11-23-2022 09:44 AM
I am working on migrating from an ASASM to FMC/FTD. I know that the ASASM isn't fully supported by the Firepower Migration Tool, but the policy and objects are pretty long so we are doing what we can with it, and the TAC said that it would not migrate interfaces and static routes. However, I have tested the migration several times and the policy does come over, but the post-migration report shows that not all of the objects and policy were migrated over (lines from the config were ignored). I did manually create the interfaces on the FTD before doing the migration.
I'll probably end up opening a new TAC case but I figured I'd ask here first. Has anyone done this kind of migration and is there a way to get all of the ACLs and objects successfully migrated over without having to do it all manually? At the moment I'm thinking we'll run the migration tool and then have to go through the post migration report to manually add all the configuration that was ignored. It's going to be very time consuming so I'm hoping to find some ways to speed things up. Thank you.
11-23-2022 09:54 AM
Sometimes the migration tool does not do 100% of what you expected, due to some odd config issues, to be honest.
Since you have a TAC case, they are the better SME for your case and they can review your config, since we do not have visibility into your config or what worked and what failed here.
11-23-2022 09:58 AM
Thank you for your response. We had a TAC case over the summer but it was closed since the project was delayed. I will open a new TAC case to see if they can help us.
11-23-2022 11:03 AM
Hi @ben.levin1,
If you have or can get a standard ASA (like ASAv or any of the 5500-X models, with newer SW like 9.8+), you could try to manually copy the ASASM config over to ASAv. While copying the config, if you spot any issues, you can fix them right then and there. Once that is done, you can try again with FMT and see what the results are.
Kind regards,
Milos
11-23-2022 08:24 PM
What version is your ASASM running? If it's 8.4+ then the suggestion by @Milos_Jovanovic is how I'd suggest proceeding. That method should get you a clean migration using FMT.
11-24-2022 12:14 AM
We have tried FWSM to ASAv and then FTD; the results were not as expected. I am sure you will need to do manual work for many, many lines.
If the config is simple, I would take the opportunity to clean up many rules and information that is not required (which we don't remove, and rules that are not hit also keep increasing organically).
11-24-2022 05:29 AM
If I remember correctly, FWSM is using pre-8.3 ASA syntax, so it falls down to a migration from pre-8.3 to post-8.3, which is a complication of its own, and I fully agree: existing automated tools are not providing the best results in such a case.
What I was suggesting is the same as what @Marvin Rhoads explained better, with more details: if the ASASM is using post-8.3 syntax, then manual input of the config, without too much config, to ASAv (which is always post-8.3) can be used.
Kind regards,
Milos
11-24-2022 05:45 AM
If I recall correctly ASASM (not FWSM) was an 8.6+ device.
Since the VLAN groups don't have any real analogue in ASA (or FTD) then doing as @Milos_Jovanovic suggests would be the best bet. That should get the ACLs and NAT rules transferred with associated objects. That comprises the bulk of the configuration by number of lines. Routing and interface configurations would need to be done manually.