Replace CISCO ASA 5500 with 5555

Slippy_Skin
Level 1

Good day All,

 

I have the requirement to replace a currently running ASA 5550 with a new 5555 (actually must do this twice)

I have, using the Quick Start guides, and with help from here, got the new 5555 up and running, with a default config, and the latest FW and patches..

 

It has been suggested that I literally copy and paste the "show running config" from the old FW(and of course use the same cable ports) to the new..

 

Not sure this is a good idea for various reasons:

1. Old config created by a previous Tech, it works but is it the best way of doing things?
2. New FW runs Firepower, so presumably the old config won't work?

 

Any tips and pointers appreciated.

Cheers,
Slip


Hi,


You cannot just copy the old ASA configuration and apply it to the FTD. How are you managing the FTD: using FMC (central management), FDM (local management) or CDO (cloud management)? You could use the Firepower Migration Tool (FMT), which will import the old ASA configuration. This is supported on FMC and CDO. If you were using FDM to manage the FTD, you'd have to use CDO, which relies on FDM.

 

Reference here.

https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CDO/ASA2FTD_Using_CDO/ASA2FTD_with_FP_Migration_Tool_cdo_chapter_011.html

 

Alternatively you could re-image the FTD to ASA and then import the configuration, however you do not get the NGFW features that are supported when using FTD.

 

HTH

@Rob Ingram 

 

Thanks for the feedback, holy moly, acronym hell :-)

 

One for you : https://www.youtube.com/watch?v=CNTM9iM1eVw

 

>You cannot just copy the old ASA configuration and apply to the FTD

FTD? Ahh, Google is your friend: Firepower Threat Defense.. :-)

 

>How are you managing the FTD

 

Currently with the CISCO ASDM GUI..

The Firewall is not Internet connected (when live), so I guess that rules out CDO? It could be temporarily connected? Migration sounds a good plan if possible because, as you have guessed, we don't (it seems) have CISCO skills (although eager to learn)..

 

I will look at your link also, thanks.

 

Cheers,

Slip


Ah British humor!!

If you are using the ASDM GUI with Firepower then you are actually using ASA with Firepower Services, which uses ASA plus Firepower features. I'd neglected to mention that is another option. It isn't going to be around much longer, FTD is the future. If the firewall isn't going to be connected to the internet then you probably don't need the NGFW features, so there is no point managing via CDO.

As you are still using ASA then you could just copy and paste the bulk of the configuration via the CLI; potentially the interfaces may be different, but that is easily amended.

Provide any errors for review.
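The interface-name mismatch mentioned above is the part of a copy-and-paste migration most likely to go wrong, so here is an added example (not code from the thread or from Cisco) that remaps interface names in an ASA running-config before it is pasted into the new box and reports any interface it could not map. The config excerpt and the old-to-new port mapping are constructed assumptions; check both against "show interface ip brief" on the real devices.

```python
import re

# Constructed excerpt of an ASA 5550 "show running-config" (not from the thread).
OLD_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
failover lan interface folink GigabitEthernet0/3
"""

# Assumed mapping old port -> new port. The slot-1 ports of the old chassis
# (GigabitEthernet1/x) are assumed not to exist on the replacement, so they are
# moved onto free onboard ports. Verify on both devices before pasting anything.
PORT_MAP = {
    "GigabitEthernet0/0": "GigabitEthernet0/0",
    "GigabitEthernet1/0": "GigabitEthernet0/1",
    "GigabitEthernet0/3": "GigabitEthernet0/2",
    "Management0/0": "Management0/0",
}

# Matches physical interface names wherever they appear (interface stanzas,
# failover and monitor commands), not just at the start of a line.
IFACE_RE = re.compile(r"\b(?:GigabitEthernet|TenGigabitEthernet|Management)\d+/\d+\b")


def remap_config(config, port_map):
    """Rewrite interface names per port_map; return (new_config, unmapped_names)."""
    unmapped = set()

    def swap(match):
        name = match.group(0)
        if name not in port_map:
            unmapped.add(name)   # leave it unchanged so it stands out for review
            return name
        return port_map[name]

    return IFACE_RE.sub(swap, config), sorted(unmapped)
```

Run it over the full running-config, paste only when the unmapped list is empty, and diff the result against "show running-config" on the new box afterwards.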

Ahh then it looks like copy and paste may be a way..

 

>I'd neglected to mention that is another option. It isn't going to be around much longer, FTD is the future.

 

Ahh, I thought we were using FTD.. :-( Any tips on using that? Is that different from ASA/Firepower modules managed by ASDM?

I followed https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html

and https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/sfr/firepower-qsg.html

I looked at the Firepower Management Center but I believe that needs a VMware VM..

Management wise, the FTD can be managed locally using FDM, centrally using FMC or cloud-based using CDO. The FMC can either be a VM or physical; if you only have 1 device to manage then usually you would use FDM.

 

You cannot configure FTD using the CLI, all configuration is via the GUI of FDM, FMC or CDO.

 

You should be able to reimage your ASA 5555 to FTD if required.

Ahh so my options are?

 

1. Reimage and manage using the FDM (Firepower Device Manager) like this : https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/5500X/ftd-fdm-5500x-qsg.html ?

 

But if I do, I will need a fresh install? How do I reimage, and I can't copy and paste the current (old) config onto the 5555?

 

2. Continue as is with ASA and the Firepower modules and copy/paste - but you say this is to be discontinued?

 

Yes, fresh install, check out the re-image guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html

 

You would need to manually re-configure the FTD using the FDM GUI, or use CDO as a migration tool. It depends on how big your configuration is; it might not take that long to manually configure a new device.

 

Check out this basic FDM configuration guide.

 

Yes, you could carry on with ASA with F/S, but that is no longer being developed... no idea when it will be EOL. FTD is the future, so you might as well spend your time migrating.

 

OK thanks, I will ask the team. Thank you for all your help. May I keep this thread "open" in case we get stuck?

@Rob Ingram
Morning, OK the decision is to go with FDM..

A quick question if I may: do I have to reimage the FW, as it is already running Firepower (as licensed etc. through the Quick Start guides) and I can see all the Firepower tabs in ASDM?

Cheers,
Slip

Yes, you will need to re-image the device from ASA to FTD, it's pretty straightforward.

Refer to the correct section in the following guide:

https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html#id_51368

Rob,

Is that because when I ran the original install through, it put the FW in ASA-only mode or the like?
I followed this : https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html

It's older hardware, it probably came with ASA software installed. With newer hardware you can select when ordering whether you want ASA or FTD software installed as default.

The 5555-x is older hardware?
The packing list states SF-ASA-FP6.2.2-K9 CISCO Firepower Software V6.2.2 for ASA 5500-X and ASA5555 Control Licence.
Just wondering really, if the wrong thing was ordered fair dues I will attempt the re-image..

Yes, the 5555-x was released in 2012 and will be End of Sale in Sept 2020.
Newer Firepower 1000, 2100, 4100 and 9300 hardware has been available for a while now.
It's the end user's preference which image you buy it pre-installed with and which image you wish to run.