Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Migrating ASA Firewall to Firepower Threat Defense with the Firepower Migration Tool

Chapter Title

Migration Tool FAQs

Results

Updated:
November 15, 2021

Chapter: Migration Tool FAQs

Migration Tool FAQs

Firepower Migration Tool Frequently Asked Questions

Q. 

What are the new features supported on the Firepower Migration Tool for Release 2.5?

A. 

The following features are supported with release 2.5:

  • ACL Optimization

  • Wildcard mask

Q. 

What are the new features supported on the Firepower Migration Tool for Release 2.4?

A. 

The following ASA VPN configuration migration to Firepower Threat Defense (FTD):

  • Crypto map (static/dynamic) based VPN from ASA

  • Route-based (VTI) ASA VPN

  • Certificate-based VPN migration from ASA

Q. 

What are the new features supported on the Firepower Migration Tool for Release 2.3.5?

A. 

The following features are supported with release 2.3.5:

  • Virtual Tunnel Interface (VTI) and related configurations in Static routes, ACL.

  • Route-based (VTI) VPN tunnels

Q. 

What are the new features supported on the Firepower Migration Tool for Release 2.3.4?

A. 

The following features are supported with release 2.3.4:

  • VPN Objects

  • Site-to-Site VPN Tunnels

Q. 

What are the source and target platforms that the Firepower Migration Tool can migrate policy?

A. 

The Firepower Migration Tool can migrate policies from supported ASA platform to FTD platform. For more information, see Supported Source ASA Platforms.

Q. 

What are the tasks that you must perform in the Pre-Migration and Post-Migration Reports?

A. 

To perform the tasks as part of your plan for migrating from ASA to Firepower Threat Defense, see Migrating ASA to Firepower Threat Defense 2100 - An Example.

Q. 

What are the supported destination platforms versions?

A. 

You can use the Firepower Migration Tool to migrate an ASA configuration to the standalone or container instance of the Firepower Threat Defense platforms for FMC 6.2.3 or later. For more information on the list of supported devices, see Supported Target Firepower Threat Defense Platforms.

Q. 

What are the features the Firepower Migration Tool supports for migration?

A. 

The Firepower Migration Tool supports migration of L3/L4 ASA configuration to FTD. It also allows enabling L7 features like IPS, file policy, and so on, during the migration process.

The Firepower Migration Tool can fully migrate the following ASA configurations:

  • Network objects and groups (except discontiguous masks)

  • Service objects, except for those service objects configured for a source and destination


    Note
    Though the Firepower Migration Tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.

  • Service object groups, except for nested service object groups,VPN objects, and ASA crypto map VPN migration


    Note
    Since nesting is not supported on the Firepower Management Center, the Firepower Migration Tool expands the content of the referenced rules. The rules however, are migrated with full functionality.

  • IPv4 and IPv6 FQDN objects and groups

  • IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

  • Access rules that are applied to interfaces in the inbound direction and global ACL

  • Auto NAT, Manual NAT, and object NAT (conditional)

  • Static routes, except for those configured with the track option which are partially migrated and ECMP routes which are not migrated

  • Physical interfaces

  • Subinterfaces

  • Port channels

  • Bridge groups (transparent mode only)

  • Tunneling protocol-based access control policy rules (migrated as Prefilter tunnel rules)

  • Category-based rule for CSM managed configurations

  • IP SLA Monitor

  • Object Group Search

  • Time-based Objects

  • VPN objects

  • VTI interfaces

  • Policy-based (Crypto Map) and Route-based (VTI) VPN tunnels

  • Certificate-based VPN migration from ASA to FTD

Q. 

What are the new features supported on the Firepower Migration Tool for Release 2.2?

A. 

The following features are supported with release 2.2:

  • Object Group Search

  • IP SLA Monitor

  • Time-based Objects

Q. 

What are the new features supported on the Firepower Migration Tool for Release 2.0?

A. 

The following features are supported with release 2.0:

  • Destination Zone mapping for Access Rules

  • Prefilter tunnel rules

  • Category-based rules

  • Policy Limit and Capacity Warning

  • ASA 5505 and ASA-SM migration support

Q. 

Is there any dependency on FMC to use the new features introduced in the Firepower Migration Tool?

A. 

Yes. The following features are supported with target FMC 6.5 and later:

  • Migrate tunnel Rules as Prefilter

  • Category-based rules

  • ASA 5505 Migration


    Note
    Requires FMC version 6.5 and later to migrate to target FTD FPR-1010 platform.

The following features are supported with target FMC 6.6 and later:

  • Object Group Search

  • IP SLA Monitor

  • Time-based Objects

  • VPN Objects

  • Site-to-Site VPN Tunnels

The following features are supported with target FMC 6.7 and later:

  • VTI interface and the related static routes.

  • Route-based (VTI) Pre-Shared Key authentication type VPN configuration to Firepower Management Center.

  • Create routed security zone, add VTI interfaces, and then define access control rules for the decrypted traffic control over VTI tunnel.

Q. 

Can we migrate all the access rules in the source configuration to the Prefilter policy?

A. 

No. For migrations that are opted with Migrate Tunnel rules as Prefilter, the Firepower Migration Tool identifies tunneling protocol-based access rules and migrates them as tunnel rules.

Q. 

What are the features the Firepower Migration Tool does not migrate today?

A. 

The Firepower Migration Tool does not support the following ASA configurations for migration. If these configurations are supported in Firepower Management Center, you can configure them manually after the migration is complete.

  • SGT-based access control policy rules

  • SGT-based objects

  • User-based access control policy rules

  • NAT rules that are configured with the block allocation option

  • Objects with unsupported ICMP type and code

  • Tunneling protocol-based access control policy rules

  • NAT rules that are configured with SCTP

  • NAT rules that are configured with host ‘0.0.0.0’

  • Tunneling protocol-based access control policy rules (supported from Firepower Migration Tool 2.0 with target FMC 6.5 and later)

  • Dynamic Crypto map based VPN

  • Certificate authentication based VPN configuration

For more information, see Guidelines and Limitations for ASA Configurations.

Q. 

What are the supported source devices and code version?

A. 

You can use the Firepower Migration Tool to migrate the configuration from single or multi-context ASA platforms (software version 8.4 or later). For more information on the list of devices, see Supported Source ASA Platforms.

Q. 

Does the Firepower Migration Tool support migration of multi-context ASA?

A. 

Yes. The Firepower Migration Tool can handle migration of multi-context ASA. At any given point in time, one can migrate one context of the ASA (except for System context) to either FTD container or native instances on the target FMC.

Q. 

What is the support mechanism if there are migration errors?

A. 

The Firepower Migration Tool is integrated with Cisco Success Network. If there are errors or issues, contact Cisco TAC. For troubleshooting, see Troubleshooting Migration Issues.

Q. 

How much time does the Firepower Migration Tool take to successfully migrate a configuration?

A. 

The time that is taken during migration depends on numerous factors like latency on network, load on FMC, config size, number of objects, ACL, and so on. In internal testing, it was observed that a config file of 2.0 MB with 7000+ Access Control List, 7000+ NAT Translations, and 3000+ Network Objects takes around 6 minutes to successfully complete the migration.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco