Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
715
Views
0
Helpful
6
Replies

Migrating from ASA to FTD- Assistance Needed

rrobinson2191
Level 1
Level 1

‎05-17-2024 01:46 PM

Good Afternoon,

I have an ASA 5525-X on 9.12.x.  We have been working with TAC to try and migrate our ASA config to a Firepower 2120 running FTD code.  We also have CDO.  We are hoping to use CDO's ASA to FTD conversion tool, but so far as been wildly unsuccessful.  We have had several cases open  with TAC, and they cant seem to figure out what is wrong either.

The latest attempt ended up with only the Inside-->Outside Rules coming over, and all of our network objects.  The rules that came over were not in the order they exist inside the ASA.

I reimaged the Firepower device to remove all traces of the botched config and re-enrolled in CDO.  I am getting the follow error messsage on the import:

rrobinson2191_0-1715978245010.png

Before this, I had these three lines error out on the conversion:

rrobinson2191_1-1715978325459.png

When we removed these lines, and imported, only a portion on the ACLs actually come over.

Just as a side note:  I have tried using the firewall migration tool inside CDO as well.  That tool only copied a fraction of the network objects, but did get all our rules, but because it couldnt "connect" to the FTD, it just ran and finished (successfully) but didnt generate a file to update from what I can tell...

 

If anyone has any experience moving from ASA to FTD, could you lend me some wisdom on what we need to do to make this jump?

 

Thanks

0 Helpful
6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-20-2024 09:15 AM

I migrated a few in a lab setting and it worked fine. I would not expect the control-plane ACL to migrate since that is only supported via flexconfig.

Did your source ASA have a Firepower service module and are you trying to migrate its settings as well? If so, did you try migrating without including that?

0 Helpful

rrobinson2191
Level 1
Level 1
In response to Marvin Rhoads

‎05-20-2024 09:17 AM

Good Morning! Thanks for reply. The ASA does have a FIrepower Module. We are not trying to move that instance.

I have a meeting with Cisco at 2 to try again...

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to rrobinson2191

‎05-20-2024 10:24 AM

OK, thanks for that info. Please keep us updated on what they find.

0 Helpful

Jon Are Endrerud
Level 3
Level 3

‎05-23-2024 06:58 AM

I have converted several confgurations from ASA to FTD and found it best to do it from scratch, how big is your config ? Whith automatic convertion you will end up with alot of thing that you will need to fix anyway.

Please rate as helpful, if that would be the case. Thanx
0 Helpful

AHack210
Cisco Employee
Cisco Employee

‎05-23-2024 10:43 AM

Hi, so the tool in CDO is the same FMT tool available via cisco downloads, but just a containerized version with more frequent fixes and patches, (advantage of a SaaS platform!). I will pass this thread along.

0 Helpful

AHack210
Cisco Employee
Cisco Employee
In response to AHack210

‎05-23-2024 10:44 AM

FYI a new FMT version rolled out in CDO this morning.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card