
How do I migrate from a 5506x to Firepower1010?

matt.leo.SGS
Level 1

I'm at a loss here. Apparently they don't want me to post my issue, as it keeps kicking me back saying I'm posting private/personally identifying information that I'm not... Simply put, FMC isn't accepting the devices, so I can't use it to migrate. Do I need to simply put "set" in front of every line from the 5506's exported config file to bring it into the new Firepower 1010?

 

Thanks for any insight you can provide.

Accepted Solutions

matt.leo.SGS
Level 1

So finally found an article that said you could load the ASA software onto the 1010. https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1010/firepower-1010-gsg/asa.html Once I downloaded and installed via USB it's now running the ASA software and I was able to get most of the config moved over and created the ones that did not copy over because of SSL's or other security info. Now I just need to get the rest of my licenses applied to the new device and I'm all set.

Hope this helps anyone else that needs it.


@matt.leo.SGS use the Firepower Migration Tool (FMT) to migrate the ASA configuration and import to the FMC; you can then deploy on your new FPR1010 device.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide/ASA2FTD-with-FP-Migration-Tool.html

 

After pointing it to the FMC it states no FTD's detected. What's next?

@matt.leo.SGS Well, you have 2 options.

 

You can use one of the following methods to obtain an ASA configuration file:

If you have a problem connecting to the FMC, export the ASA configuration and import.

So how do I import the ASA config file into the 1010? I've already exported it as stated in initial post. Image is all I see in the 1010. I'm new to the Firepower devices.

Do the initial setup (bootstrap) on your Firepower 1010 and register it to your FMC. Once that is completed then run your FMT and it will allow you to target the 1010 as the destination device.

We generally don't configure devices running FTD from the CLI. Only a very few configuration commands (beyond the bootstrapping setup where we configure the management interface, gateway, NTP, DNS, etc.) are supported in the FTD CLI. Everything else is done from FMC (in the case of the FMC-managed option) or via the local GUI (Firepower Device Manager or FDM). FDM can work along with the cloud management option CDO. However, once you choose FMC management, FDM (and CDO) are no longer allowed.

You export the ASA configuration and import to the FMT. The FMT connects to the FMC and pushes the configuration. The 1010 only receives the configuration via the FMC; you cannot directly import to the 1010 if the FMC is managing it. I suggest you read the guide for further information.

But the FMC is not managing it. It's not connected to either device. I only set up the FMC VM as it appeared to be what was required to run the FMT. If another migration method exists I'm all for it, since the FMC doesn't appear to be communicating with the devices.

If you aren't managing your device with FMC then you cannot use the FMT to migrate the configuration.

There are three methods to migrate Adaptive Security Appliance (ASA) configurations to Firepower Threat Defense (FTD) devices:

  • CDO solution—If you intend to migrate your ASA configurations to FTD devices and manage them with Cisco Defense Orchestrator (CDO) and Firepower Device Manager (FDM), use the cloud-based process in CDO to migrate your ASA configurations.

  • On-Premise solution (FMC)—If you intend to migrate your ASA configurations to FTD devices and manage them with Firepower Management Center (FMC), use the desktop application method to migrate your ASA configurations.

    To download the latest version of the Firepower Migration Tool, browse to https://software.cisco.com/download/home/286306503/type and click Firepower Migration Tool.

    You can also download the Migration Tool from the Firepower Threat Defense device download page.

  • On-Premise solution (FDM)—If you intend to migrate your ASA configurations to FTD devices and manage them with Firepower Device Manager (FDM), use the cloud-based process in CDO to migrate your ASA configurations. You can then use FDM to manage your configuration.

Either FMC or CDO methods require licenses for those respective products. A CDO license for a single Firepower 1010 is quite inexpensive.
