
Managing anything other than an extremely simple single firewall configuration with FDM is a recipe for frustration and headaches. Believe me, I've tried it and I have decades of hands-on experience with firewalls.
03-07-2023 07:36 AM
There's a mistake in what I mentioned. The destination device is Cisco Firepower ASA. This means ASA backup & restore would work?
Cisco FPR3130-ASA-K9 means the one with FXOS?
03-07-2023 10:07 PM
Thank you @Rob Ingram and @Marvin Rhoads
Cisco FPR3130-ASA-K9 means the one with FXOS?
03-08-2023 12:15 AM
@manvik FXOS is the underlying operating system of the FPR3100 (and 2100/4100/9300 etc), where you configure the hardware/chassis related settings. On top of FXOS you run either ASA or FTD firewall image.
03-08-2023 12:28 AM
Adding to what @Rob Ingram noted, the Firepower 3100 series (as well as 1010, 1100 and 2100 series) all have the underlying FX-OS (Firepower eXtensible Operating System) bundled in with the ASA or FTD software image. So you do not download and upgrade it separately.
The Getting Started Guide is a good place to start!