April 26, 2018

Cisco :: ASA to FTD Migration Tool

(Last Updated On: 26th January 2018)

 

In this article, I will demonstrate how to leverage the Firepower Management Center (FMC) to covert Adaptive Security Appliance (ASA) configurations to Firepower Threat Defence (FTD) configurations.  Using the ASA to FTD migration tool can save ample amounts of time, especially if you wish to carry over ASA ACLs and NAT rules. Before I get started with the demonstration, it is worth pointing out some important pre-requisites.

Pre-requisites

  • ASA supported versions 9.1 >
  • ASDM supported versions 7.1 >
  • Firepower Management Center versions must be running the same version (See Cisco docs for supported FMC versions: FMC Supported Versions
  • ASA device must be single context
  • Active/Standby pairs are supported but the configuration must come from the active unit, likewise, if your ASA is in a cluster the configuration will come from the master unit

Note: The migration tool does have some limitations, please check the following Cisco document to ensure that this approach is the best for you: Migration Tool Limitations

What you will need to get started

  • ASA with configuration
  • FMC that will host the migration tool
  • Production FMC where you will import the migrated configuration
  • Firepower Threat Defence (FTD) device

Important Note: Do not install the migration tool on the production FMC, the reason being is because the only way you can uninstall this once it has been installed is by re-imaging the FMC

Demonstration

The following demonstration was conducted within a lab environment with the following virtual devices:

  • FMCv KVM (Used for the migration tool)
  • FMCv KVM (Simulating a production FMC)
  • FTDv KVM (Simulating production FTD)
  • Windows 7 Host (Management Machine)
  • Virtual Switch (Allowing connectivity within a broadcast domain)

The following demonstration is based on the topology below

 

I assume from this point on that you have the required devices and are ready to proceed with the migration process.

Install Migration Tool FMC and configure basic device settings

This is the FMC that will be used purely for the migration tool and nothing else.

Enter a new password (This is mandatory)

You can either keep the same IP address settings or configure different settings to match the requirements of your environment

You can change the time settings to manual. If you use an NTP server, DNS settings will be required

 

All other settings that are shown on your screen but not shown on this demonstration are optional and you can leave them blank. You will need to accept the agreement at the bottom of the screen but no license is required

 

Enable the Migration Tool

Using SSH, connect to the FMC that you have selected for the migration tool process and enter the following commands:

sudo su
Enter Administrator password

enableMigrationTool.pl

 

Once the migration tool has successfully installed, return to the FMC GUI to perform the following steps

Upload the ASA config file and start the migration

 

Note: The configuration file can be output in .txt or .cfg format only

Navigate to System > Tools > Import/Export and then click on Upload Package > Choose File and select your ASA config file and press Upload

You will see that Prefilter policy is recommended, this is because it provides L2/L4 inspection of access rules. If you choose to select Access Control Policy, you are telling the FMC that you wish to inspect the ACLs at L7. Option two allows you to select either FastPath or Analyse, select Analyse if your requirement is to have deep packet inspection on those rules, but chances are, if you’re migrating away from ASA and you weren’t doing any L7 inspection, you will more than likely select FastPath.

You can monitor the process by viewing the notifications and tasks in the top right-hand corner of the GUI

Migration Tool Completion Verification

If you are monitoring the taskbar you will see that the FMC notifies you when the migration has completed. You will be able to download the .sfo file along with a migration tool report.

 

 

At this point, if all went well you should be finished with this FMC

Importing .SFO file to the production FMC

Assuming you already have your production FMC fired up and ready to go, access the GUI and navigate to System > Tools > Import/Export and then click on Upload Package > Choose File and select the .SFO file you wish to import

Select the policies you wish to import and then select Import

Resolve any conflicts by replicating how the interfaces were set-up on the ASA, more information can be found on the Cisco documents link I shared at the start of this article.

 

When you have completed conflict resolution, navigate to the taskbar and check the results. Upon successful completion, you can download the report.

Verification that .SFO configuration file was uploaded successfully

You can check the NAT policy and ACL Pre-Filters to see the information that was migrated to your production FMC

Devices > NAT

Policies > Access Control > Prefilter

 

You should now be ready to add your FTD device to your production FMC and further tune you devices, thank you for reading and I hope that you have found this useful.

Previous «
Next »

Security Solutions Consulting Engineer @ Cisco - CCNA R&S/CCNA Security, CCDA & CCNP R&S - Currently working on CCIE Security. Sharing my knowledge and passion for technology. All views are mine and NOT of my company.

Leave a Reply

Subscribe to SYNACK via Email

%d bloggers like this: