Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2306
Views
30
Helpful
6
Replies

Migrating ASA to FTD

dvalinho
Level 1
Level 1

‎02-15-2019 12:41 AM - edited ‎02-21-2020 08:49 AM

Hello Cisco

My ASA is in Active/Standby and my Ftd boxes have to be in HA as well:
 
1)Is an FMC or FMCv mandatory to perform HA on FTD?
 
 
2)Do i need to configure HA on my FTD boxes before migrating the ASA Configuration? If not, Can the migrated file be uploaded on just one box then we configure HA for config sync?
 
3)Can i migrate the ASA configuration with the Migration Tool then export it from the Firepower Device Manager for each box?
 
4) Finally do i need any specific license?
 
Thanks for your return.
0 Helpful
6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

‎02-16-2019 07:41 PM

1. As of release 6.3 you can now do High Availability with either FMC or the local firepower Device Manager (FDM).

 

2. You can configure either way - start with migrating to standalone and then make it HA or migrate direct to HA.

 

3. If you use the migration tool (vs. manual migration) then you have to use FMC.

 

4. No. Note that when in HA, each FTD device requires the relevant feature licenses such as Base, URL Filtering or Malware.

dvalinho
Level 1
Level 1
In response to Marvin Rhoads

‎02-22-2019 01:23 AM

Thanks Marvin for your return, it is helpful.

Let's say i go for the manual migration from ASA-X to FTD 4100. Do i need to collect VPN Pre-shared keys or other keys or can I just copy and paste from the old config file?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to dvalinho

‎02-22-2019 02:25 AM - edited ‎02-22-2019 02:25 AM

For VPN pre-shared keys you need to have them in plain text. You can retrieve them from the ASA if you get the running-config using the command:

more system:running-config

If your ASA is using a CA-signed certificate that will have to be rehosted on the new appliances. Unless you have the original  private key used (e.g. if you used OpenSSL to create the original CSR) or made it exportable when you first created it, you will have to regenerate a CSR and get the CA to issue the certificate.

dvalinho
Level 1
Level 1
In response to Marvin Rhoads

‎02-25-2019 07:45 AM

Thank you so much.

One last question, can the FMCv can do the same job the FMC do(in regard to the migration tool)??

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to dvalinho

‎02-25-2019 08:11 AM

FMCv vs. FMC physical appliance are equivalent with respect to migration tool functionality.

 

The physical appliances can themselves be configured as HA and have increased scalability (for managing more sensors and ingesting and storing more events). Other than that, they are functionally equivalent.

dvalinho
Level 1
Level 1
In response to Marvin Rhoads

‎02-25-2019 10:21 PM

Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card