1574 Views | 0 Helpful | 6 Replies

Migration from ASA firewall to Cisco Firepower 2110

Dear all,

I have a new project. We already have a Cisco ASA 5550 firewall, and now we have two Cisco Firepower 2110 devices running as active-active. Now I need to move or migrate the configuration from the ASA to the Cisco Firepower.

Right now I have two ASAs on my network (one acting as a proxy for my local network, and the other ASA firewall for VPN).

I want to move all of these configurations to the two new Cisco Firepower 2110s.

Can you tell me the migration steps?

Thanks

6 Replies

Marvin Rhoads
Hall of Fame

Please see the following guide, which describes the process in detail:

https://www.cisco.com/c/en/us/td/docs/security/firepower/621/asa2ftd-migration/asa2ftd-migration-guide-621.html

Marvin,

Have you actually performed a migration from ASA to Firepower?

I'm in the process of taking a Checkpoint configuration, converting it to ASA, then converting that to Firepower. The original ruleset was about 700 rules; the ASA conversion brought that to over 7600 access-list commands, but when I import the ASA config into Sourcefire for conversion, I get over 9900 rules in the FMC. That seems not only ridiculous, but it has to be wrong, or a bug??

Any ideas? I'm going to be opening a ticket with the TAC, but just wanted to see the community's thoughts...

Andy
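One reason an access-list count can grow between the ASA CLI and what a migration tool reports: the ASA expands every object-group reference in an ACE into one entry per member combination (the expanded count is what `show access-list` reports), so a single line with three groups of 3, 4 and 2 members becomes 24 entries. A pre-migration check a practitioner can run is to compute that expanded count from the ASA running-config before importing it. The script below is an added example, not code from this thread or from Cisco's migration tool; the config fragment and all object-group and ACL names in it are constructed for illustration.

```python
"""Estimate how many access-control entries an ASA access-list expands to.

Added example (not from the thread). Parses an ASA config fragment, resolves
object-groups (including nested group-object references) and reports, per
access-list, the configured line count and the expanded entry count.
"""
import re
from collections import defaultdict

# Constructed sample config; every name here is hypothetical.
SAMPLE_CONFIG = """
object-group network INSIDE_SUBNETS
 network-object 10.1.0.0 255.255.0.0
 network-object 10.2.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0
object-group network DMZ_SERVERS
 description constructed example group
 network-object host 192.0.2.10
 network-object host 192.0.2.11
 network-object host 192.0.2.12
 network-object host 192.0.2.13
object-group service WEB_PORTS tcp
 port-object eq 80
 port-object eq 443
object-group network ALL_NETS
 group-object INSIDE_SUBNETS
 group-object DMZ_SERVERS
access-list OUTSIDE_IN extended permit tcp object-group INSIDE_SUBNETS object-group DMZ_SERVERS object-group WEB_PORTS
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.20 eq 22
access-list OUTSIDE_IN extended deny ip object-group ALL_NETS any
access-list OUTSIDE_IN extended deny ip any any
"""

OBJECT_GROUP_RE = re.compile(r"^object-group\s+(\S+)\s+(\S+)")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
LEAF_MEMBERS = ("network-object", "port-object", "service-object",
                "protocol-object", "icmp-object")


def parse_object_groups(config):
    """Map object-group name -> list of member token lists."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = OBJECT_GROUP_RE.match(line)
        if m:
            current = m.group(2)
            groups[current] = []
        elif line.startswith(" ") and current is not None:
            tokens = line.split()
            if tokens[0] != "description":   # descriptions are not members
                groups[current].append(tokens)
        else:
            current = None                   # left the object-group block
    return groups


def group_size(groups, name, seen=frozenset()):
    """Leaf member count of a group, following nested group-object refs."""
    if name not in groups:
        raise ValueError(f"access-list references undefined object-group {name}")
    if name in seen:
        raise ValueError(f"recursive object-group reference: {name}")
    total = 0
    for tokens in groups[name]:
        if tokens[0] == "group-object":
            total += group_size(groups, tokens[1], seen | {name})
        elif tokens[0] in LEAF_MEMBERS:
            total += 1
    return total


def ace_expansion(groups, operands):
    """Expanded entry count for one ACE: the product of its operand sizes."""
    tokens, factor, i = operands.split(), 1, 0
    while i < len(tokens):
        t = tokens[i]
        if t == "object-group":
            factor *= group_size(groups, tokens[i + 1])
            i += 2
        elif t in ("host", "object", "interface", "eq", "lt", "gt", "neq"):
            i += 2                            # keyword plus one argument
        elif t == "range":
            i += 3                            # range LOW HIGH
        elif IPV4_RE.match(t):
            i += 2                            # address followed by netmask
        else:
            i += 1                            # protocol, any, log, inactive...
    return factor


def summarize(config):
    """Per access-list: (configured line count, expanded entry count)."""
    groups = parse_object_groups(config)
    lines, expanded = defaultdict(int), defaultdict(int)
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m:
            lines[m.group(1)] += 1
            expanded[m.group(1)] += ace_expansion(groups, m.group(3))
    return {name: (lines[name], expanded[name]) for name in lines}


if __name__ == "__main__":
    for name, (n_lines, n_expanded) in summarize(SAMPLE_CONFIG).items():
        print(f"{name}: {n_lines} configured lines -> {n_expanded} expanded entries")
```

Run it against a real `show running-config` capture to get the expanded figure before importing; a reference to an object-group that is not defined in the capture raises an error rather than silently counting zero, which is exactly the kind of gap worth fixing before a conversion tool sees the file.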

It's been my experience that the migration tool isn't ready for prime time. I found it much easier to just create new policies and apply them to the new device. We moved from ASA 5555s to Firepower 2110s and tried the migration, but were met with the same result, plus the policy wouldn't allow us to edit the rules properly. With the need to add malware, IPS, and logging settings to each ACE, it's just easier to make a new one, especially if you'll have to touch each entry anyway.

Unfortunately there are hundreds of objects too, and a hundred NAT rules, so it might be worth it to me to get that part of the config imported even if I have to edit or delete 10,000 rules.

I've not done any production migrations myself.

If you can wait a couple of weeks, the new migration tool should be out. It should do a MUCH better job at the things it covers. (It uses the REST API exclusively and includes objects, ACLs, NAT rules, etc.)

Can't wait. In process of migration for a client and cutover is scheduled in 3 weeks.

