Re: FTD migration tool and destination zone

lanab · ‎04-28-2023

I am using the latest FTD migration tool to move contexts from our old ASA5585 to FMC without FTD.

There is a major problem when doing this conversion as their is no way the tool can apply the destination zone i want and configured it to, it sets it to ANY with no other choice.

This is a problem as we have thousands of ACLs that needs the correct destination zone.

How can we solve this problem, how do we change the destination zone from ANY to XYC for all ACLs?

Marvin Rhoads · ‎04-28-2023

Generally the target zones will be configured and associated with interfaces / interfaces groups on a target FTD managed by the FMC. Is it that you don't have a target FTD available yet?

lanab · ‎04-28-2023

We have no target FTD now as we have like 50 contexts we are migrating from, we want to create the in FMC first.

lanab · ‎04-28-2023

Is there any text file in CLI i could edit and just replace all ANY to the zone we want?

Marvin Rhoads · ‎04-28-2023

There's no cli source file option that I'm aware of being able to use.

We have to migrate to a target device to get zones because anything associated with interfaces is not migrated/populated when we choose to "proceed without FTD" as a target device.

I wonder if you could just spin up a single FTDv and use it (over and over) for the various contexts?

lanab · ‎04-29-2023

I tried to spin up an FTDv in the lab but then arise another problem as FTDv does not support portchannels so the migration tool will block and not continue.

MHM Cisco World · ‎04-28-2023

I full get your request

Map ftd interface will use asa to zone in ftd' but ANY is not interface in ASA and you want way to map it to ftd zone

Am I correct?

lanab · ‎04-29-2023

I have created source and destination zone as wanted in the migration tool but after the conversion is done the tool only populated the source zone correctly and destination zone as ANY.

MHM Cisco World · ‎04-29-2023

I think you hit migration limits here

Migration Limitations

When migrating your ASA configuration, be aware of the following limitations:

ASA Configuration Only

The migration tool converts only ASA configurations. It does not convert existing ASA FirePOWER configurations. You must manually convert an existing ASA FirePOWER configuration to a Firepower Threat Defense configuration.

ACL and ACE Limits

The migration tool can support an ASA configuration file containing up to 2000000 total access rule elements. If the converted configuration file exceeds this limit, the migration fails.

You must consider the sum of all access rules elements in the ASA configuration file, rather than the element count for a single ACL. To view elements for a single ACL, use the ASA CLI command, show access-list | i elements.

Applied Rules and Objects Only

The migration tool only converts ACLs that are applied to an interface; that is, the ASA configuration file must contain paired access-list and access-group commands.

The migration tool only converts objects if they are associated with either actively-applied ACLs or NAT rules; that is, the ASA configuration file must contain appropriately associated object, access-list, access-group, and nat commands. You cannot migrate network and service objects alone.

Unsupported ACL and NAT Configurations

The migration tool supports most ACL and NAT configurations, with certain exceptions. It handles unsupported ACL and NAT configurations as follows:

Converts but Disables—The migration tool cannot fully convert ACEs that use:

Time range objects
Fully-qualified domain names (FQDN)
Local users or user groups
Security group (SGT) objects
Nested service groups for both source and destination ports

It cannot convert certain elements of these rules because there is no Firepower equivalent functionality for the unsupported elements. In these cases, the tool converts rule elements that have Firepower equivalents (for example, source network), excludes rule elements that do not have Firepower equivalents (for example, time range), and disables the rule in the new access control or prefilter policy it creates.

For each disabled rule, the system also appends (unsupported) to the rule name and adds a comment to the rule indicating why the system disabled the rule during migration. After importing the disabled rules on your Firepower Management Center, you can manually edit or replace the rules for successful deployment in the Firepower System.

MHM Cisco World · ‎04-28-2023

I check the asa to ftd migrate will add zone any for any subnet (source or destination) that is list as any in acl of asa.

lanab · ‎05-01-2023

This is by far the worst product i ever worked with, it's full of bugs.

I had to export the ACP and then manually edit the show-tech file for all interfaces that are portchannels to ordinary ethernet interfaces, then i ran the migration tool it continued fine, but still not working as it should.

Some rules gets a -no lookup after the ACL name which means it sets destination zone to ANY which means i still have to manually change all those ACLs from ANY to the right destination zone i want.

And editing just one ACL takes ages because the slow FMC GUI is not the fastest to work with.

So Cisco does not have any solution to this crap? your answer is to edit several hundreds of ACLs? we don't have that time.

NetworkMonkey101 · ‎08-27-2024

Did you ever resolve this issue I have the same problem? I do not want to have to edit 900 individual policies within FMC to use the correct zone instead of the migrated "any" zone.