For this post, we will be discussing migrating an ASA with FirePOWER services to a Firepower Threat Defense (FTD) image on an ASA 5506-X appliance. At a high level, you reimage the ASA unit with a FTD then use the migration tool (if you have an existing ASA configuration) to import the ASA configuration into the new FTD configuration.
Let’s start with some of the pre-requirements for the re-image process. First, backup the ASA configuration along with the ASA, ASDM, and FirePOWER software. You can do this with a full backup through the ASA ASDM or CLI. Also, backup any license files or keys you may have for the ASA and make sure the ASA’s ROMMON version is 1.1.8 or greater (if not then upgrade it). Secondly, download the FTD boot image and install package software (the file names will vary depending on ASA model). Lastly, make sure you have console access to your ASA unit.
Now let’s go through the ASA to FTD re-image process. You can refer to this link from Cisco for details of this process and I will refer back to it throughout this blog: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/reimage/asa-ftd-reimage.html.
Step 1: Reboot the ASA and get into the ROMMON prompt. You can break into ROMMON by pressing ESC when prompted to during the reboot.
Step 2: Setup a TFTP server on your laptop or LAN then while in ROMMON, configure the ASA interface with an IP address that is accessible by the TFTP server. You will use this to load the FTD boot image into the ASA unit. The interface you configure does vary depending on the ASA model, so check the link in the beginning of the section for details.
For this lab, I’m using an ASA 5506-X so it will not allow me to choose an interface. All interface configuration is applied to the management interface. Also, the TFTP server is on my laptop so I set the gateway as the same as the TFTP server address.
Commands in ROMMON to run at this step:
- rommon #0> address <ip address>
- rommon #1> server <tftp server IP address>
- rommon #2> gateway <gateway IP address>
- rommon #3> file <boot image file name>
- rommon #4> set
Step 3: Once the interface is configured, make sure you can ping the TFTP server to verify network connectivity then download the FTD boot image.
Commands in ROMMON to run at this step:
- rommon #5> sync
- rommon #6> tftpdnld
After the ‘tftpdnld’ command is ran the FTD boot image will download and reboot the ASA into the FTD Boot CLI
Step 4: Setup an HTTP or FTP server on your laptop or network for to install the FTD systems install package to the ASA. In the FTD boot CLI, run the ‘setup’ command and it step you through configuring network settings for the install.
Step 5: Once the ASA’s network settings is configured then install the system image using the ‘system install’ command.
Commands for this step:
system install [noconfirm] http://<ip address of tftp server>/<ftd system image file name>
The noconfirm allows you not to respond to confirmation messages from during the install.
The install can take some time so grab a cup of coffee and be prepared to wait. Once the install is done, the ASA will reboot and bring up the FTD CLI prompt.
You have now re-imaged an ASA unit with a FTD image. At this point you can log into the on-box management GUI, Firepower Device Manager (FDM), or you can add the ASA to the Firepower Management Center (FMC) as you would normally add a Firepower device. For this blog, I will be using FDM to manage FTD.
Lastly, let’s confirm we can log into the FDM portal. By default, FTD assigns the management interface for the ASA unit with an IP address of 192.168.45.45 and has DHCP server enabled on it. You can plug your laptop into the management port and receive an IP address on that subnet.
Browse to https://192.168.45.45 and log into FDM with the default username and password, admin/Admin123.
After you log into FDM, you will be prompted to change the password and accept the EULA. It will then run you through a wizard for initial configuration.
For the last part of this blog, we will look (at high-level overview) into the ASA to FTD configuration migration tool. If you have an existing ASA configuration that you need to migrated to FTD, you can use this tool to help migrate some of the ASA configuration to FTD. There are some caveats to this and we will discuss them in a moment after we go over the migration process.
For the configuration migration, you will first want to back up the ASA configuration file in a .cfg or .txt format first then make sure the ASA code level is at least on 9.1 version and ASDM on version 7.1. The migration tool is a feature you enable on a Firepower Management Console (FMC) VM, which should not be a Production FMC since it only allows to use the migration tool features. If it is done a production VM, the FMC will require a re-image to be able to in order to un-install the migration tool. Make sure the migration tool is the same major and minor release as the production FMC that you will import the configuration into. For example, if your FMC is running 6.2.0.2 then the version of FMC that the migration tool is running on needs to be 6.2.0.2 as well. You will then run the ASA configuration file through migration tool and download the .sfo file, then import that into the Production FMC. You can use the imported configuration to set up an Access Control Policy to apply to the FTD device.
Now to the caveats and limitation of what ASA configuration parameters the tool converts. Here is a list of what ASA configurations the tool supports:
- Extended access rules
- Twice NAT statements
- Object NAT statements
- Network objects/groups and service objects/groups that are associated with extended access rules and NAT statements which the tool coverts
Here is a list of the tool’s limitations:
- It migrates only ASA configurations. It does not migrate FirePOWER services configuration, these policies will have to be migrated manually.
- It can support up to 2000000 total access rules, if there is more ACEs than what is stipulated then the migration will fail.
- It will migrate ACLs that are applied to interfaces only. You can check on which ACLs are applied to interfaces by running a ‘show run access-group’ command.
- The tool only coverts objects that are used in ACLs that are applied to interfaces and NAT statements migrated. It does not migrated objects alone.
- It does not migrate EtherType or WebType ACLs, ACEs that use host address name aliases (defined by the ‘name’ command), and ACEs that use default service objects.
- It will covert, but disable ACEs that include the following: time-range objects, Fully-qualified domain names (FQDN), Local users or user groups, Security group (SGT) objects, and Nested service groups for both source and destination ports. It disables these rules since FTD does not have an equivalent functionality for these parameters. For a disabled rule, you can edit it to meet supported FTD configuration.
As you can see the FTD migration tool will aid you in migrating an existing ASA configuration to an FTD deployment. Keep in mind that it will not convert everything in the ASA configuration and there will be at some manual migration, but the tool will save you some time and provide you with a good starting point for your migration!
source: egroupcloud.com