06-16-2022 06:37 PM
Hey guys, I was wondering what the norm is for moving configs off of the ASA platform over to FTDs. So if I have an old 1st gen ASA 5505 with a fairly complex config (tunnel groups, crypto maps, NAT, remote VPN, access lists a mile long), am I better off doing it the manual way, recreating the config on the FMC, then deploying to the FTD and hoping I got everything correct? Or in this day and age has Cisco's Firewall Migration Tool evolved enough for me to ingest the ASA config into it, have it transferred into the FMC and then deployed to the FTD? What do you guys think?
06-16-2022 07:38 PM
There are a few things the Firepower Migration Tool doesn't do, e.g. it does not migrate extended service objects, and you must manually migrate the time zone configuration, but overall the migration tool is the much better option compared to trying to do the migration by hand. Once you get the gist of it you'll never go back. It'll save you many hours of work.
06-19-2022 05:56 PM
Hey Rhuysmans, it's been a while and my terminology is failing me on the "extended service objects". Can you give me an example of what these are? Do you mean the DM_Inline auto-created groups?
06-19-2022 06:35 PM
Looking at the release notes, I believe that "extended service objects" refers to service objects configured for a source and destination.
"Though the Firewall Migration Tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality."
Here's a useful link to the Migration Tool FAQ. Shows what new features are supported with each release.
Cheers.
06-16-2022 08:34 PM
Definitely use the migration tool. I've migrated over a dozen firewalls using it and have no regrets. It gives you a report of exactly what was not migrated and allows you to manually address those items outside the tool.
My experience is that it generally covers about 95% of the job in under an hour, something that would take all day or all week depending on the source configuration's complexity.
I also recommend doing a pre-migration config scrub first using something like tunnelsup.com or Cisco CLI Analyzer tools.
06-17-2022 04:38 AM
Marvin, I'm in a jam because the ASAs I am responsible for migrating to the newly purchased FTD 1010s are 5505s on the ASA 8.2 bin and I need the ASA 8.4 bin. Of course I'm the lead engineer for this big project and get thrown into it only to find the onsite IT folks don't bother to upgrade anything, and now it's screwing me over. (Sorry, a little bit of a rant, I'm extremely frustrated.)
I only have asa916-1-smp-k8.bin, which I don't think I can re-image these legacy ASAs with, since this is an interim bin. The Firewall Migration Tool looks to only support commands from the 8.4 release and later. I was hoping I could just re-image to 8.4 and run the tool, but man, I guess I have zero luck. I'm finding myself browsing the flash of any ASAs I have access to, trying to find an 8.4 bin, but have come up empty.
06-17-2022 05:32 AM - edited 06-17-2022 06:01 AM
The ASA images with "smp" in the image name are for ASA 5500-X series only. Those have multi-core CPUs (Symmetric Multi-core Processors).
The ASA 5505 can run any of the images found here:
https://software.cisco.com/download/home/280582808/type/280775065/release/9.2.4%20Interim
ASA 8.2 can be updated directly to 9.0(4)42 (asa904-42-k8.bin) which is still available on that downloads page. The upgrade path is confirmed here:
https://www.cisco.com/c/en/us/td/docs/security/asa/upgrade/asa-upgrade/planning.html#id_58680
Note however that the ASA 5505 is not an officially supported source platform for FMT.
I'm not sure if/how it would parse an ASA 5505 offline config file and convert it. I'd suggest upgrading one in the lab and giving it a try (if you have access to a spare unit).
That said, how much config is actually on the ASA 5505s? If they are mostly simple and the same, you can just create a common ACP and NAT policy in FMC and then just build each new firewall manually and apply the same policies to them as a group.
06-17-2022 05:57 AM
Thanks Marvin. The existing production configs are pretty complex in that there are 4 ASA 5505s which are close to a meshed topology and have hairpin VPN outside crypto maps and extensive tunnel groups, all of which have pre-shared keys that I exposed with the "more system:running-config" command; several group policies; lots of local usernames and passwords, I assume for remote user VPNs; SLA for a backup route and dhcpd; and asdm location lines, like 100 of them, which I will manually scrub before trying the FMT. Some users VPN into site A and hairpin to sites B and C. The admins also statically assigned IPs to all their internal workstations for the purpose of creating groups to control outbound access to certain destinations, so there are something like 200 host objects for the internal subnet at one of the locations.
I downloaded the bin and can't thank you enough for the help you have given me through the years. This project is going to be a muddy one regardless, and if that migration tool can get a lot of the settings over it will be a big help. I used it a long time ago and back then it was easier to do a manual migration. I have a lot of time invested in Cisco, and the more I can learn from this project, the sooner hopefully one day I can pay it forward by being more active in the community here. Appreciate it.
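As an added example (not code from this thread, from Cisco, or from the Firewall Migration Tool), here is the kind of pre-migration scrub that Marvin recommends above and that the last post says it will do by hand: it strips the "asdm location" lines, reads the "ASA Version" line so a pre-8.4 config is caught before the tool is run (the 8.4 floor is taken from the thread, not verified against Cisco's documentation), flags "object service" blocks whose service line names both a source and a destination (the construct the quoted release note says FMT does not migrate), and counts or redacts pre-shared keys so a copy of the config can be shared for review without leaking them. The sample config, hostnames, addresses and keys are constructed for the example.

```python
"""Pre-migration scrub of an ASA running-config before it goes into the
Firepower Migration Tool (FMT). Added example, not Cisco's or the thread's code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample config, not a real device; keys and addresses are dummies.
SAMPLE_CONFIG = """\
: Saved
ASA Version 8.2(5)
!
hostname asa5505-siteA
asdm location 10.1.1.50 255.255.255.255 inside
asdm location 10.1.1.51 255.255.255.255 inside
object network host-ws1
 host 10.1.1.50
object service web-from-high
 service tcp source range 1024 65535 destination eq 80
object service plain-ssh
 service tcp destination eq 22
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key ExampleKey123
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key AnotherExample456
crypto map outside_map 10 set peer 203.0.113.10
"""

MIN_FMT_VERSION = (8, 4)  # assumption taken from the thread, not verified
ASDM_LOCATION = "asdm location "
# 'show running-config' masks keys as '*'; 'more system:running-config' shows
# them in clear, which is the copy you would feed to the tool.
PSK_RE = re.compile(r"^(\s*(?:\S+ )*?pre-shared-key )(\S+)\s*$")


@dataclass
class ScrubResult:
    version: Optional[Tuple[int, int]]
    removed_asdm_lines: int
    psk_count: int
    extended_service_objects: List[str] = field(default_factory=list)
    config: str = ""  # scrubbed config text

    @property
    def version_ok(self) -> bool:
        return self.version is not None and self.version >= MIN_FMT_VERSION


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    m = re.search(r"^ASA Version (\d+)\.(\d+)", text, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def scrub(text: str, redact_psk: bool = False) -> ScrubResult:
    kept, ext_objs = [], []
    removed = psk = 0
    current_obj = None  # name of the 'object service' block we are inside
    for line in text.splitlines():
        if line.startswith(ASDM_LOCATION):
            removed += 1
            continue
        if line.startswith("object service "):
            current_obj = line.split()[2]
        elif not line.startswith(" "):
            current_obj = None  # any top-level line ends the object block
        elif (current_obj and line.strip().startswith("service ")
              and " source " in line and " destination " in line):
            ext_objs.append(current_obj)  # source+destination: manual migration
        m = PSK_RE.match(line)
        if m:
            psk += 1
            if redact_psk:
                line = m.group(1) + "*****"
        kept.append(line)
    return ScrubResult(parse_version(text), removed, psk, ext_objs,
                       "\n".join(kept) + "\n")


def report(result: ScrubResult) -> List[str]:
    """Human-readable findings to review before running the tool."""
    v = result.version
    if v is None:
        head = "ASA version: not found"
    elif result.version_ok:
        head = f"ASA version: {v[0]}.{v[1]} (ok for FMT)"
    else:
        head = (f"ASA version: {v[0]}.{v[1]} (below "
                f"{MIN_FMT_VERSION[0]}.{MIN_FMT_VERSION[1]}, upgrade first)")
    lines = [head,
             f"asdm location lines removed: {result.removed_asdm_lines}",
             f"pre-shared keys present: {result.psk_count}"]
    for name in result.extended_service_objects:
        lines.append(f"extended service object (migrate by hand): {name}")
    return lines


if __name__ == "__main__":
    res = scrub(SAMPLE_CONFIG, redact_psk=True)
    print("\n".join(report(res)))
    print("--- scrubbed config ---")
    print(res.config, end="")
```

Run it with redact_psk=False to produce the copy that goes into the tool (the keys must survive for the tunnel groups to come across), and with redact_psk=True for the copy you attach to a ticket or post for review.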