cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4137
Views
5
Helpful
12
Replies

FWSM v4.1 to ASA v9.6.1 on Firepower 4100

theomarinescu
Level 1
Level 1

Hello,

As you can see in the title, I have to migrate a (huge) configuration from FWSM OS v4.1 to ASA OS v9.6.1 on Firepower 4100.

I found the FWSM to ASA-SM migration tool - which translates the configuration to ASA-SM OS v8.5 - here:

http://www.cisco.com/c/en/us/td/docs/security/asa/migration/fwsm/fwsm2asasm.html

I also know the officially recommended upgrade path from here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/release/notes/asarn96.html#ID-2152-0000000a

There are two problems:

1. I can't boot in place with one of the new ASA images, because I am migrating *both hardware & software version* at the same time.

2. I can't figure out  where the resulting ASA-SM v8.5 configuration from the first link would fit in the table from the second one.

Supposing I can find and will use an old ASA 5550, I still can't figure out with which software version I would have to start the migration with.

Version 8.5 seems to be an odd one, I can't find it here:

https://software.cisco.com/portal/pub/download/portal/select.html?&mdfid=280563817&flowid=4376&softwareid=280775065

Has anyone successfully done this, and if yes, how did you go about it ?

Thank you !

--

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Are you a partner? If so, there is an available tool that support FWSM configuration file conversion to ASA 55xx.

https://fwm.cisco.com

While it doesn't specifically support FirePOWER 4100 as the target, you would choose say a 5555-X only need to modify interfaces to accommodate that platform. The target ASA software is only 9.2(1) but that would not make a difference for your purposes. Of course you assign interfaces on a FirePOWER 4100 via the FX-OS Chassis Manager so that would be a manual process.

I have used the FWM tool successfully on several larger migrations to 5585-X. I also run the configuration through some cleanup first and double check the NAT conversions using the tools available at tunnelsup.com

View solution in original post

12 Replies 12

Marvin Rhoads
Hall of Fame
Hall of Fame

Are you a partner? If so, there is an available tool that support FWSM configuration file conversion to ASA 55xx.

https://fwm.cisco.com

While it doesn't specifically support FirePOWER 4100 as the target, you would choose say a 5555-X only need to modify interfaces to accommodate that platform. The target ASA software is only 9.2(1) but that would not make a difference for your purposes. Of course you assign interfaces on a FirePOWER 4100 via the FX-OS Chassis Manager so that would be a manual process.

I have used the FWM tool successfully on several larger migrations to 5585-X. I also run the configuration through some cleanup first and double check the NAT conversions using the tools available at tunnelsup.com

Hello Marvin,

The tool you pointed out worked very well and brought me to v9.2(1).

I was trying to do it myself in Perl - had trouble with a lot of corner cases, and the scripts kept growing.

Indeed, the interfaces assignation (and bundling into port-channels) are done from the chassis.

Fixing the subinterface names & cleanup was trivial.

I will also look up the tools at tunnelsup.

Thank you very much for your help !!!

Thank you Marvin.

Hello Marvin

Migration from FWSM  to  Firepower 9300 FTD 6.1.

I have a very big configuration file any advice or thoughts. 

thanks

Yes, that can be done also. I'd recommend the following:

1. Work with your Cisco SE or a partner (if you aren't already one) to run things through FWM tool. Scrub things with tunnelsup and an experienced eye to review it all.

2. There is another brand new partner / internal tool for migration from ASA to FTD.

If it's part of a large deal you may even be able to convince Cisco to give you a loaner 5585-X to vet the ASA migration prior to moving it onto FTD.

Hello Marvin,

I have FWSM module on 6500 switch. I need to upgrade FWSM to firepower 4140. please I need your recommendation on this .

 

much appreciated.

 

thanks,

 

Haitham Jneid

 

 

Hello,

 

We are planning to migrate from

 

=======================================================================

Cisco Adaptive Security Appliance Software Version 9.1(5)1

Device Manager Version 7.4(2)

 

Compiled on Fri 04-Apr-14 16:15 PDT by builders

System image file is "disk0:/asa915-1-smp-k8.bin"

Config file at boot was "startup-config"

 

hqasasmfw01 up 51 days 15 hours

failover cluster up 51 days 15 hours

 

Hardware:   WS-SVC-ASA-SM1, 24576 MB RAM, CPU Xeon 5600 series 2000 MHz, 2 CPUs (24 cores)

Internal ATA Compact Flash, 8192MB

BIOS Flash M25P32 @ 0x0, 64KB

====================================================================================

Model

Cisco Firepower Management Center 3500 (66)

 

Model Cisco Firepower Management Center 3500 (66)

To Firepower 6.0.1.1-1023

 

Can you provide some guidance on what is the best way to approach this.

 

Thank you,

 

Geoffrey Zakayo

Sr. Cloud & Data Center Engineer

Kelly Services

Cell: 425.753.4379 | Email: GEOZ905@kellyservices.com

 

hi marvin,

i used this tool before few years ago on a 5510 8.2 > 5525-X 9.x but it only had a handful NAT and ACL to be converted, so it's still manageable.

 

i have an ASA 5520 8.2 config to convert a 9.1 (for a 5555-X) using the FWM tool but this time it has a lot of NAT/ACL config which manual conversion isn't going to be practical (using the tunnelsup.com tool). and given only a few days to get this done (closing projects before 2018 ends).

 

my question is, how accurate is the FWM tool given with a lot of 8.2 NAT/ACL to convert? is it 100%

did you run into a problem where a NAT or ACL was converted wrongly (or missed)?

I've not had any issue with the FWM tool's migration accuracy. That said, I've only done about 5-6 migrations using it so I have a limited sample size. I've not done any huge (e.g., 10,000+ line configuration files) with it. My customers tend to have smaller configurations.

thanks marvin!

i would say the 8.2 ACL/NAT config would not exceed 100+ lines. so i'm quite hesitant using this tool.

but there's also time constraint, so i'm forced to use this tool.

Good afternoon,

Does anybody still have a copy of the FWM Tool that they could share with me. 

thanks in advance

Ian

 

 

 

FWM was referring to a Cisco portal for staff and partners to use. It was at fwm.cisco.com. However it has long since been deprecated in favor of the Secure Firewall Migration tool. It no longer supports the old ASA Security modules (ASASM). Supported source ASA platforms can be found here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool/m-getting-started-with-the-secure-firewall-migration-tool.html#id_70647

The tool is freely downloadable from Cisco.

Review Cisco Networking for a $25 gift card