Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1108
Views
0
Helpful
1
Replies

Partial Conversion of ASA to Firepower

baskervi
Level 1
Level 1

‎10-01-2020 06:44 AM

I just started with an organization that did an ASA to Firepower conversion and then significantly modified and updated the Firepower configuration. The Firepower is not yet in production. Looking at the history of the ASA (a 5520), I think ages ago when it was converted from 8.2(5) to 8.4(x), the autoconversion process threw in many, many uneeded NAT rules. There are 1,436 NAT statements, and less than 120 are needed. Consequently, all 1,436 rules are in the Firepower, along with another 100 or so lines of configuration. 

 

The bulk of the reconfiguration on the Firepower has been with reorganizing the ACLs, e.g. reorganizing some, removing a few more, and sorting by interface. 

 

What I'd like to do is the following:

 

1) Clean up the ASA. I have identified all changes and have a text file with all information.

2) Strip out information from the ASA configuration for the portions I want to keep on the Firepower (specifically the ACLs).

3) Do some magic (this is where I need help) that will remove thousands of extraneous entries from the Firepower, convert the desires portions of the ASA configuration into what the Firepower can ingest, and merge things together.

 

I thought about saving the Firepower configuration, converting the ASA configuration, copying the converted ASA configuration into the appropriate Firepower section, re-uploading the resulting configuration into Firepower, and be off on my way. Will this work? Is there a better way? Will this not work? Unfortunately, I don't have another Firepower to test this on, and I live about 3 hours from where the Firepower is currently located. Thanks for any advice.

0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-02-2020 10:23 AM

This kind of scenario is a real challenge with FMC. I brought with up with the team who manages the Firepower Migration Tool and they admitted it is a shortcoming of the tool as it exists. Once you get all of those unneeded objects into FMC it's hard to get them out. (When you use CDO it's much easier.)

I'd run a fresh migration from scratch using the cleaned up ASA config. It won't help with the unused objects in FMC but at least the target FTD device should be clean as far as its running-config.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card