Getting Started

Choose the Right Migration Process

There are two methods to migrate Adaptive Security Appliance (ASA) configurations to FDM-managed devices using Cisco Defense Orchestrator (CDO):

  • CDO solution—If you intend to migrate your ASA configurations to FDM-managed devices and manage them with CDO and Firepower Device Manager, use the cloud-based process in CDO to migrate your ASA configurations.

  • On-Premise solution (Firepower Device Manager)—If you intend to migrate your ASA configurations to FDM-managed devices, use the cloud-based process in CDO to migrate your ASA configurations. You can then use the Firepower Device Manager to manage your configuration.

This guide assumes that you have a basic understanding of CDO operations. To learn more, see the CDO Data Sheet.

About the Cisco Defense Orchestrator Migration Process

CDO can help you migrate your Adaptive Security Appliance (ASA) to an FDM-managed device. CDO provides the ASA to FDM Migration wizard to help you migrate your ASA's running configuration to an FDM template.

Note

The show-fdm and enable-asa-to-ftd-migration feature flags must be enabled to view the ASA to FDM Migration option under Tools & Services. Contact TAC to activate the ASA to FDM Migration option if it is unavailable under Tools & Services.

You can migrate the following elements of the ASA's running configuration to an FDM template using the ASA to FDM Migration wizard:

  • Interfaces

  • Routes

  • Access Control Rules (ACLs)

  • Network Address Translation (NAT) rules

  • Network objects and network group objects

    Note

    CDO does not support object names that use reserved keywords. Rename such objects by adding the suffix "ftdmig" to the name.

  • Service objects and service group objects

  • Site-to-Site VPN

CDO migrates only referenced objects. Objects in an access control list that is defined but not applied with an access group are not migrated. Common reasons why CDO fails to migrate certain elements include one or more of the following:

  • ICMP access lists with no ICMP code

  • TCP/UDP access lists with no access group configuration

  • IP access lists not mapped to site-to-site VPN profiles

  • Network objects or groups referenced only by access lists that are not migrated

  • Interfaces that are in the shutdown state

Note

Any unreferenced object or object-group in the configuration is also dropped and marked as unused during the migration. See the Migration Report for information about elements that have not been migrated.

Once these elements of the ASA running configuration have been migrated to the FDM template, you can apply the FDM template to a new FDM-managed device that is managed by CDO. The FDM-managed device adopts the configurations defined in the template, so the FDM-managed device is now configured with some aspects of the ASA's running configuration.

Other elements of the ASA running configuration are not migrated by this process; they are represented in the FDM template by empty values. When the template is applied to the FDM-managed device, we apply the values we migrated to the new device and ignore the empty values, so the new device retains whatever default values it already has for those elements. The elements of the ASA running configuration that we did not migrate must be recreated on the FDM-managed device outside the migration process.

License for the Migration Process

The FDM-managed device migration process is part of CDO and does not require any specific license other than the CDO license.

Guidelines and Limitations

Note

Configurations that are not supported in CDO are dropped during migration as Unsupported and are reported in the Migration Report.

For each feature or function name below, the first part lists what can be migrated and the second part lists the restrictions or limitations of migration.

Firewall Modes

What can be migrated: Routed firewall mode

Restrictions or limitations: Transparent mode configurations cannot be migrated.

Interface Configurations

What can be migrated:

  • Physical interfaces

  • Subinterfaces

Restrictions or limitations:

  • The FDM-managed device must have at least as many physical interfaces as the ASA interface configurations being migrated.

  • Subinterfaces (the subinterface ID is always set to the same number as the VLAN ID on migration)

  • The following interface configurations are not migrated to the FDM-managed device:

    • Secondary VLANs on ASA interfaces

    • Redundant interface

    • Bridge group interface

    • Virtual tunnel interface

EtherChannels

What can be migrated: EtherChannels configured on physical interfaces. The member interfaces mapped to EtherChannels are retained during migration.

Restrictions or limitations:

  • Before migrating the configurations, you must create the equivalent number of EtherChannels on the FDM-managed device using CDO. See Add an EtherChannel Interface for an FDM-Managed Device.

  • EtherChannels can only be migrated to Firepower 1000 or 2100 series hardware devices: 1010, 1120, 1140, 1150, 2110, 2120, 2130, 2140.

  • You can migrate EtherChannel configurations from ASA 8.4+ to an FDM-managed device running software version 6.5+.

  • The EtherChannels created on the FDM-managed device before migration must be of the same type as the EtherChannel being migrated: CDO only migrates EtherChannel to EtherChannel and physical interface to physical interface.

  • Member interfaces mapped to EtherChannels in the FDM template are not available to users during the Interface Mapping step of the migration wizard. However, they are retained and migrated to their assigned EtherChannels.

Routing

What can be migrated: Static routes

Restrictions or limitations:

  • When there are multiple static routes to the same destination network, only the route with the lowest metric value is migrated; the others are dropped.

  • The following route features are not migrated to the FDM-managed device:

    • Tunneled routes

    • Null0 interface routes

    • Static routes with SLA track

Access Control Rules (ACLs)

What can be migrated:

  • Enabled access control rules

  • Source and destination objects

  • CDO supports the Allow, Trust, and Block actions for FDM-managed devices. During the migration, permit and deny actions in the source ASA configuration are handled and mapped to the corresponding supported action for the FDM-managed device on CDO.

  • CDO supports migration of ACLs attached to a policy, an interface, or an access group without an IP protocol.

  • ACEs with unencrypted L3 tunnel protocols

Restrictions or limitations: The following ACL features are not migrated to the FDM-managed device:

  • ACLs with mixed IPv4 and IPv6 protocols (not supported by CDO or Firepower Device Manager)

  • Logging severity-level information

  • Inactive or disabled rules

  • ACEs with a service object or service group that uses non-TCP, UDP, or ICMP protocols

  • ACEs with non-TCP or UDP service objects

  • Non-TCP or UDP protocols in ACEs with inline objects

  • ACEs with a time-range

  • Access lists not mapped to an access group

Network Address Translation (NAT) Rules

What can be migrated:

  • Network object (auto) and twice (manual) NAT or PAT

  • Static NAT

  • Dynamic NAT or PAT

  • Identity NAT

  • Source port (service) translation

Restrictions or limitations: The following NAT rule features are not migrated to the FDM-managed device:

  • PAT pool

  • Unidirectional

  • Inactive

  • With twice NAT, the use of destination service objects for destination port (service) translation (including service objects that have both source and destination)

  • Destination port translation

  • NAT46, NAT64

Note

CDO does not support network objects with 0.0.0.0/32.

Service Objects and Service Group Objects

What can be migrated: Service objects and nested groups

Restrictions or limitations: See Supported IP Protocols on CDO for the list of protocols in service objects that CDO supports.

  • The protocols BCC-RCC-MON and BBN-RCC-MON are not supported.

  • The operators less than, greater than, and not equal to are not supported.

  • Object-group nesting

Network Objects and Network Group Objects

What can be migrated: Network objects and network group objects

Restrictions or limitations: The following network objects or network groups are unsupported:

  • Discontiguous mask based

  • IPv4 addresses whose first octet is '0'

ICMP Types

What can be migrated: ICMP types

Restrictions or limitations: The following ICMP types are unsupported:

  • ICMP-based service object entries with an invalid ICMP type and/or code

  • Service-type or ICMP-type objects without a code for the ICMPv4 or ICMPv6 type

  • Any unassigned (as per IANA) or invalid ICMP type

Miscellaneous Unsupported Objects

What can be migrated: None

Restrictions or limitations: The following miscellaneous objects are unsupported:

  • SGT-based network object-groups

  • User-based network object-groups

Site-to-Site VPN

What can be migrated:

  • Phase 1 and Phase 2 proposals for both IKEv1 and IKEv2

  • Perfect Forward Secrecy (PFS) for both IKEv1 and IKEv2

  • Crypto access list with nested object-group

  • Crypto map with multiple peer IPs

  • Both IKEv1 and IKEv2 used for a tunnel in a crypto map

Restrictions or limitations: The following Site-to-Site VPN features are not supported:

  • VPN-Filter

  • vpn-idle-timeout

  • isakmp keepalive threshold 10 retry 10

  • Crypto Map VPNMAP 200 set security-association lifetime seconds 360

  • set security-association lifetime kilobytes unlimited

  • set security-association lifetime seconds 3600

  • Certificate authentication

  • Dynamic crypto map

  • Route-based VPN (virtual tunnel interface)

For more information on guidelines and limitations, see Guidelines and Limitations for ASA Configurations and Guidelines and Limitations for FDM-managed Devices.
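The drop rules in this guide (unreferenced objects and access lists with no access group, shutdown interfaces, ACEs with a time-range or marked inactive, duplicate static routes where only the lowest metric survives, and network objects whose address starts with octet 0) can be checked before the wizard is run. The script below is an added example, not code from this guide or from CDO; it runs over a constructed ASA running-config (all object, interface, access-list and route values are made up) and is a simplification of the full reference rules (it treats any non-definition line as a reference and only distinguishes bound from unbound ACLs).

```python
from collections import defaultdict

# Constructed sample ASA running-config (not taken from a real device).
ASA_CONFIG = """\
object network WEB_SRV
 host 10.1.1.10
object network BAD_ANY
 host 0.0.0.0
interface GigabitEthernet0/2
 shutdown
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 80 time-range WORKHOURS
access-list OUTSIDE_IN extended deny ip any any inactive
access-list UNBOUND extended permit tcp any object BAD_ANY eq 22
access-group OUTSIDE_IN in interface outside
route outside 192.168.50.0 255.255.255.0 203.0.113.1 1
route outside 192.168.50.0 255.255.255.0 203.0.113.2 10
"""

def lint_asa_config(text):
    """Return (element, reason) pairs for items this guide says the wizard drops."""
    findings, lines = [], text.splitlines()
    bound = {l.split()[1] for l in lines if l.startswith("access-group ")}
    routes = defaultdict(list)  # (dest, mask) -> [(metric, line)]
    ctx = None                  # interface or object currently being defined
    for line in filter(str.split, lines):  # skip blank lines
        t = line.split()
        if t[0] in ("interface", "object"):
            ctx = t[-1]
        elif line == " shutdown":
            findings.append((ctx, "interface is shutdown"))
        elif line.startswith((" host 0.", " subnet 0.")):
            findings.append((ctx, "IPv4 address with first octet 0 (e.g. 0.0.0.0/32)"))
        elif t[0] == "access-list":
            if t[1] not in bound:
                findings.append((line, "access-list not mapped to an access-group"))
            elif "time-range" in t or t[-1] == "inactive":
                findings.append((line, "ACE with time-range or inactive ACE"))
        elif t[0] == "route":
            routes[(t[2], t[3])].append((int(t[5]) if len(t) > 5 else 1, line))
    # Objects survive only if referenced from something migrated (simplified: bound ACLs).
    for name in [l.split()[-1] for l in lines if l.startswith("object")]:
        used = any(name in l.split() and not l.startswith("object") and
                   (not l.startswith("access-list") or l.split()[1] in bound) for l in lines)
        if not used:
            findings.append((name, "unreferenced object, dropped as unused"))
    for (dest, _), entries in routes.items():  # only the lowest-metric route survives
        for _, rl in sorted(entries)[1:]:
            findings.append((rl, f"duplicate static route to {dest}; only the lowest metric is migrated"))
    return findings
```

Run it against the output of show run before uploading the configuration, and compare its findings with the Migration Report afterwards.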

Supported IP Protocols on CDO

The IP Protocols that CDO supports in service objects are as follows:

IP Protocols in Service Objects

1 = ICMP
2 = IGMP
3 = GGP
5 = ST2
6 = TCP
7 = CBT
8 = EGP
9 = IGP
10 = BBNRCCMON
11 = NVP2
12 = PUP
13 = ARGUS
14 = EMCON
15 = XNET
16 = CHAOS
17 = UDP
18 = MUX
19 = DCNMEAS
20 = HMP
21 = PRM
22 = XNSIDP
23 = TRUNK1
24 = TRUNK2
25 = LEAF1
26 = LEAF2
27 = RDP
28 = IRTP
29 = ISOTP4
30 = NETBLT
31 = MFENSP
32 = MERITINP
33 = SEP
34 = THREEPC
35 = IDPR
36 = XTP
37 = DDP
38 = IDPRCMTP
39 = TPPLUSPLUS
40 = IL
42 = SDRP
45 = IDRP
46 = RSVP
48 = MHRP
49 = BNA
50 = ESP
51 = AH
52 = INLSP
53 = SWIPE
54 = NARP
55 = MOBILE
56 = TLSP
57 = SKIP
58 = IPv6-ICMP
59 = IPv6NONXT
62 = CFTP
64 = SATEXPAK
65 = KRYPTOLAN
66 = RVD
67 = IPPC
69 = SATMON
70 = VISA
71 = IPCV
72 = CPNX
73 = CPHB
74 = WSN
75 = PVP
76 = BRSATMON
77 = SUNND
78 = WBMON
79 = WBEXPAK
80 = ISOIP
81 = VMTP
82 = SECUREVMTP
83 = VINES
84 = TTP
85 = NSFNETIGP
86 = DGP
87 = TCF
88 = EIGRP
89 = OSPFIGP
90 = SPRITERPC
91 = LARP
92 = MTP
93 = AX25
94 = IPIP
95 = MICP
96 = SCCSP
97 = ETHERIP
98 = ENCAP
100 = GMTP
101 = IFMPP
102 = PNNI
103 = PIM
104 = ARIS
105 = SCPS
106 = QNX
107 = AN
108 = IPCOMP
109 = SNP
110 = COMPAQPEER
111 = IPXINIP
112 = VRRP
113 = PGM
115 = L2TP
116 = DDX
117 = IATP
118 = ST
119 = SRP
120 = UTI
121 = SMP
122 = SM
123 = PTP
124 = ISIS
125 = FIRE
126 = CRTP
127 = CRUDP
128 = SSCOPMCE
129 = IPLT
130 = SPS
131 = PIPE
132 = SCTP
133 = FC
254 = DIVERT

Best Practices

Follow these best practices when using CDO to migrate an ASA configuration to an FDM template:

  • Ensure that you fetch the running configuration from the ASA device using the show run command when migrating a model device.

  • Review the migration reports for skipped, unsupported, and partially supported configurations.

  • After migration, verify the migrated rules and objects in the FDM template before deploying it to an FDM-managed device.

  • Optimize your ASA policies before migrating them to the FDM template.

  • We recommend that you deploy the migrated ASA configuration to an FDM-managed device that does not have an existing configuration.