Tags: ASA, Cisco, FirePOWER, Firepower Threat Defense, Firewall, FTD
How to Migrate an ASA with FirePOWER
Services to a FTD Image on an ASA 5506-X?
How to Migrate ASA to FTD?
At a high level, you reimage the ASA unit with an FTD image and then, if you have an existing ASA configuration, use the migration tool to import that configuration into the new FTD deployment.
Let's start with the prerequisites for the reimage process.
1. First, back up the ASA configuration along with the ASA, ASDM and FirePOWER software images. You can do this with a full backup through ASDM or the CLI. Also back up any license files or activation keys you have for the ASA, and make sure the ASA's ROMMON version is 1.1.8 or greater (if not, upgrade it before you start).
2. Second, download the FTD boot image and the FTD system install package (the file names vary by ASA model). Verify both files against the checksums published on the download page before you use them: you are about to boot the firewall from these files over TFTP and HTTP, so a corrupted or tampered copy is the last thing you want loaded.
3. Lastly, make sure you have console access to the ASA unit; the whole reimage is driven from the console.
Now let's go through the ASA to FTD reimage process. You can refer to this link from Cisco for the details of this process, and I will refer back to it throughout this blog:
https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html
Step 1: Reboot the ASA and get into the ROMMON prompt. You can break into ROMMON by pressing ESC when prompted during the reboot.
Step 2: Set up a TFTP server on your laptop or LAN. Then, while in ROMMON, configure the ASA interface with an IP address from which the TFTP server is reachable. You will use this to load the FTD boot image onto the ASA unit. Which interface you configure varies by ASA model, so check the link at the beginning of this section for details.
For this lab I'm using an ASA 5506-X, which does not let me choose an interface: the address configuration is always applied to the management interface. Also, because the TFTP server is on my laptop, which is directly connected, I set the gateway to the TFTP server's address.
Commands in ROMMON to run at this step:
 rommon #0> address <ip address>
 rommon #1> server <tftp server IP address>
 rommon #2> gateway <gateway IP address>
 rommon #3> file <boot image file name>
 rommon #4> set
Step 3: Once the interface is configured, ping the TFTP server from the ROMMON prompt ('ping <tftp server IP address>') to verify network connectivity, then save the settings and download the FTD boot image.
Commands in ROMMON to run at this step:
 rommon #5> sync
 rommon #6> tftpdnld
After the 'tftpdnld' command is run, the FTD boot image downloads and the ASA reboots into the FTD boot CLI.
Step 4: Set up an HTTP or FTP server on your laptop or network to serve the FTD system install package to the ASA. In the FTD boot CLI, run the 'setup' command; it steps you through configuring the network settings used for the install.
Step 5: Once the ASA's network settings are configured, install the system image with the 'system install' command.
Command for this step:
system install [noconfirm] http://<ip address of http server>/<ftd system install package file name>
The optional noconfirm keyword suppresses the confirmation prompts during the install, so you do not have to answer them. Note that the package is fetched from the HTTP (or FTP) server you set up in Step 4, not from the TFTP server used for the boot image.
The install can take some time, so grab a cup of coffee and be prepared to wait. Once the install is done, the ASA reboots and brings up the FTD CLI login prompt.
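As an added example (not part of the original post, and not Cisco's tooling), here is a Python pre-flight script for Steps 2 to 5. It refuses to stage a boot image or install package whose SHA-512 does not match the checksum copied from the Cisco download page, serves only the staged directory over HTTP from the laptop, and renders the ROMMON and 'system install' command lines for the lab addresses. The file names, addresses and manifest digests in it are constructed placeholders; the real names depend on the ASA model and the real digests come from the download page. The ROMMON 'ping' used to verify reachability is included in the rendered sequence on the assumption that your ROMMON offers it.

```python
"""Pre-flight for the ASA to FTD reimage (Steps 2 to 5): refuse to serve a boot
image or install package whose SHA-512 does not match the published checksum,
then serve the verified files over HTTP from the laptop.
Added example; not Cisco's tooling."""
import functools
import hashlib
import hmac
import http.server
from pathlib import Path

# Constructed stand-ins for the two downloads. Real file names depend on the
# ASA model, and the real digests come from the Cisco download page.
SAMPLE_IMAGES = {
    "ftd-boot-example.lfbff": b"constructed boot image bytes",
    "ftd-example.pkg": b"constructed install package bytes",
}
SAMPLE_MANIFEST = {name: hashlib.sha512(data).hexdigest()
                   for name, data in SAMPLE_IMAGES.items()}


def verify_bytes(data: bytes, expected_sha512: str) -> bool:
    """True only if the SHA-512 of data equals the published digest."""
    actual = hashlib.sha512(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha512.strip().lower())


def stage_images(staging_dir, images: dict, manifest: dict) -> list:
    """Write verified images into staging_dir; return the names refused.

    A file with no manifest entry or a mismatching digest is never written,
    so the HTTP server below can only ever hand out verified bytes.
    """
    staging = Path(staging_dir)
    staging.mkdir(parents=True, exist_ok=True)
    refused = []
    for name, data in images.items():
        expected = manifest.get(name)
        if expected is None or not verify_bytes(data, expected):
            refused.append(name)
            continue
        (staging / name).write_bytes(data)
    return refused


def rommon_commands(asa_ip, tftp_ip, gateway_ip, boot_image):
    """ROMMON sequence for Steps 2 and 3. On the ASA 5506-X the address is
    applied to the management interface, so there is no `interface` command;
    the gateway equals the TFTP server when the server is the directly
    connected laptop. The `ping` line is assumed to exist in your ROMMON."""
    return [
        f"address {asa_ip}",
        f"server {tftp_ip}",
        f"gateway {gateway_ip}",
        f"file {boot_image}",
        "set",
        f"ping {tftp_ip}",
        "sync",
        "tftpdnld",
    ]


def system_install_command(http_ip, package, noconfirm=True):
    """The FTD boot CLI command for Step 5, pointing at the HTTP server."""
    flag = "noconfirm " if noconfirm else ""
    return f"system install {flag}http://{http_ip}/{package}"


def serve(staging_dir, bind_ip, port=80):
    """Serve only the staging directory, bound to the lab-facing address."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler,
                                directory=str(staging_dir))
    with http.server.ThreadingHTTPServer((bind_ip, port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    import tempfile
    staging = tempfile.mkdtemp(prefix="ftd-staging-")
    tampered = {**SAMPLE_IMAGES, "ftd-example.pkg": b"tampered bytes"}
    print("refused:", stage_images(staging, tampered, SAMPLE_MANIFEST))
    print("\n".join(rommon_commands("192.168.1.2", "192.168.1.1",
                                    "192.168.1.1", "ftd-boot-example.lfbff")))
    print(system_install_command("192.168.1.1", "ftd-example.pkg"))
    # serve(staging, "192.168.1.1")  # uncomment on the laptop; needs port 80
```

Run it once with the real files and the digests from the download page in SAMPLE_IMAGES and SAMPLE_MANIFEST; anything listed as refused must not be served. Binding the server to the lab-facing address rather than 0.0.0.0 keeps the install package off whatever other networks the laptop is attached to.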
You have now reimaged an ASA unit with an FTD image. At this point you can log into the on-box management GUI, Firepower Device Manager (FDM), or you can add the device to the Firepower Management Center (FMC) as you would normally add a Firepower device. For this blog I will be using FDM to manage FTD.
Lastly, let's confirm we can log into the FDM portal. By default, FTD assigns the management interface of the ASA unit the IP address 192.168.45.45 and runs a DHCP server on it. You can plug your laptop into the management port and receive an address on that subnet. Browse to https://192.168.45.45 and log into FDM with the default username and password, admin/Admin123.
After you log into FDM, you will be prompted to change the password and accept the EULA. It will then run you through a wizard for the initial configuration. Do the password change before the management port is connected to anything other than your laptop: the default credentials are published in Cisco's documentation, and the management DHCP server will hand an address to whatever is plugged in.
For the last part of this blog, we will look (at a high level) at the ASA to FTD configuration migration tool. If you have an existing ASA configuration that you need to migrate to FTD, you can use this tool to migrate some of the ASA configuration. There are some caveats, which we will discuss after we go over the migration process.
For the configuration migration, first back up the ASA configuration to a .cfg or .txt file, then make sure the ASA is running at least version 9.1 and ASDM at least version 7.1. The migration tool is a feature you enable on a Firepower Management Center (FMC) virtual machine. This must not be a production FMC: once the migration tool is enabled, that FMC can only be used for the migration tool, and the only way to remove the tool is to reimage the FMC. Make sure the FMC running the migration tool is on the same major and minor release as the production FMC you will import the configuration into. For example, if your production FMC is running 6.2.0.2, the FMC running the migration tool needs to be 6.2.0.2 as well. You then run the ASA configuration file through the migration tool, download the resulting .sfo file and import it into the production FMC. You can use the imported configuration to build an Access Control Policy to deploy to the FTD device.
Now to the caveats and limitations: what ASA configuration the tool actually converts. Here is the list of what the tool supports:
 - Extended access rules
 - Twice NAT statements
 - Object NAT statements
 - Network objects/groups and service objects/groups that are referenced by the extended access rules and NAT statements the tool converts
Here is the list of the tool's limitations:
 - It migrates only the ASA configuration. It does not migrate the FirePOWER Services configuration; those policies have to be migrated manually.
 - It supports up to 2,000,000 access rules in total. If there are more ACEs than that, the migration fails.
 - It migrates only ACLs that are applied to interfaces. You can check which ACLs are applied to interfaces with the 'show run access-group' command.
 - It converts only objects that are used in the migrated ACLs and NAT statements. It does not migrate objects on their own.
 - It does not migrate EtherType or WebType ACLs, ACEs that use host address aliases (defined by the 'name' command), or ACEs that use default service objects.
 - It converts, but disables, ACEs that include any of the following: time-range objects, fully qualified domain names (FQDN), local users or user groups, security group (SGT) objects, and nested service groups for both source and destination ports. It disables these rules because FTD has no equivalent functionality for these parameters. You can edit a disabled rule afterwards to fit what FTD supports.
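Rather than discover these limitations in the migration tool's output, it is worth auditing the ASA running-config against them beforehand. The following Python script is an added example (not part of the original post, and not Cisco's migration tool): it parses a constructed sample running-config, reports which ACLs the tool will skip (EtherType/WebType, or not bound with access-group), which ACEs it will drop (host aliases from the 'name' command), and which it will convert but disable (time-range, FQDN objects, local users or user groups, SGT objects, nested service groups). The sample config is invented for the example; the keyword list follows the limitations above, and default service objects are not detected.

```python
"""Pre-migration audit of an ASA running-config against the ASA-to-FTD
migration tool's documented limitations. Example code, not Cisco's tool."""
from collections import defaultdict

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
name 10.1.1.5 webserver
object network cisco-fqdn
 fqdn v4 cisco.com
object network dmz-web
 host 10.1.1.5
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
object-group service ALL-WEB
 group-object WEB-PORTS
time-range WORKHOURS
 periodic weekdays 8:00 to 18:00
access-list OUTSIDE_IN extended permit tcp any object dmz-web eq 443
access-list OUTSIDE_IN extended permit tcp any host webserver eq 80
access-list OUTSIDE_IN extended permit tcp any object cisco-fqdn eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-list INSIDE_IN extended permit tcp any any eq 80 time-range WORKHOURS
access-list INSIDE_IN extended permit tcp any any object-group ALL-WEB
access-list INSIDE_IN extended permit ip user LOCAL\\bob any any
access-list INSIDE_IN extended permit ip any any
access-list LEGACY extended permit ip any any
access-list L2 ethertype permit ipx
access-list VPN webtype permit url https://intranet.example.com
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
access-group L2 in interface outside
"""

# ACE keywords the tool converts but leaves disabled.
DISABLE_KEYWORDS = {
    "time-range": "time-range object",
    "user": "local user",
    "user-group": "local user group",
    "object-group-user": "user group object",
    "security-group": "security group (SGT)",
    "object-group-security": "security group (SGT) object",
}


def parse_config(text):
    """Collect aliases, FQDN objects, nested service groups, ACLs, bindings."""
    aliases, fqdn_objects, nested_groups, applied = set(), set(), set(), set()
    acls = defaultdict(list)   # ACL name -> [(kind, full line)]
    current = None             # (object type, object name) being parsed
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = None     # back at top level; sub-commands are indented
        tokens = raw.split()
        head = tokens[0]
        if head == "name" and len(tokens) >= 3:
            aliases.add(tokens[2])
        elif head == "object" and len(tokens) >= 3:
            current = (tokens[1], tokens[2])
        elif head == "object-group" and len(tokens) >= 3:
            current = ("group-" + tokens[1], tokens[2])
        elif head == "fqdn" and current and current[0] == "network":
            fqdn_objects.add(current[1])
        elif head == "group-object" and current and current[0] == "group-service":
            nested_groups.add(current[1])
        elif head == "access-list" and len(tokens) >= 3:
            acls[tokens[1]].append((tokens[2], raw.strip()))
        elif head == "access-group" and len(tokens) >= 2:
            applied.add(tokens[1])
    return aliases, fqdn_objects, nested_groups, acls, applied


def audit_ace(line, aliases, fqdn_objects, nested_groups):
    """Return (verdict, reasons) for one extended ACE."""
    tokens = line.split()[3:]  # drop "access-list NAME extended"
    if any(tok in aliases for tok in tokens):
        return "dropped", ["uses a host alias from the `name` command"]
    reasons = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in DISABLE_KEYWORDS:
            reasons.append(DISABLE_KEYWORDS[tok])
        elif tok == "object" and nxt in fqdn_objects:
            reasons.append("FQDN object " + nxt)
        elif tok == "object-group" and nxt in nested_groups:
            reasons.append("nested service group " + nxt)
    return ("disabled" if reasons else "migrated"), reasons


def audit(text):
    """Map each ACL to its migration status and per-ACE verdicts."""
    aliases, fqdn_objects, nested_groups, acls, applied = parse_config(text)
    report = {}
    for name, entries in acls.items():
        kinds = {kind for kind, _ in entries}
        if "ethertype" in kinds or "webtype" in kinds:
            report[name] = {"status": "skipped", "reason": "EtherType/WebType ACL", "aces": []}
        elif name not in applied:
            report[name] = {"status": "skipped", "reason": "not bound with access-group", "aces": []}
        else:
            aces = [(line,) + audit_ace(line, aliases, fqdn_objects, nested_groups)
                    for kind, line in entries if kind == "extended"]
            report[name] = {"status": "migrated", "reason": "", "aces": aces}
    return report


def summary(report):
    """Count ACE verdicts and skipped ACLs for a quick go/no-go view."""
    counts = {"migrated": 0, "disabled": 0, "dropped": 0, "skipped_acls": 0}
    for entry in report.values():
        if entry["status"] == "skipped":
            counts["skipped_acls"] += 1
        for _, verdict, _ in entry["aces"]:
            counts[verdict] += 1
    return counts


if __name__ == "__main__":
    rep = audit(SAMPLE_CONFIG)
    for name, entry in rep.items():
        print(f"{name}: {entry['status']} {entry['reason']}")
        for line, verdict, reasons in entry["aces"]:
            print(f"  [{verdict:8}] {line}" + (f"  <- {', '.join(reasons)}" if reasons else ""))
    print(summary(rep))
```

Feed it the 'show running-config' output you backed up and the dropped and disabled lines are exactly the ones you will have to rebuild by hand in the Access Control Policy; the skipped ACLs tell you which rule sets the tool will not even look at.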
As you can see, the FTD migration tool will aid you in migrating an existing ASA configuration to an FTD deployment. Keep in mind that it will not convert everything in the ASA configuration and there will be some manual migration, but the tool will save you some time and give you a good starting point for your migration!
Info from https://egroupcloud.com/migrating-asa-ftd/