03-28-2024 05:14 AM
Hello,
I have a question about migrating an IPsec tunnel between a Cisco C891F-K9 router and a Cisco ASA firewall to a tunnel from the same Cisco C891F-K9 router to a Fortigate firewall. What is the 'best' way to migrate this tunnel?
Currently I have configured the tunnel with IKEv1; the configuration is shown below:
! IKEv1 phase 1 policy: AES (128-bit, the default key size for 'encr aes'),
! pre-shared key, DH group 14, 8-hour lifetime; the hash defaults to SHA-1
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key xxxx address x.x.x.x
! IPsec phase 2 transform set: despite the name, this is AES-256 with SHA-1 HMAC, not 3DES
crypto ipsec transform-set ESP_3DES_SHA esp-aes 256 esp-sha-hmac
 mode tunnel
! Crypto map entry for the ASA peer; interesting traffic is selected by ACL 100
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x.x.x.x
 set peer x.x.x.x
 set transform-set ESP_3DES_SHA
 match address 100
! The crypto map is applied to the WAN-facing dialer interface
interface Dialer1
 crypto map SDM_CMAP_1
! Interesting traffic: local 192.168.58.0/24 to each remote subnet behind the ASA
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.61.0 0.0.0.255
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.47.0 0.0.0.255
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 permit ip 192.168.58.0 0.0.0.255 192.168.49.0 0.0.0.255
The subnets that are allowed in the access-list are currently located behind the Cisco ASA firewall, but will eventually be located behind the Fortigate, because the Cisco ASA firewall will be replaced with a Fortigate firewall.
What is the best way to convert the tunnel from the Cisco ASA to the Fortigate? Is it by configuring a second tunnel to the Fortigate, then removing the crypto map on the Dialer1 interface that creates the tunnel to the ASA and adding the new crypto map that creates the tunnel to the Fortigate? Or is there a better way to approach the migration?
Kind regards,
MBestt
03-29-2024 01:11 AM
I want to know the best way to remove the tunnel to the ASA and configure the tunnel to the Fortigate.
If you'd like to use the SAME IP address and the other settings, there is no other way for you here: you need to configure the Fortinet offline, remove the ASA (in a maintenance window), introduce the Fortinet and do testing. (If there is any issue, collect all the logs, fix it and move forward; if this is critical and, after collecting the logs and troubleshooting, it is still not working, the ASA is still available in place to roll back.)
But what is the 'best' way to transform the current tunnel in the Cisco router is my question.
I explained what we do; it is the best way that worked for me. (I am also thinking you can build 2 tunnels, one for the ASA and one for the Fortinet, but the local subnets are the same, which is a limitation.) But if that option is available for you, I can support; it has been a long time since I touched an 891 router.
And I think that the FortiConverter isn't a good tool that helps with migrating VPN tunnels from ASA to Fortigate.
Sure, understood. No migration tool can give a 100% like-for-like shift; there we need to do some manual intervention to fix.
I have not come across any cross-vendor tool, including Cisco's, that does a 100% lift-and-shift of the config without any adjustment (my experience).
Hope that helps you.
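The question asks how to swap the crypto map entry, and the accepted answer describes the staged cutover (configure the new side first, cut over in a maintenance window, keep the ASA available for rollback). The following Cisco IOS configuration is an added example of that procedure on the router side; it is not from the original post or from either vendor's documentation. The Fortigate peer address, the new pre-shared key and the transform-set name AES256_SHA256 are placeholders, and the `set pfs group14` line is an assumption that must match whatever PFS setting is configured on the Fortigate phase 2.

```cisco
! Added example (not the original poster's config). Placeholders:
! <FORTIGATE_PUBLIC_IP>, <ASA_PUBLIC_IP>, FORTI_PSK_PLACEHOLDER, AES256_SHA256.
!
! --- Step 1: stage the Fortigate entry before the maintenance window ---
! Traffic still goes to the ASA: crypto map entries are evaluated in sequence
! order, and sequence 1 already matches ACL 100. This is the "same local
! subnets" limitation from the answer above: two entries can reference the
! same ACL, but only the lowest matching sequence ever builds an SA.
!
! Phase 1 reuses 'crypto isakmp policy 2' (AES-128, SHA-1, DH14, PSK); the
! Fortigate phase 1 proposal must match it unless a new policy is added.
crypto isakmp key FORTI_PSK_PLACEHOLDER address <FORTIGATE_PUBLIC_IP>
!
! Phase 2: a new transform set so the Fortigate side can use SHA-256
crypto ipsec transform-set AES256_SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to Fortigate
 set peer <FORTIGATE_PUBLIC_IP>
 set transform-set AES256_SHA256
 set pfs group14
 match address 100
!
! --- Step 2: maintenance window, Fortigate online ---
! Remove the ASA entry (the map stays bound to Dialer1 with sequence 2), then
! tear down the existing SAs so the next packet matching ACL 100 negotiates
! with the Fortigate instead of the ASA.
no crypto map SDM_CMAP_1 1
no crypto isakmp key xxxx address <ASA_PUBLIC_IP>
!
! exec mode:
clear crypto sa peer <ASA_PUBLIC_IP>
clear crypto isakmp
!
! --- Verify ---
! Expect a QM_IDLE phase 1 SA with the Fortigate peer and phase 2
! encaps/decaps counters increasing for 192.168.58.0/24 <-> remote subnets.
show crypto isakmp sa
show crypto ipsec sa peer <FORTIGATE_PUBLIC_IP>
show crypto map
!
! --- Rollback (ASA still in place) ---
! Re-add sequence 1 and the old key, clear SAs again; sequence 1 wins.
crypto isakmp key xxxx address <ASA_PUBLIC_IP>
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x.x.x.x
 set peer <ASA_PUBLIC_IP>
 set transform-set ESP_3DES_SHA
 match address 100
```

Keeping the ACL unchanged is what makes this a one-line cutover (`no crypto map SDM_CMAP_1 1`) with an equally short rollback; the only thing that changes is which peer the interesting traffic negotiates with. Clearing the SAs after the change matters because an IPsec SA already established with the ASA stays valid until its lifetime expires, so without the clear the router would keep sending ACL 100 traffic through the old tunnel.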
03-28-2024 07:48 AM
That should be a simple config; you can manually configure just the tunnel on the Fortinet.
If you are looking at ASA to Fortinet, I used the tool below for one migration and it was good:
03-28-2024 08:51 AM
That is not exactly what I am looking for. I want to know the best way to remove the tunnel to the ASA and configure the tunnel to the Fortigate. How to set up the tunnel on the Fortigate is clear to me. But what is the 'best' way to transform the current tunnel in the Cisco router is my question.
And I think that the FortiConverter isn't a good tool that helps with migrating VPN tunnels from ASA to Fortigate.