A. 

The Firepower Migration Tool can migrate policies from supported ASA platform to FTD platform. For more information, see Supported Source ASA Platforms.

A. 

To perform the tasks as part of your plan for migrating from ASA to Firepower Threat Defense, see Plan for Migration.

A. 

You can use the Migration Tool to migrate an ASA configuration to the standalone or container instance of the Firepower Threat Defense platforms for FMC 6.2.3 or later. For more information on the list of supported devices, see Supported Target Firepower Threat Defense Platforms.

A. 

The Migration Tool supports migration of L3/L4 ASA configuration to FTD. It also allows enabling L7 features like IPS, file policy, and so on. during the migration process.

The Migration Tool can fully migrate the following ASA configurations:

• Network objects and groups (except discontiguous masks)

• Service objects, except for those service objects configured for a source and destination

  Note	Though the tool does not migrate extended service objects (configured for a source and destination), referenced ACL and NAT rules are migrated with full functionality.

• Service object groups, except for nested service object groups

  Note	Since nesting is not supported on the Firepower Management Center, the Migration Tool expands the content of the referenced rules. The rules however, are migrated with full functionality.

• IPv4 and IPv6 FQDN objects and groups

• IPv6 conversion support (Interface, Static Routes, Objects, ACL, and NAT)

• Access rules that are applied to interfaces in the inbound direction and global ACL

• Auto NAT, Manual NAT, and object NAT (conditional)

• Static routes, except for those configured with the track option which are partially migrated and ECMP routes which are not migrated

• Physical interfaces

• Subinterfaces

• Port channels

• Bridge groups (transparent mode only)

A. 

The Migration Tool does not support the following ASA configurations for migration. If these configurations are supported in Firepower Management Center, you can configure them manually after the migration is complete.

• Time-based access control policy rules

• SGT-based access control policy rules

• SGT-based objects

• User-based access control policy rules

• NAT rules that are configured with the block allocation option

• Objects with unsupported ICMP type and code

• Tunneling protocol-based access control policy rules

• NAT rules that are configured with SCTP

• NAT rules that are configured with host ‘0.0.0.0’

For more information, see Guidelines and Limitations for ASA Configurations.

A. 

You can use the Migration Tool to migrate the configuration from single or multi-context ASA platforms (software version 8.4 and above). For more information on the list of devices, see Supported Source ASA Platforms.

A. 

Yes. The Migration Tool can handle migration of Multi-Context ASA. At any given point in time, one can migrate one context of the ASA (except for System context) to either FTD container or native instances on the target FMC.

A. 

The Migration Tool is integrated with Cisco Success Network. In case of errors or issues, contact Cisco TAC. For troubleshooting, see Troubleshooting Migration Issues.

A. 

Yes. The Migration Tool with version 1.3 and above supports Rest API for orchestrating various jobs.

A. 

The time taken during migration depends on numerous factors like latency on network, load on FMC, config size, number of objects, ACL, and so on. In internal testing, it was observed that a config file of 2.0 MB with 7000+ Access Control List, 7000+ NAT Translations, and 3000+ Network Objects takes around 6 minutes to successfully complete the migration.