Cisco :: ASA to FTD Migration Tool
In this article, I will demonstrate how to leverage the Firepower Management Center (FMC) to covert Adaptive Security Appliance (ASA) configurations to Firepower Threat Defence (FTD) configurations. Using the ASA to FTD migration tool can save ample amounts of time, especially if you wish to carry over ASA ACLs and NAT rules. Before I get started with the demonstration, it is worth pointing out some important pre-requisites.
- ASA supported versions 9.1 >
- ASDM supported versions 7.1 >
- Firepower Management Center versions must be running the same version (See Cisco docs for supported FMC versions: FMC Supported Versions
- ASA device must be single context
- Active/Standby pairs are supported but the configuration must come from the active unit, likewise, if your ASA is in a cluster the configuration will come from the master unit
Note: The migration tool does have some limitations, please check the following Cisco document to ensure that this approach is the best for you: Migration Tool Limitations
What you will need to get started
- ASA with configuration
- FMC that will host the migration tool
- Production FMC where you will import the migrated configuration
- Firepower Threat Defence (FTD) device
Important Note: Do not install the migration tool on the production FMC, the reason being is because the only way you can uninstall this once it has been installed is by re-imaging the FMC
The following demonstration was conducted within a lab environment with the following virtual devices:
- FMCv KVM (Used for the migration tool)
- FMCv KVM (Simulating a production FMC)
- FTDv KVM (Simulating production FTD)
- Windows 7 Host (Management Machine)
- Virtual Switch (Allowing connectivity within a broadcast domain)
The following demonstration is based on the topology below
I assume from this point on that you have the required devices and are ready to proceed with the migration process.
Install Migration Tool FMC and configure basic device settings
This is the FMC that will be used purely for the migration tool and nothing else.
Enter a new password (This is mandatory)
You can either keep the same IP address settings or configure different settings to match the requirements of your environment
You can change the time settings to manual. If you use an NTP server, DNS settings will be required
All other settings that are shown on your screen but not shown on this demonstration are optional and you can leave them blank. You will need to accept the agreement at the bottom of the screen but no license is required
Enable the Migration Tool
Using SSH, connect to the FMC that you have selected for the migration tool process and enter the following commands:
Enter Administrator password
Once the migration tool has successfully installed, return to the FMC GUI to perform the following steps
Upload the ASA config file and start the migration
Note: The configuration file can be output in .txt or .cfg format only
Navigate to System > Tools > Import/Export and then click on Upload Package > Choose File and select your ASA config file and press Upload
You will see that Prefilter policy is recommended, this is because it provides L2/L4 inspection of access rules. If you choose to select Access Control Policy, you are telling the FMC that you wish to inspect the ACLs at L7. Option two allows you to select either FastPath or Analyse, select Analyse if your requirement is to have deep packet inspection on those rules, but chances are, if you’re migrating away from ASA and you weren’t doing any L7 inspection, you will more than likely select FastPath.
You can monitor the process by viewing the notifications and tasks in the top right-hand corner of the GUI
Migration Tool Completion Verification
If you are monitoring the taskbar you will see that the FMC notifies you when the migration has completed. You will be able to download the .sfo file along with a migration tool report.
At this point, if all went well you should be finished with this FMC
Importing .SFO file to the production FMC
Assuming you already have your production FMC fired up and ready to go, access the GUI and navigate to System > Tools > Import/Export and then click on Upload Package > Choose File and select the .SFO file you wish to import
Select the policies you wish to import and then select Import
Resolve any conflicts by replicating how the interfaces were set-up on the ASA, more information can be found on the Cisco documents link I shared at the start of this article.
When you have completed conflict resolution, navigate to the taskbar and check the results. Upon successful completion, you can download the report.
Verification that .SFO configuration file was uploaded successfully
You can check the NAT policy and ACL Pre-Filters to see the information that was migrated to your production FMC
Devices > NAT
Policies > Access Control > Prefilter
You should now be ready to add your FTD device to your production FMC and further tune you devices, thank you for reading and I hope that you have found this useful.