Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3134
Views
0
Helpful
15
Replies

Replace CISCO ASA 5500 with 5555

Slippy_Skin
Level 1
Level 1

‎07-07-2020 04:31 AM

Good day All,

 

I have the requirement to replace a currently running ASA 5550 with a new 5555 (actually must do this twice)

I have, using the Quick Start guides, and with help from here, got the new 5555 up and running, with a default config, and the latest FW and patches..

 

It has been suggested that I literally copy and paste the "show running config" from the old FW(and of course use the same cable ports) to the new..

 

Not sure this is a good idea for various reasons:

1. Old config created by a provious Tech, it works but is it the best way of doing things?
2. New FW runs Firepower, so presuably the old config won't work ?

 

Any tips and pointers appreciated.

Cheers,
Slip

0 Helpful
15 Replies 15

Rob Ingram
VIP
VIP

‎07-07-2020 04:38 AM

Hi,


You cannot just copy the old ASA configuration and apply to the FTD. How are you managing the FTD, using FMC (central management), FDM (local management) or CDO (cloud management). You could use the Firepower Migration Tool (FMT) which will import the old ASA configuration. This is supported on FMC and CDO. If you were using FDM to manage the FTD, you'd have to use CDO, which relies on FDM

 

Reference here.

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CDO/ASA2FTD_Using_CDO/ASA2FTD_with_FP_Migration_Tool_cdo_chapter_011.html

 

Alternatively you coild re-image the FTD to ASA and then import the configuration, however you do not get the NGFW features that is supported when using FTD.

 

HTH

0 Helpful

Slippy_Skin
Level 1
Level 1
In response to Rob Ingram

‎07-07-2020 05:43 AM - edited ‎07-08-2020 03:55 AM

@Rob Ingram 

 

Thanks for the feedback holy moly acronym hell :-)

 

One for you : https://www.youtube.com/watch?v=CNTM9iM1eVw

 

>You cannot just copy the old ASA configuration and apply to the FTD

FTD ? ahh Google is your friend Firepower Threat Defese.. :-)

 

>How are you managing the FTD

 

Currently with the CISCO ASDM GUI..

The Firewall is not Internet connected (when live), so that I guess that rules out CDO ? It could be temporarily connected ? Migration sounds a good plan if possible because as you have guessed we don't (it seems) have CISCO skills (although eager to learn)..

 

I will look at you link also thanks.

 

Cheers,

Slip

0 Helpful

Rob Ingram
VIP
VIP
In response to Slippy_Skin

‎07-07-2020 06:08 AM

Ah British humor!!

If you are using ASDM GUI with Firepower then you are actually using ASA with Firepower Services, which uses ASA plus Firepower features. I'd neglected to mention that is another option. It isn't going to be around much longer, FTD is the future. If the firewall isn't going to be connected to the internet then you probably don't need the NGFW features, no point managing via CDO.

As you are still using ASA then you could just copy and paste via the CLI the bulk of the configuration, potentially interfaces may be different, but easily amended.

Provide any errors for review
0 Helpful

Slippy_Skin
Level 1
Level 1
In response to Rob Ingram

‎07-08-2020 03:27 AM

Ahh then it looks like copy and paste may be a way..

 

>I'd neglected to mention that is another option. It isn't going to be around much longer, FTD is the future.

 

Ahh I thought we were using FTD.. :-( Any tips on using that ? Is that different from ISA/Firepower modules managed by ASDM ?

I followed https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html

and https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

I looked at the Firepower Management Center but I believe that needs a vm-ware VM..

0 Helpful

Rob Ingram
VIP
VIP
In response to Slippy_Skin

‎07-08-2020 03:40 AM

Management wise the FTD can be manage locally using FDM, centrally using FMC or cloud base using CDO. The FMC can either be VM or physical, if you only have 1 device to manage then usually you would use FDM.

 

You cannot configure FTD using the CLI, all configuration is via the GUI of FDM, FMC or CDO.

 

You should be able to reimage your ASA 5555 to FTD if required.

0 Helpful

Slippy_Skin
Level 1
Level 1
In response to Rob Ingram

‎07-08-2020 04:04 AM

Ahh so my options are?

 

1. Reimage and manage using the FDM (Firepower Device Manager) like this : https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-fdm-5500x-qsg.html ?

 

But if I do I will need a fresh install ? How do I reimage, and I can't copy and paste the current (old) config onto the 5555

 

2. Contiune as is with ASA and the Firepower modules and copy/paste - but you say this is to be discontinued ?

 

0 Helpful

Rob Ingram
VIP
VIP
In response to Slippy_Skin

‎07-08-2020 04:12 AM

Yes, fresh install, checkout the re-image guide

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html

 

You would need to manual re-configure the FTD using the FDM GUI, or use CDO as a migration tool. It depends on how big your configuration is, it might not take that long to manually configure a new device.

 

Check out this basic FDM configuration guide.

 

Yes, you could carry on with ASA with F/S, but that is no longer being developed....no idea when it will be EOL. FTD is the future, so might as well spend your time migrating.

 

0 Helpful

Slippy_Skin
Level 1
Level 1
In response to Rob Ingram

‎07-08-2020 04:27 AM

OK thanks I will ask the team. Thankyou for all your help. May I keep this thread "open" in case we get stuck ?
0 Helpful

Slippy_Skin
Level 1
Level 1
In response to Rob Ingram

‎07-10-2020 03:44 AM

@Rob Ingram
Morning, OK the decision is to go with FDM..

A quick question if I may, do I have to reimage the FW ? as it is allready running Firepower (as licenced etc through the Quick Start guides and I can see all the Firepower tabs in ASDM..

Cheers,
Slip
0 Helpful

Rob Ingram
VIP
VIP
In response to Slippy_Skin

‎07-10-2020 03:51 AM

Yes, you will need to re-image the device from ASA to FTD, it's pretty straight forward.

Refer to the correct section in the following guide:-

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#id_51368

0 Helpful

Slippy_Skin
Level 1
Level 1
In response to Rob Ingram

‎07-10-2020 04:43 AM

Rob,

Is that because when I ran the original install through it put the FW in ASA only mode or the like ?
I followed this : https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html
0 Helpful

Rob Ingram
VIP
VIP
In response to Slippy_Skin

‎07-10-2020 05:12 AM

It's older hardware it probably came installed with ASA software. Newer hardware you can select when ordering if you want ASA or FTD software installed as default.

0 Helpful

Slippy_Skin
Level 1
Level 1
In response to Rob Ingram

‎07-10-2020 05:21 AM

The 5555-x is older hardware ?
The packing list states SF-ASA-FP6.2.2-K9 CISCO Firepower Software V6.2.2 for ASA 5500-X and ASA5555 Control Licence.
Just wondering really, if the wrong thing was ordered fair dues I will attempt the re-image..
0 Helpful

Rob Ingram
VIP
VIP
In response to Slippy_Skin

‎07-10-2020 05:34 AM

Yes, the 5555-x was released in 2012 and will be End of Sale in Sept 2020.
Newer Firepower 1000, 2100, 4100 and 9300 hardware have been available for a while now.
It's end users' preference what image you buy with pre-installed and what image you wish to run.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card