Configure FTD from ASA Configuration File with Firepower Migration Tool

Available Languages

Download Options

  • PDF     (2.3 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.3 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (2.2 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:February 8, 2022
Document ID:217668

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes an example of Adaptive Security Appliance (ASA) to Firepower Threat Defense (FTD) migration on FPR4145.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Basic knowledge of ASA
    • Knowledge of Firepower Management Center (FMC) and FTD

    Components Used

    The information in this document is based on these software and hardware versions:

    • ASA Version 9.12(2)
    • FTD Version 6.7.0
    • FMC Version 6.7.0
    • Firepower Migration Tool version 2.5.0

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Export the ASA configuration file in .cfg or .txt format. FMC must be deployed with FTD registered under it.

    Configure

    1. Download the Firepower Migration Tool from software.cisco.com as shown in the image.

    Cisco Software Download Page - FMT

    2. Review and verify the requirements for the Firepower Migration Tool section.

    3. If you are planning to migrate a large configuration file, configure sleep settings so the system does not go to sleep during a migration push.

    3.1. For Windows, navigate to Power Options in the Control Panel. Click Change Plan Settings next to your current power plan and then toggle Put the computer to sleep to Never. Click Save Changes.

    3.2. For MAC, navigate to  System Preferences > Energy Saver. Tick the box next to Prevent the Computer from Sleeping Automatically when the display is off and drag the Turn Display Off after slider to Never.

    Note: This warning, dialog pops up when MAC users try to open the downloaded file. Ignore this and follow Step 4.1.

    Warning Pop Up on MAC

    4.1. For MAC - Use the terminal and run these commands:

    MAC Terminal Commands

    MAC Terminal Output

    4.2. For Windows - double-click the Firepower Migration Tool in order to launch it in a Google Chrome browser.

    5. Accept the license as shown in the image:

    End User License Agreement - FMT

    6. On the login page of the Firepower Migration Tool, click the login with Cisco Connection Online (CCO) link in order to log in to your Cisco.com account with your single-sign-on credentials.

    Note: If you do not have a Cisco.com account, create it on the Cisco.com login page. Log in with these default credentials: Username—admin and Password—Admin123.

    Redirection to Cisco Login Page

    7. Choose the source configuration. In this scenario, it is Cisco ASA (8.4+).

    Source Firewall Vendor Dropdown

    8. Choose Manual Upload if you do not have connectivity to the ASA. Otherwise, you can retrieve the running configuration from the ASA and enter the management IP and login details. In this scenario, a manual upload was performed.

    Extracting ASA Configuration

    Note: This error is seen if the file is not supported. Ensure to change the format to plain text. (Error is seen despite having extension .cfg.)

    File Type Warning

    ASA Configuration File (.cfg file type)

    9. After the file is uploaded, the elements are parsed providing a summary as shown in the image:

    Summary of the Parsed Configuration

    10. Enter the FMC IP and login credentials to which the ASA configuration is to be migrated. Ensure that the FMC IP is reachable from your workstation.

    Connect to FMC

    FMC Login Credentials

    11. Once the FMC is connected, the managed FTDs under it are displayed.

    FTDs Managed under FMC

    12. Choose the FTD to which you want to perform the migration of the ASA configuration.

    Target FTD Selection

    Note: It is recommended to choose the FTD device, else interfaces, routes, and site-to-site VPN configuration must be done manually.

    FTD Device Selection Recommendation

    13. Choose the features required to be migrated as shown in the image:

    Features Available for Migration

    14. Choose Start Conversion in order to initiate the pre-migration which populates the elements pertaining to FTD configuration.

    Pre-Migration Selection

    15. Click Download Report seen previously in order to view the Pre-Migration Report which is as shown in the image:

    Pre-Migration Report

    16. Map ASA interfaces to FTD interfaces as required as shown in the image:

    Mapping Interfaces

    17. Assign security zones and interface groups to the FTD interfaces.

    Assigning Security Zone and Interface Groups

    17.1. If the FMC has security zones and interface groups already created, you can choose them as needed:

    Selecting Existing Security Zone

    17.2. If there is a need to create security zones and an Interface group, click Add SZ & IG as shown in the image:

    Creating New Security Zone and Interface Groups

    17.3. Otherwise, you can proceed with the option Auto-Create which creates security zones and interface groups with the name ASA logical interface_sz and ASA logical interface_ig respectively.

    Auto-Create for New Security Zone and Interface Groups

    Mapping Security Zone and Interface Groups

    18. Review and validate each of the FTD elements created. Alerts are seen in red as shown in the image:

    Review and Validate the FTD Elements

    19. The migration actions can be chosen as shown in the image if you want to edit any rule. FTD features of adding files and IPS policy can be done at this step.

    Additional Actions

    Note: If File Policies already exist in the FMC, they are populated as shown in the image. The same holds true for IPS policies along with the default policies.

    File Policy Selection

    Log configuration can be done for the required rules. Syslog server configuration existing on the FMC can be chosen at this stage.

    Logging Configuration

    The rule actions chosen are highlighted accordingly for each rule.

    Rule Action Highlights

    20. Similarly, Network Address Translation (NAT), Network Objects, Port Objects, Interfaces, Routes, VPN Objects, Site-to-Site VPN Tunnels, and other elements as per your configuration can be reviewed step by step.

    Note: Alert is notified as shown in the image in order to update the pre-shared key since it does not get copied in the ASA configuration file. Navigate to Actions > Update Pre-Shared Key in order to enter the value.

    Updating Pre-Shared Key

    Entering Pre-Shared Key

    21. Finally, click the Validate icon at the bottom right of the screen as shown in the image:

    Validate Icon

    22. Once the validation is successful, click Push Configuration as shown in the image:

    Validation Status

    Push in Progress

    Push in Progress

    23. Once the migration is successful, the message that is displayed is shown in the image.

    Migration Completion

    Note: If the migration is unsuccessful, click Download Report in order to view the Post-migration report.

    Report Download

    Verify

    Use this section in order to confirm that your configuration works properly.

    Validation on the FMC:

    1. Navigate to Policies > Access Control > Access Control Policy > Policy Assignment in order to confirm that the selected FTD is populated.

    ACP Assignment to FTD on FMC

    Note: The migration access control policy has a name with the prefix FTD-Mig-ACP. If no FTD was selected earlier, the FTD must be selected on the FMC.

    2. Push the policy to the FTD. Navigate to Deploy > Deployment > FTD Name > Deploy  as shown in the image:

    Pushing the Deployment

    Known Bugs Related to the Firepower Migration Tool

    • Cisco bug ID CSCwa56374 - FMT tool hangs on zone mapping page with error with high memory utilization
    • Cisco bug ID CSCvz88730 - Interface push failure for FTD Port-channel Management interface type
    • Cisco bug ID CSCvx21986 - Port-Channel migration to Target Platform - Virtual FTD is not supported
    • Cisco bug ID CSCvy63003 - Migration Tool must disable the interface feature if FTD is already part of the Cluster
    • Cisco bug ID CSCvx08199 - ACL needs to split when the application reference is more than 50

    Related Information

    Revision History

    Revision Publish Date Comments
    4.0
    08-Feb-2022
    Updated known Bugs and References
    3.0
    07-Feb-2022
    Added known Bugs and References.
    2.0
    04-Feb-2022
    Software Version Update
    1.0
    02-Feb-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Poornima Krishnan
      Cisco TAC Engineer
    • Carol Dsouza
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products