01-04-2021 04:13 PM
Hi team!
I have an ASA5515-X and an FTD2100. I want to migrate from ASA to FTD, so I used the Firepower Migration Tool. The ASA has one physical interface for each zone, but on the FTD I want to create an EtherChannel for each zone for redundancy. Is it possible to move the configuration from a physical interface to a port-channel somehow?
01-05-2021 04:24 AM
Then you cannot use the migration tool 100%. You can make those changes offline, and also do the required testing before you go live.
01-05-2021 03:04 PM
I've deleted the device from FMC and added it again without any configuration. After that I manually created Port-Channels and subinterfaces on them. The Firepower Migration Tool can see and map ASA interfaces to Port-Channels but not to subinterfaces.
Why? What's the limitation for subinterfaces? In documentation https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CP/CP2FTD-with-FP-Migration-Tool/CP2FTD-with-FP-Migration-Tool_chapter_010.html there is nothing about it, just - "Subinterfaces are not created by the Firepower Migration Tool. Only interface mapping is allowed between physical interfaces, port channel, or subinterfaces"
I also tried to change the ASA configuration manually in Notepad, moving the interface configuration to a subinterface like this:

interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248 standby 1.1.1.2

But FMT doesn't see subinterfaces in that file either.
01-05-2021 11:11 PM
That's a current limitation of both the FMT as well as the online migration tool in CDO. I had to go through similar pain in a recent migration. I have since brought it up with the Cisco product team as an unwelcome shortcoming, as it can result in a fair amount of unnecessary extra work to change things later. Hopefully a future release will incorporate the ability to map to subinterfaces (with or without EtherChannels).
01-05-2021 09:34 PM
I may be not done, the migration tool does not give the ability to make a complete topology change. This tool is a simple ACL rule conversion based on existing to new.
If this is not a big rule base, I do it manually, and now you have a chance to get rid of old rules which are redundant, moving forward with the new setup.
01-06-2021 12:56 PM
Found the solution: created Port-Channels with the same numbers on both devices (for the ASA I did it in Notepad), moved the ASA config in Notepad from the physical interfaces to Port-Channel subinterfaces, and pushed it to the Firepower Migration Tool. The migration tool then created the same subinterfaces for the FTD by itself.
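
A scripted version of the hand edit described in the post above, for cases with more than a couple of interfaces (an added example, not part of the original thread and not Cisco tooling). The port-channel numbers, VLAN IDs and the sample config are constructed assumptions, and port-channel member assignment is left out.

```python
import re

L3 = ("nameif", "security-level", "ip address")  # commands that move to the subinterface
UNSET = [" no nameif", " no security-level", " no ip address"]

# Constructed sample input; not taken from a real device.
SAMPLE = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.248 standby 1.1.1.2
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
"""
# Assumed operator choices: physical interface -> (port-channel number, VLAN id).
MAPPING = {"GigabitEthernet0/0": (1, 10), "GigabitEthernet0/1": (2, 20)}

def move_to_subinterfaces(config, mapping):
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("two interfaces map to the same port-channel subinterface")
    out, cur, moved, parents = [], None, [], set()

    def flush():
        nonlocal cur, moved
        if cur is None:
            return
        po, vlan = mapping[cur]
        out.extend(UNSET)                      # physical keeps no L3 config
        if po not in parents:                  # emit each parent port-channel once
            parents.add(po)
            out.extend(["!", f"interface Port-channel{po}", *UNSET])
        out.extend(["!", f"interface Port-channel{po}.{vlan}", f" vlan {vlan}", *moved])
        cur, moved = None, []

    for line in config.splitlines():
        if not line.startswith(" "):           # any top-level line ends the block
            flush()
            m = re.match(r"interface (\S+)\s*$", line)
            cur = m.group(1) if m and m.group(1) in mapping else None
        elif cur and line.strip().startswith(L3):
            moved.append(line)                 # hold back for the subinterface
            continue
        out.append(line)
    flush()
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(move_to_subinterfaces(SAMPLE, MAPPING))
```

The nameif values are carried over unchanged, so ACL and NAT lines that reference them need no edits; diff the output against the original file before loading it into the migration tool.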
01-06-2021 11:19 PM
Yes, that will work as an interim workaround if it is one port-channel subinterface to another port-channel subinterface. In my case I was trying to map multiple source ASA physical interfaces to a single port-channel on FTD with subinterfaces corresponding to the multiple physical interfaces. Maybe I could have gotten it to work if I had more extensively hand-modified the source ASA config to fool the tool into thinking they all started out as subinterfaces on a single interface.
01-07-2021 02:34 AM
Good that you cracked it. Since the software does not know what you have done, you changed the config to bluff the tool so it can migrate it as it is.
Good stuff.