Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1573
Views
0
Helpful
6
Replies

Migration from ASA firewall to Cisco Firepower 2110

abdullah ba abdullah
Level 1
Level 1

‎01-05-2018 10:35 AM - edited ‎02-21-2020 07:04 AM

Dear all:

 

I have the new project that we already I have Cisco ASA 5550 firewall now we got 2 Cisco Firepower 2110 

2 devices as active-active. now I need to move or migrate the configuration to Cisco Firepower from ASA.

right now I have on my network 2 ASA ( 1 for a proxy for my local network and other ASA firewall for VPN )

I want to move all these configurations to  new 2 Cisco firepower 2110

can you tell how to do the migration steps?

thanks

Labels:
0 Helpful
6 Replies 6

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-06-2018 05:21 AM

Please see the following guide which describes the process in detail:

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/621/asa2ftd-migration/asa2ftd-migration-guide-621.html

0 Helpful

Andy Infante
Level 1
Level 1
In response to Marvin Rhoads

‎06-22-2018 08:15 AM

Marvin,

 

Have you actually performed a migration from ASA to Firepower?

 

I'm in the process of taking a checkpoint configuration, converting to ASA, then converting to Firepower.  The original ruleset was about 700 rules, ASA conversion brought that to over 7600 access-list commands, but when I import the ASA config into sourcefire for conversion, I get over 9900 rules in the FMC.  That just seems not only ridiculous but it has to be wrong/bug??

 

Any ideas?  I'm going to be opening a ticket with the TAC, but just wanted to see the community's thoughts...

 

Andy

0 Helpful

workforcesoftware
Level 1
Level 1
In response to Andy Infante

‎06-25-2018 11:53 AM

It's been my experience that the migration tool isn't ready for prime time. I found it much easier to just create new policies and apply them to the new device. We moved from ASA5555's to Firepower 2110's and tried the migration, but were met with the same result, plus the policy wouldn't allow us to edit the rules properly. With the need to add in malware, IPS, and logging settings to each ACE, it's just easier to make a new one, especially if you'll have to touch each entry anyway.
0 Helpful

Andy Infante
Level 1
Level 1
In response to workforcesoftware

‎06-25-2018 05:06 PM

Unfortunately there's hundreds of objects too and a hundred Nat rules so it might be worth it to me to get that part of the config imported even if I have to edit or delete 10000 rules.
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Andy Infante

‎06-25-2018 09:19 PM

I've not done any production migrations myself.

 

If you can wait a couple of weeks, the new migration tool should be out. It should do a MUCH better job at the things it covers. (It uses the REST API exclusively and includes objects, ACLs NAT rules etc.)

0 Helpful

Andy Infante
Level 1
Level 1
In response to Marvin Rhoads

‎06-26-2018 06:17 AM

Can't wait. In process of migration for a client and cutover is scheduled in 3 weeks.


0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card