cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
322
Views
10
Helpful
3
Replies
Highlighted
Beginner

ike policy mismach migration ASA to FTD

Hi, 

I am migrating a context which have many site to site vpn tunnels ( preshared key ) from ASA to FTD. I cannot find the same options in FTD to match the config. 

 

1- Encryption algorithms > Ikev1 and v2 policy. In ASA there are many policies selected but in FTD i can only select one.

2- How can i match the config in ACL manager on ASA to FTD ?

3- IPsec Enabling > group policy ? The options do not match in ASA ans FTD

4- There is a command in ASA running config "sysopt permit-vpn". So should i check "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" on FTD for every tunnel ?

5- crypto maps in FTD ?

3 REPLIES 3
Highlighted
VIP Advisor

Hi,
How are you managing the FTD? FDM (local), FMC (central) or CDO (cloud managed).

All of what you mention are possible, follow the SIte-to-Site VPN wizard will allow you to add or create IKEv1/IKEv2 and IPSec policies to select the algorithms to use.

When configuring the VPN you select the "Protected Networks" which relates to the ASA's ACL used to define the interesting traffic to be encrypted.

The Group Policies attributes are similar between ASA and FTD, the GUI is not.

Instead of bypassing traffic, just define rules in the Access Control Policy to permit/deny traffic.

The FTD currently only supports Crypto Maps, so when you run the wizard to configure a VPN, that is the type of VPN that is configured.

HTH
Highlighted

-I am using FMC. IKEv1/IKEv2 policies i have option to choose only one profile but in ASA there are multiple. I read that this would not be an issue as the two sides negotiate policy one by one and select whatever matches in the list.
-How to assign the group policy to a tunnel ?
- i have around 50 tunnels that are configured on ASA. Their configuration is just under Tunnel Groups. How to migrate those ?
Highlighted

Hi,

Regarding having more than one policy, this is known limitation in fmc. If
you need more policies, cisco approach is to configure them using
flexconfig.

I am not sure about a tool to migrate the 50 tunnels. You might need to do
them manually or script them through api.

**** please remember to rate useful posts