Supported and unsupported features when migrating an ASA configuration to an FDM-managed device with CDO. Each feature area lists what the migration carries over ("Supported") and what is dropped, blocked, or changed ("Not supported / notes").

Firewall Modes
Supported:
- Routed firewall mode
Not supported / notes:
- Transparent mode configurations cannot be migrated.
Interface Configurations
Supported:
- Physical interfaces
- Subinterfaces
Not supported / notes:
- The FDM-managed device must have at least as many physical interfaces as the ASA interface configurations being migrated.
- Subinterfaces: on migration the subinterface ID is always set to the same number as the VLAN ID.
- The following interface configurations will not be migrated to the FDM-managed device:
EtherChannels
Supported:
- EtherChannels configured on physical interfaces. The member interfaces mapped to EtherChannels are retained during migration.
Not supported / notes:
- Before migrating the configurations, you must create the equivalent number of EtherChannels on the FDM-managed device using CDO. See Add an EtherChannel Interface for an FDM-Managed Device.
- Can only be migrated to Firepower 1000 or 2100 series hardware devices: 1010, 1120, 1140, 1150, 2110, 2120, 2130, 2140.
- You can migrate EtherChannel configurations from ASA 8.4+ to an FDM-managed device running software version 6.5+.
- The EtherChannels created on the FDM-managed device before migration must be of the same type as the EtherChannel being migrated. CDO only migrates EtherChannel to EtherChannel and physical interface to physical interface.
- Member interfaces mapped to EtherChannels in the FDM template are not available to users during the interface mapping step of the migration wizard. They are, however, retained and migrated to their assigned EtherChannels.
Routing
Supported:
- Static routes
Not supported / notes:
- When several static routes share the same destination network, only the one with the lowest metric is migrated; the others are dropped.
- The following route features will not be migrated to the FDM-managed device:
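The two normalisation rules in the interface and routing rows above (the subinterface ID follows the VLAN ID; duplicate static routes keep only the lowest metric), as an added Python example that is not CDO's or Cisco's code. It parses a constructed ASA running-config excerpt; the tie-breaking rule for equal metrics (first route in the config wins) is an assumption, since the table does not say which duplicate survives.

```python
"""Normalisation the ASA-to-FDM migration applies to subinterfaces and static
routes (added example, not CDO code): subinterface IDs follow the VLAN ID, and
duplicate static routes keep only the lowest-metric entry."""
import re

SUBIF_RE = re.compile(r"^interface (\S+)\.(\d+)$")
VLAN_RE = re.compile(r"^\s+vlan (\d+)$")
# route <iface> <net> <mask> <gateway> [metric]; trailing options are ignored.
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?")


def migrated_subinterfaces(config):
    """Return {ASA subinterface name: name after migration}. The migration sets
    the subinterface ID to the VLAN ID, so the name changes whenever they differ."""
    mapping, current = {}, None
    for line in config.splitlines():
        m = SUBIF_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        v = VLAN_RE.match(line)
        if v and current:
            parent, sub_id = current
            mapping[f"{parent}.{sub_id}"] = f"{parent}.{v.group(1)}"
        if not line.startswith(" "):      # left the interface block
            current = None
    return mapping


def migrated_static_routes(config):
    """Return (kept, dropped) static routes. Per destination network only the
    lowest-metric route survives; on equal metrics the first one in the config
    is kept (assumption: the table does not say which duplicate survives)."""
    best, dropped = {}, []
    for line in config.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        _iface, net, mask, _gw, metric = m.groups()
        metric = int(metric) if metric else 1     # ASA default metric is 1
        key = (net, mask)
        if key not in best:
            best[key] = (line, metric)
        elif metric < best[key][1]:
            dropped.append(best[key][0])
            best[key] = (line, metric)
        else:
            dropped.append(line)
    return [line for line, _ in best.values()], dropped


# Constructed ASA running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.100
 vlan 100
 nameif dmz
interface GigabitEthernet0/0.200
 vlan 250
 nameif guest
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 10.1.0.0 255.255.0.0 203.0.113.2 10
route outside 10.1.0.0 255.255.0.0 203.0.113.3 5
route inside 10.1.0.0 255.255.0.0 192.0.2.1 5
route inside 10.2.0.0 255.255.0.0 192.0.2.1
"""

if __name__ == "__main__":
    print(migrated_subinterfaces(SAMPLE_CONFIG))
    kept, dropped = migrated_static_routes(SAMPLE_CONFIG)
    print("kept:", *kept, sep="\n  ")
    print("dropped:", *dropped, sep="\n  ")
```

Run against a real `show running-config`, the dropped list is the set of routes you would have to recreate by hand on the FDM-managed device after migration, and the subinterface map tells you which interface names change in any policy that references them.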
Access Control Rules (ACLs)
Supported:
- Enabled access control rules
- Source and destination objects
- CDO supports the actions Allow, Trust, and Block for FDM-managed devices. During migration, permit and deny actions in the source ASA configuration are mapped to the supported FDM action in CDO.
- Migration of ACLs attached to a policy, an interface, or an access group without an IP protocol
- ACEs with unencrypted L3 tunnel protocols
Not supported / notes (the following ACL features will not be migrated to the FDM-managed device):
- ACLs with mixed IPv4 and IPv6 protocols (not supported by CDO or Firepower Device Manager)
- Logging severity-level information
- Inactive or disabled rules
- ACEs with a service object or service group containing protocols other than TCP, UDP, or ICMP
- ACEs with non-TCP/UDP service objects
- Non-TCP/UDP protocols in ACEs with inline objects
- ACEs with a time-range
- Access lists not mapped to an access group
Network Address Translation (NAT) Rules
Not supported / notes (the following NAT rule features will not be migrated to the FDM-managed device):
- PAT pool
- Unidirectional
- Inactive
- With twice NAT, the use of destination service objects for destination port (service) translation (including service objects that specify both source and destination)
- Destination port translation
- NAT46, NAT64
Note: CDO does not support a network object with 0.0.0.0/32.
Service Objects and Service Group Objects
Supported:
- Service objects and nested groups. See Supported Protocols on CDO for the list of protocols in service objects that CDO supports.
Not supported / notes:
- The protocols BCC-RCC-MON and BBN-RCC-MON are not supported.
- Operators such as less than, greater than, and not equal to are not supported.
- Object-group nesting
Network Objects and Network Group Objects
Supported:
- Network objects and network group objects
Not supported / notes:
- The following network objects or network groups are unsupported:
ICMP Types
Supported:
- ICMP types
Not supported / notes (the following ICMP types are unsupported):
- ICMP-based service object entries with an invalid ICMP type and/or code
- Service-type or ICMP-type objects without a code for the ICMPv4 or ICMPv6 type
- Any ICMP type unassigned by IANA, or an invalid ICMP type
Miscellaneous Unsupported Objects
Not supported / notes:
- The following miscellaneous objects are unsupported:
Site-to-Site VPN
Supported:
- Phase 1 and Phase 2 proposals for both IKEv1 and IKEv2
- Perfect Forward Secrecy (PFS) for both IKEv1 and IKEv2
- Crypto access list with nested object-group
- Crypto map with multiple peer IPs
- Both IKEv1 and IKEv2 used for a tunnel in a crypto map
Not supported / notes (the following site-to-site VPN features are not supported):
- VPN-Filter
- vpn-idle-timeout
- isakmp keepalive threshold 10 retry 10
- Crypto Map VPNMAP 200 set security-association lifetime seconds 360
- set security-association lifetime kilobytes unlimited
- set security-association lifetime seconds 3600
- Certificate authentication
- Dynamic crypto map
- Route-based VPN (virtual tunnel interface)
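A pre-migration audit covering the firewall-mode, ACL, NAT, network-object and site-to-site VPN rows above, as an added Python example that is not CDO's or Cisco's code. The regexes are this example's reading of the table rather than CDO's own matching logic; the permit-to-Allow and deny-to-Block mapping and the set of inline ACE protocols treated as migratable (stricter than the table, which also allows unencrypted L3 tunnel protocols) are assumptions, and the sample config is constructed.

```python
"""Flag ASA config lines that the ASA-to-FDM migration table says are dropped
or block the migration. Added example, not CDO code; the regexes are this
example's reading of the table, not CDO's matching logic."""
import re

# Inline ACE protocols treated as migratable. Assumption: stricter than the
# table, which also allows unencrypted L3 tunnel protocols.
SUPPORTED_INLINE_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "icmp6"}
ACTION_MAP = {"permit": "Allow", "deny": "Block"}  # assumed action mapping
LOG_LEVELS = (r"(?:[0-7]|emergencies|alerts|critical|errors|warnings|"
              r"notifications|informational|debugging)")
# (regex, bucket, note): "blocks" stops the migration, "dropped" is left
# behind, "info" migrates but not as written.
LINE_CHECKS = [
    (r"^firewall transparent\s*$", "blocks", "transparent firewall mode"),
    (r"^access-list \S+ .*\binactive$", "dropped", "inactive ACE"),
    (r"^access-list \S+ .*\btime-range \S+", "dropped", "ACE with time-range"),
    (rf"^access-list \S+ .*\blog {LOG_LEVELS}\b", "info", "log severity is not migrated"),
    (r"^nat \(.*\).*\bpat-pool\b", "dropped", "NAT rule with PAT pool"),
    (r"^nat \(.*\).*\bunidirectional\b", "dropped", "unidirectional NAT rule"),
    (r"^nat \(.*\).*\binactive\b", "dropped", "inactive NAT rule"),
    (r"^nat \(.*\) source .* destination .* service \S+ \S+", "dropped",
     "twice NAT with destination service (port) translation"),
    (r"^\s*vpn-filter\b", "dropped", "vpn-filter"),
    (r"^\s*vpn-idle-timeout\b", "dropped", "vpn-idle-timeout"),
    (r"^\s*isakmp keepalive\b", "dropped", "isakmp keepalive"),
    (r"\bset security-association lifetime\b", "dropped", "SA lifetime override"),
    (r"^crypto dynamic-map\b", "dropped", "dynamic crypto map"),
    (r"^interface Tunnel\d+", "dropped", "route-based VPN (VTI)"),
    (r"^\s+host 0\.0\.0\.0$", "dropped", "network object 0.0.0.0/32"),
]
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+)(.*)$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def check_ace(line):
    """Classify one extended ACE; returns (bucket, note) or None."""
    m = ACE_RE.match(line)
    if not m:
        return None
    _name, action, proto, rest = m.groups()
    if proto in ("object", "object-group"):
        return ("info", "service object/group: must hold only TCP/UDP/ICMP")
    if proto not in SUPPORTED_INLINE_PROTOCOLS:
        return ("dropped", f"ACE with inline protocol {proto}")
    toks = rest.split()
    has_v4 = any(t == "any4" or IPV4_RE.match(t) for t in toks)
    has_v6 = any(t == "any6" or ":" in t for t in toks)
    if has_v4 and has_v6:
        return ("dropped", "ACE mixing IPv4 and IPv6")
    return ("info", f"{action} -> {ACTION_MAP[action]}")


def audit(config):
    """Return {"blocks": [...], "dropped": [...], "info": [...]} with
    (line_no, text, note) entries for an ASA running-config."""
    findings = {"blocks": [], "dropped": [], "info": []}
    for no, line in enumerate(config.splitlines(), 1):
        hits = [(b, n) for rx, b, n in LINE_CHECKS if re.search(rx, line)]
        if not any(b == "dropped" for b, _ in hits):   # classify live ACEs only
            ace = check_ace(line)
            if ace:
                hits.append(ace)
        for bucket, note in hits:
            findings[bucket].append((no, line.strip(), note))
    return findings


# Constructed ASA running-config excerpt touching each table row (not real).
SAMPLE_CONFIG = """\
firewall transparent
access-list OUT_IN extended permit tcp any host 10.1.1.5 eq 443
access-list OUT_IN extended deny ip any any log warnings
access-list OUT_IN extended permit tcp any any time-range WORKHOURS
access-list OUT_IN extended permit udp any any eq 53 inactive
access-list OUT_IN extended permit ospf any any
access-list OUT_IN extended permit ip any4 any6
object network BOGUS
 host 0.0.0.0
nat (inside,outside) source dynamic any pat-pool POOL
nat (inside,outside) source static SRV SRV_PUB unidirectional
nat (inside,outside) source static SRV SRV_PUB destination static PEER PEER service HTTP HTTP8080
crypto map VPNMAP 200 set security-association lifetime seconds 360
crypto dynamic-map DYN 10 set ikev1 transform-set TS
tunnel-group 198.51.100.7 ipsec-attributes
 isakmp keepalive threshold 10 retry 10
group-policy GP attributes
 vpn-filter value VPNACL
 vpn-idle-timeout 30
interface Tunnel1
"""

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_CONFIG).items():
        for no, text, note in items:
            print(f"{bucket:8} line {no}: {note}")
```

Anything in "blocks" has to be resolved before the wizard will accept the configuration; "dropped" entries are the security-relevant part, since an ACE or NAT rule that silently does not migrate can leave the FDM-managed device more permissive or less reachable than the ASA it replaces, so each one needs an explicit replacement or a documented decision to drop it.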