Configure the Secure Firewall Migration Tool for ASA Migration

Available Languages

Download Options

  • PDF     (2.8 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (3.1 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.5 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 19, 2022
Document ID:218120

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the procedure to migrate Cisco Adaptive Security Appliance (ASA) to Cisco Firepower.

    Contributed by Ricardo Vera, Cisco TAC Engineer.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of Cisco Firewall Threat Defense (FTD) and Adaptive Security Appliance (ASA).

    Components Used

    The information in this document is based on these software and hardware versions:

    • Windows PC with Firepower Migration Tool (FMT) v3.0.1
    • Adaptive Security Appliance (ASA) v9.16.1
    • Secure Firewall Management Center (FMCv) v7.0.1
    • Secure Firewall Threat Defense Virtual (FTDv) v7.0.1

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Specific requirements for this document include:

    • Cisco Adaptive Security Appliance (ASA) Version 8.4 or later
    • Secure Firewall Management Center (FMCv) Version 6.2.3 or later

    The Firewall Migration Tool supports this list of devices:

    • Cisco ASA (8.4+)
    • Cisco ASA (9.2.2+) with FPS
    • Check Point (r75-r77)
    • Check Point (r80)
    • Fortinet (5.0+)
    • Palo Alto Networks (6.1+)

    Before you proceed with the migration, please consider the Guidelines and Limitations for the Firewall Migration Tool.

    Configure

    Network Diagram

    Topology - Migration Tool

    Configuration Steps

    1. Download the most recent Firepower Migration Tool from Cisco Software Central:

    Firepower Migration Tool software download

    1. Click the file you previously downloaded to your computer.

    Select Firepower application

    Note: The program opens up automatically and a console auto generates content on the directory where you ran the file.

    Console directory

    End User License Agreement

    1. After you run the program, it opens up a web browser that displays the “End User License Agreement”.
      1. Mark the check box to accept terms and conditions.
      2. Click Proceed.

    Firepower Migration Tool user log in

    1. Log in to the migration tool.
      1. You can either log in with the CCO account or with the local default account.
        1.       Local default account credentials are: admin/Admin123

    Secure Firewall Vendor selection

    1. Select the Source Firewall to migrate.
      1. In this example, Cisco ASA (8.4+) is used as a source.

    Extract information

    1. Select the extraction method to be used to get the configuration.
      1. Manual Upload requires you to upload the Running Config file of the ASA in “.cfg” or “.txt” format.
      2. Connect to the ASA to extract configurations directly from the firewall.

    Configuration summary

    Note: For this example, connect directly to the ASA.

    1. A summary of the configuration found on the firewall is displayed as a dashboard, please click Next.

    FMCIP Address

    1. Select the target FMC to use on the migration.
      1. Provide the IP of the FMC.
        1.       It opens a pop-up window where it prompts you for the log in credentials of the FMC.

    Select Target and configuration

    1. (Optional) Select the Target FTD you want to use.
      1. If you choose to migrate to an FTD, select the FTD you want to use.
      2. If you do not want to use an FTD you can fill the check box Proceed without FTD

    Start Conversation

    1. Select the configurations you want to migrate, options are displayed on the screenshots.

    Download Report

    1. Start the conversion of the configurations from ASA to FTD.

    Pre-Migration Report

    1. Once the conversion finishes, it displays a dashboard with the summary of the objects to be migrated (restricted to compatibility).
      1. You can optionally click on Download Report to receive a summary of the configurations to be migrated.

    Map ASA Interfaces

    Pre-Migration report example, as shown in the image:

    Map Security Zones and Interface Groups

    1. Map the ASA interfaces with the FTD interfaces on the Migration Tool.

    Security Zones and Interface Groups auto-created16

    1. Create the Security Zones and Interface Groups for the interfaces on the FTD

    Validate configuration

    Security Zones (SZ) and Interface Groups (IG) are auto-created by the tool, as shown in the image:

    Push Configuration

    1. Review and validate the configurations to be migrated on the Migration Tool.
      1. If you have already finished the review and optimization of the configurations, click Validate.

    Push in progress

    1. If the validation status is successful, push the configurations to the target devices.

    Validation status

    Example of configuration pushed through the migration tool, as shown in the image:

    Deploy

    Example of a successful migration, as shown in the image:

    Complete Migration

    1. (Optional) If you selected to migrate the configuration to an FTD, it requires a deployment to push the available configuration from the FMC to the firewall, in order to deploy the configuration:
      1. Log in to the FMC GUI.
      2. Navigate to the Deploy tab.
      3. Select the deployment to push configuration to the firewall.
      4. Click Deploy.

    Deploy tab selected

    Troubleshoot

    This section provides information you can use to troubleshoot your configuration.

    Verify the logs in the directory where the Firepower Migration Tool File was placed, for example:

    Firepower_Migration_Tool_v3.0.1-7373.exe/logs/log_2022-08-18-21-24-46.log

    Revision History

    Revision Publish Date Comments
    2.0
    19-Sep-2022
    Initial Release.
    1.0
    07-Sep-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Ricardo Vera
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products