For this post, we will be discussing migrating an ASA with FirePOWER services to a Firepower Threat Defense (FTD) image on an ASA 5506-X appliance. At a high level, you reimage the ASA unit with a FTD then use the migration tool (if you have an existing ASA configuration) to import the ASA configuration into the new FTD configuration.

Let’s start with some of the pre-requirements for the re-image process. First, backup the ASA configuration along with the ASA, ASDM, and FirePOWER software. You can do this with a full backup through the ASA ASDM or CLI. Also, backup any license files or keys you may have for the ASA and make sure the ASA’s ROMMON version is 1.1.8 or greater (if not then upgrade it). Secondly, download the FTD boot image and install package software (the file names will vary depending on ASA model). Lastly, make sure you have console access to your ASA unit.

Now let’s go through the ASA to FTD re-image process. You can refer to this link from Cisco for details of this process and I will refer back to it throughout this blog: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html.

Step 1: Reboot the ASA and get into the ROMMON prompt. You can break into ROMMON by pressing ESC when prompted to during the reboot.

Step 2: Setup a TFTP server on your laptop or LAN then while in ROMMON, configure the ASA interface with an IP address that is accessible by the TFTP server.  You will use this to load the FTD boot image into the ASA unit.  The interface you configure does vary depending on the ASA model, so check the link in the beginning of the section for details.

For this lab, I’m using an ASA 5506-X so it will not allow me to choose an interface. All interface configuration is applied to the management interface. Also, the TFTP server is on my laptop so I set the gateway as the same as the TFTP server address.

Commands in ROMMON to run at this step:

  • rommon #0> address <ip address>
  • rommon #1> server <tftp server IP address>
  • rommon #2> gateway <gateway IP address>
  • rommon #3> file <boot image file name>
  • rommon #4> set

Step 3: Once the interface is configured, make sure you can ping the TFTP server to verify network connectivity then download the FTD boot image.

Commands in ROMMON to run at this step:

  • rommon #5> sync
  • rommon #6> tftpdnld

 After the ‘tftpdnld’ command is ran the FTD boot image will download and reboot the ASA into the FTD Boot CLI

Step 4: Setup an HTTP or FTP server on your laptop or network for to install the FTD systems install package to the ASA. In the FTD boot CLI, run the ‘setup’ command and it step you through configuring network settings for the install.

Step 5: Once the ASA’s network settings is configured then install the system image using the ‘system install’ command.

Commands for this step:

system install [noconfirm] http://<ip address of tftp server>/<ftd system image file name>

The noconfirm allows you not to respond to confirmation messages from during the install.

The install can take some time so grab a cup of coffee and be prepared to wait. Once the install is done, the ASA will reboot and bring up the FTD CLI prompt.

You have now re-imaged an ASA unit with a FTD image. At this point you can log into the on-box management GUI, Firepower Device Manager (FDM), or you can add the ASA to the Firepower Management Center (FMC) as you would normally add a Firepower device. For this blog, I will be using FDM to manage FTD.

Lastly, let’s confirm we can log into the FDM portal. By default, FTD assigns the management interface for the ASA unit with an IP address of 192.168.45.45 and has DHCP server enabled on it. You can plug your laptop into the management port and receive an IP address on that subnet.

Browse to https://192.168.45.45 and log into FDM with the default username and password, admin/Admin123.

After you log into FDM, you will be prompted to change the password and accept the EULA. It will then run you through a wizard for initial configuration.

For the last part of this blog, we will look (at high-level overview) into the ASA to FTD configuration migration tool. If you have an existing ASA configuration that you need to migrated to FTD, you can use this tool to help migrate some of the ASA configuration to FTD. There are some caveats to this and we will discuss them in a moment after we go over the migration process.

For the configuration migration, you will first want to back up the ASA configuration file in a .cfg or .txt format first then make sure the ASA code level is at least on 9.1 version and ASDM on version 7.1. The migration tool is a feature you enable on a Firepower Management Console (FMC) VM, which should not be a Production FMC since it only allows to use the migration tool features. If it is done a production VM, the FMC will require a re-image to be able to in order to un-install the migration tool. Make sure the migration tool is the same major and minor release as the production FMC that you will import the configuration into. For example, if your FMC is running 6.2.0.2 then the version of FMC that the migration tool is running on needs to be 6.2.0.2 as well. You will then run the ASA configuration file through migration tool and download the .sfo file, then import that into the Production FMC. You can use the imported configuration to set up an Access Control Policy to apply to the FTD device.

Now to the caveats and limitation of what ASA configuration parameters the tool converts. Here is a list of what ASA configurations the tool supports:

  • Extended access rules
  • Twice NAT statements
  • Object NAT statements
  • Network objects/groups and service objects/groups that are associated with extended access rules and NAT statements which the tool coverts

Here is a list of the tool’s limitations:

  • It migrates only ASA configurations. It does not migrate FirePOWER services configuration, these policies will have to be migrated manually.
  • It can support up to 2000000 total access rules, if there is more ACEs than what is stipulated then the migration will fail.
  • It will migrate ACLs that are applied to interfaces only. You can check on which ACLs are applied to interfaces by running a ‘show run access-group’ command.
  • The tool only coverts objects that are used in ACLs that are applied to interfaces and NAT statements migrated. It does not migrated objects alone.
  • It does not migrate EtherType or WebType ACLs, ACEs that use host address name aliases (defined by the ‘name’ command), and ACEs that use default service objects.
  • It will covert, but disable ACEs that include the following: time-range objects, Fully-qualified domain names (FQDN), Local users or user groups, Security group (SGT) objects, and Nested service groups for both source and destination ports. It disables these rules since FTD does not have an equivalent functionality for these parameters. For a disabled rule, you can edit it to meet supported FTD configuration.

As you can see the FTD migration tool will aid you in migrating an existing ASA configuration to an FTD deployment. Keep in mind that it will not convert everything in the ASA configuration and there will be at some manual migration, but the tool will save you some time and provide you with a good starting point for your migration!

 

source: egroupcloud.com

R1
—————–
(config)#crypto pki certificate map CAMP 1
#issuer-name co talebi

(config)# default crypto ikev2 proposal
(config)# crypto ikev2 proposal default
# encryption aes-cbc-256
# integrity sha256
# group 14

(config)# default crypto ikev2 policy

(config)# crypto ikev2 profile IKEV2-Profile
# identity local dn
# match certificate CMAP
# authentication remote rsa-sig
# authentication local rsa-sig
# pki trustpoint Trusted-cA
# virtual-template 1

(config)# default crypto ipsec transform-set

(config)# crypto ipsec transform-set default esp-gcm 256

(config)# default crypto ipsec profile
(config)# crypto ipsec profile default
(config)# set ikev2-profile IKEV2-Profile
(config)# interface virtual-template 1 type tunnel
#ip unnumbered loop 0
#tunnel source eth0/0
#tunnel mode ipsec ipv4
#tunnel protection ipsec profile default
#ip ospf 1 area 0

R2
—————–
(config)#crypto pki certificate map CAMP 1
#issuer-name co talebi

(config)# default crypto ikev2 proposal
(config)# crypto ikev2 proposal default
# encryption aes-cbc-256
# integrity sha256
# group 14

(config)# default crypto ikev2 policy

(config)# crypto ikev2 profile IKEV2-Profile
# identity local dn
# match certificate CMAP
# authentication remote rsa-sig
# authentication local rsa-sig
# pki trustpoint Trusted-cA

(config)# default crypto ipsec transform-set

(config)# crypto ipsec transform-set default esp-gcm 256

(config)# default crypto ipsec profile
(config)# crypto ipsec profile default
(config)# set ikev2-profile IKEV2-Profile

(config)# interface Tunnel0
#ip unnumbered loop 0
#tunnel source eth0/0
#tunnel destination 15.0.0.1
#tunnel mode ipsec ipv4
#tunnel protection ipsec profile default
#ip ospf 1 area 0

Verify your tunnel
—————-
#show crypto engine connections active
#show crypto ikev2 sa

Troubleshooting

—————-

show crypto ikev2 stats
show crypto ikev2 stats exchange
show crypto ikev2 proposal
show crypto ipsec profile
show crypto ipsec sa
show crypto session

-Proposal ==>Dephi Helman Group – Encryption – Integrity
-Policy
-Profile (match), (keyring)

show crypto ikev2 proposal default
show crypto ikev2 policy default
show crypto ikev2 transform-set default
show crypto ipsec profile default

Changing the default proposal

(config)# crypto ikev2 proposal default
(config-ikev2-proposal)# encryption aes-cbc-256
(config-ikev2-proposal)# integrity sha256
(config-ikev2-proposal)# group 2

revert back the default proposal
(config)# default crypto ikev2 proposal

R1–>25.0.0.1
——————–

(config)# crypto ikev2 proposal default
(config-ikev2-proposal)# encryption aes-cbc-256
(config-ikev2-proposal)# integrity sha256
(config-ikev2-proposal)# group 2

(config)# crypto ikev2 keyring Our-keys
# peers R2
# address 25.0.0.2
# identity address 25.0.0.2
# pre-shared-key local cisco123
# pre-shared-key remote cisco 123

(config)# crypto ikev2 profile default
# match identity remote address 25.0.0.2
# identity local address 25.0.0.1
# authentication local pre-share
# authentication remote pre-share
# keyring local Our-keys
# lifetime 7200

(config)# crypto ipsec transform-set default esp-gcm 256

(config)# crypto ipsec profile default
#set pfs group20

(config)# int tunnel 5
#tunnel mode ipsec ipv4
#ip unnumbered loop 0
# tunnel source e0/0
# tunnel destination 25.0.0.2
# tunnel protection ipsec profile default

R2–>25.0.0.2
——————–

(config)# crypto ikev2 proposal default
(config-ikev2-proposal)# encryption aes-cbc-256
(config-ikev2-proposal)# integrity sha256
(config-ikev2-proposal)# group 2

(config)# crypto ikev2 keyring Our-keys
# peers R1
# address 25.0.0.1
# identity address 25.0.0.1
# pre-shared-key local cisco123
# pre-shared-key remote cisco 123

(config)# crypto ikev2 profile default
# match identity remote address 25.0.0.1
# identity local address 25.0.0.2
# authentication local pre-share
# authentication remote pre-share
# keyring local Our-keys
# lifetime 7200

(config)# crypto ipsec transform-set default esp-gcm 256

(config)# crypto ipsec profile default
#set pfs group20

(config)# int tunnel 5
#tunnel mode ipsec ipv4
#ip unnumbered loop 0
# tunnel source e0/0
# tunnel destination 25.0.0.1
# tunnel protection ipsec profile default

FlexVPN = IKEV2 + NGE(Next Generation Encryption)
IKEV1 = phase 1 => negotiate
phase 2 => IPSec Tunnel

IKEV2 => Initial neogtiation + IPSec Tunnel
=> proposals, key ring, policy, profile

#show crypto ikev2 proposal default
#show crypto ikev2 policy default

(config)# crypto ikev2 keyring HRT-keyring
peer container1
address 192.168.10.2
identity fqdn r2.test.local
pre-shared-key local cisco
pre-shared-key remote cisco123

(config)# crypto ikev2 profile HRT-profile
match identity remote fqdn r2.test.local
identity local fqdn r1.test.local
authentication local pre-share
authentication remote pre-share
keyring local HRT-keyring

(config)# crypto ipsec profile default
# set ikev2-profile HRT-profile

(config)# int tunnel 3
# tunnel source gi0/0
# tunnel destination 192.168.10.2
# tunnel mode ipsec ipv4
# tunnel protection ipsec profile default


(config)# crypto ikev2 keyring HRT-keyring
peer container1
address 192.168.10.1
identity fqdn r1.test.local
pre-shared-key local cisco123
pre-shared-key remote cisco

(config)# crypto ikev2 profile HRT-profile
match identity remote fqdn r1.test.local
identity local fqdn r2.test.local
authentication local pre-share
authentication remote pre-share
keyring local HRT-keyring

(config)# crypto ipsec profile default
# set ikev2-profile HRT-profile

(config)# int tunnel 3
# tunnel source gi0/0
# tunnel destination 192.168.10.1
# tunnel mode ipsec ipv4
# tunnel protection ipsec profile default

 

#show crypto ikev2 sa

#show crypto engine active connections

Branches with Static VTI
Hub : Dynamic VTI
– ISAKMP Profile
– Key ring with PSKs
– Virtual Template

R1(Hub)

(config)# crypto isakmp policy 1
(config-isakmp)# encr aes 192
(config-isakmp)# authentication pre-share
(config-isakmp)# group 5

(config)# crypto keyring HRT-PSKS
(config-keyrings)# pre-shared-key address 0.0.0.0(remote IP or all) key cisco123

(config)# crypto ipsec transform-set HRT-SET esp-aes 128 esp-md5-hmac

(config)# crypto ipsec profile HRT-IPSEC-PROFILE
(ipsec-profile)# set transform-set HRT-SET

(config)# interface virtual-template 1 type tunnel
(config-if)#tunnel mode ipsec ipv4
(config-if)#tunnel protection ipsec profile HRT-IPSEC-PROFILE

//if the address is 25.0.0.2 then use this template 1
(config)# crypto isakmp profile OUR-IKE-PROFILE
(config-isa-pro)# match identity address 25.0.0.2 255.255.255.255 (0.0.0.0 anything can connect)
(config-isa-pro)#virtual-template 1
(config-isa-pro)#keyring HRT-PSKS

R2 (branch-spoke)
——-
SVTI
(config)# crypto isakmp policy 1
(config-isakmp)# encr aes 192
(config-isakmp)# authentication pre-share
(config-isakmp)# group 5

(config)#crypto isakmp key cisco123 address 0.0.0.0

(config)#crypto ipsec tranform-set HRT esp-aes 128 esp-md5-hmac

(config)#crypto ipsec profile HRT-IPSEC-PROFILE
(ipsec-profile)# set transform-set HRT-SET

(config)#int tunnel 1
(config-if)# tunnel source serial 1/0
(config-if)# tunnel destination 15.0.0.1
(config-if)# tunnel mode ipsec ipv4
(config-if)# tunnel protection ipsec profile HRT-IPSEC-PROFILE

R1

(config)#crypto ipsec tranform-set HRT esp-aes 256 esp-sha-hmac
(cfg-crypto-trans)# mode tunnel

(config)#crypto ipsec profile P2P-PROFILE
(ipsec-profile)# set transform-set HRT

(config)#crypto isakmp policy 15
#encr aes 256
#authentication pre-share
#group 14
(config)#crypto isakmp key cisco123 address 0.0.0.0

(config)#int tunnel 1
(config-if)# tunnel source serial 1/0
(config-if)# tunnel destination 35.0.0.3
(config-if)# tunnel mode ipsec ipv4
(config-if)# tunnel protection ipsec profile P2P-PROFILE

R2

(config)#crypto ipsec tranform-set HRT esp-aes 256 esp-sha-hmac
(cfg-crypto-trans)# mode tunnel

(config)#crypto ipsec profile P2P-PROFILE
(ipsec-profile)# set transform-set HRT

(config)#crypto isakmp policy 15
#encr aes 256
#authentication pre-share
#group 14
(config)#crypto isakmp key cisco123 address 0.0.0.0

(config)#int tunnel 1
(config-if)# tunnel source serial 1/0
(config-if)# tunnel destination 15.0.0.1
(config-if)# tunnel mode ipsec ipv4
(config-if)# tunnel protection ipsec profile P2P-PROFILE

DMVPN IKE Call Admission Control
– To mitigate attack IKE Phase 1 Negotiation

CAC protection
-In Negotiation limit
-SA limit

# show crypto call admission statistics
(config)# crypto call admission limit ike sa 2
(config)# crypto call admission limit ike in-negotiation-sa 10


R1
int tunnel 0
tunnel source gi1/0
tunnel destination mode gre multipoint
tunnel key HRT //should be the same
ip nhrp network-id 1 //should be the same
ip nhrp authentication cisco123 //should be the same
ip nhrp map multicast dynamic
ip nhrp shortcut //phase 3
ip nhrp redirect //phase 3 – we write it in the server
ip address 172.16.0.1 255.255.255.0
tunnel path-mtu-discovery
ip tcp adjust-mss 1360

R2
int tunnel 0
tunnel mode gre multipoint
tunnel source gi 1/0
tunnel key HRT
ip nhrp network-id 1
ip nhrp authentication cisco123
ip nhrp shortcut
ip nhrp nhs 172.16.0.1
ip nhrp map 172.16.0.1 15.0.0.1 //Gre interface then IP interface
ip nhrp map multicast 15.0.0.1
ip address 172.16.0.2 255.255.255.0
ip tcp adjust-mss 1360

R3
int tunnel 0
tunnel mode gre multipoint
tunnel source gi 1/0
tunnel key HRT
ip nhrp network-id 1
ip nhrp authentication cisco123
ip nhrp shortcut
ip nhrp nhs 172.16.0.1
ip nhrp map 172.16.0.1 15.0.0.1 //Gre interface then IP interface
ip nhrp map multicast 15.0.0.1
ip address 172.16.0.3 255.255.255.0
ip tcp adjust-mss 1360

 

Configuring  IPSEC on Each router

R1
————————-
(config)# crypto isakmp policy 5
(config-isakmp)# hash sha
(config-isakmp)# authentication pre-share
(config-isakmp)# group 14
(config-isakmp)# lifetime 86400
(config-isakmp)# encryption aes 256

(config)#crypto isakmp key cisco123 address …..(your device)
(config)#crypto ipsec transform-set OUTSET esp-aes 256 esp-sha-hmac
(cfg-crypto-trans)# mode transport

(config)#crypto ipsec profile OUR_IPSEC_PROFILE
(ipsec-profile)# set transform-set OURSET

(config)#int tunnel 0
(config-if)# tunnel protection ipsec profile OUR_IPSEC_PROFILE

show dmvpn
show crypto isakmp sa detail
show dmvpn peer nbma …..(IP Peer) detail

Troubleshooting

show run int tunnel 0
debug crypto isakmp // debug phase 1
show crypto isakmp policy
show crypto isakmp key
show crypto engine connections active
show dmvpn detail

Configure the Network Settings

  1. On the Sourcefire3D login prompt, use these credentials to log in:For version 5.x
    • Username: admin
    • Password: Sourcefire

    For version 6.x and later

    • Username: admin
    • Password: Admin123

    Tip: You will be able to change the default password in the initial setup process in the GUI.

  2. Initial configuration of the network is done with a script. You need to run the script as a root user. In order to switch to the root user, enter the sudo su – command along with the password Sourcefire or Admin123 (for 6.x).  Exercise caution when logged into the Management Center command line as a root user.
    admin@Sourcefire3D:~$ sudo su -
    Password:
  3. In order to begin the network configuration, enter the configure-network script as root.

    You will be asked to provide a Management IP Address, netmask, and default gateway. Once you confirm the settings, the network service restarts. As a result, the management interface goes  down and then comes back.

Perform Initial Setup

  1. After the network settings are configured, open a web browser and browse to the configured IP via HTTPS (https://192.0.2.2 in this example).  Authenticate the default SSL certificate if prompted. Use these credentials in order to log in:

    For version 5.x

    • Username: admin
    • Password: Sourcefire

    For version 6.x and later

    • Username: admin
    • Password: Admin123
  2. On the screen that follows, all of the GUI configuration sections are optional except for the password change and acceptance of the terms of service.  If the information is known, it is recommended to use the setup wizard in order to simplify the initial configuration of the Management Center. Once configured, click Apply in order to apply the configuration to the Management Center and registered devices.  A brief overview of the configuration options is as follows:
    • Change Password:  Allows you to change the password for the default admin account.  It is required to change the password.
    • Network Settings:  Allows you to modify the previously configured IPv4 and IPv6 network settings for the management interface of the appliance or virtual machine.
    • Time Settings:  It is recommended that you sync the Management Center with a reliable NTP source. The IPS sensors can be configured through system policy to synchronize their time with the Management Center.  Optionally, the time and display time zone can be set manually.
    • Recurring Rule Update Imports:  Enable recurring Snort rule updates and optionally install now during the initial setup.
    • Recurring Geolocation Updates:  Enable recurring geolocation rule updates and optionally install now during the initial setup.
    • Automatic Backups:  Schedule automatic configuration backups.
    • License Settings:  Add the feature license.
    • Device Registration:  Allows you to add, license, and apply initial access control policies to preregistered devices.  The hostname/IP address and registration key should match the IP address and registration key configured on the FirePOWER IPS module.
    • End User License Agreement:  Acceptance of the EULA is required.

  • Source : cisco.com

Simply make a batch file in windows and read from your excel file then convert the your datasheet to fortigate rules. In this code, I converted the excel file with 5 columns to the fortigate policy.

My Excel File:

any,any,ctldl.windowsupdate.com,80/443,Test1
any,any,microsoft.com,80,Test2
any,any,crl.microsoft.com,80,Test3
any,any,ssl.google-analytics.com,443,Test4

My Batch file:

@echo off
setlocal ENABLEDELAYEDEXPANSION

>output-configuration-policy.txt (
echo:config firewall policy
set /a Counter=1

for /f “tokens=1-5 delims=,” %%A IN (C:\Users\rules.txt) DO (

echo edit !counter!
echo set name %%E
echo set srcintf vlan910-1135
echo set dstintf vlan1000-1135
echo set srcaddr %%A
echo set dstaddr %%C
echo set action accept
echo set service “HTTPS” “HTTP”
echo set schedule “always”
echo set logtraffic all
set /a counter=!Counter! + 1
echo next

)

:end
echo:end
)

I have added counter to count from 1 to number of your rules.