Introduction
This document describes an example of the migration of an Adaptive Security Appliance (ASA) configuration to Firepower Threat Defense (FTD) on an FPR4145.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Basic knowledge of ASA
- Knowledge of Firepower Management Center (FMC) and FTD
Components Used
The information in this document is based on these software and hardware versions:
- ASA version 9.12(2)
- FTD version 6.7.0
- FMC version 6.7.0
- Firepower Migration Tool version 2.5.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
Export the ASA configuration as a .cfg or .txt file. The FMC must be deployed with the FTD registered under it.
Configure
1. Download the Firepower Migration Tool from software.cisco.com, as shown in the image.
![Cisco Software Download Page - FMT](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-00.png)
2. Review and verify the requirements in the Firepower Migration Tool section.
3. If you plan to migrate a large configuration file, configure the sleep settings so that the system does not go to sleep during the migration push.
3.1. On Windows, navigate to Power Options in the Control Panel. Click Change Plan Settings next to the current power plan and set Put the computer to sleep to Never. Click Save Changes.
3.2. On Mac, navigate to System Preferences > Energy Saver. Check the box next to Prevent computer from sleeping automatically when the display is off, and drag the Turn display off after slider to Never.
Note: When Mac users try to open the downloaded file, this warning dialog pops up. Ignore it and follow step 4.1.
![Warning Pop Up on MAC](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-01.png)
4.1. On Mac, open Terminal and run these commands:
![MAC Terminal Commands](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-02.png)
![MAC Terminal Output](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-03.png)
4.2. On Windows, double-click the Firepower Migration Tool to launch it in a Google Chrome browser.
5. Accept the license, as shown in the image:
![End User License Agreement - FMT](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-04.png)
6. On the Firepower Migration Tool login page, click the Login with Cisco Connection Online (CCO) link to log in to your Cisco.com account with your single sign-on credentials.
Note: If you do not have a Cisco.com account, create one on the Cisco.com login page. Log in with these default credentials: username admin and password Admin123.
![Redirection to Cisco Login Page](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-05.png)
7. Select the source configuration. In this scenario, it is Cisco ASA (8.4+).
![Source Firewall Vendor Dropdown](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-06.png)
8. If you do not have connectivity to the ASA, choose Manual Upload. Otherwise, you can retrieve the running configuration from the ASA by entering its management IP and login details. In this case, a manual upload was performed.
![Extracting ASA Configuration](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-07.png)
Note: This error appears if the file is not supported. Make sure the file is saved as plain text (the error appears even when the file has a .cfg extension).
![File Type Warning](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-08.png)
![ASA Configuration File (.cfg file type)](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-09.png)
9. After the file is uploaded, the elements are parsed and a summary is presented, as shown in the image:
![Summary of the Parsed Configuration](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-10.png)
10. Enter the IP address and login credentials of the FMC to which the ASA configuration is to be migrated. Make sure the FMC IP is reachable from the workstation.
![Connect to FMC](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-11.png)
![FMC Login Credentials](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-12.png)
11. After connecting to the FMC, the FTDs managed under it are displayed.
![FTDs Managed under FMC](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-13.png)
12. Select the FTD to which the ASA configuration is to be migrated.
![Target FTD Selection](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-14.png)
Note: It is recommended to select the FTD device; otherwise, the interface, route and site-to-site VPN configuration must be done manually.
![FTD Device Selection Recommendation](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-15.png)
13. Select the features that need to be migrated, as shown in the image:
![Features Available for Migration](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-16.png)
14. Select Start Conversion to initiate the pre-migration, which populates the elements pertaining to the FTD configuration.
![Pre-Migration Selection](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-17.png)
15. Click Download Report (shown earlier) to view the pre-migration report, as shown in the image:
![Pre-Migration Report](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-18.png)
16. Map the ASA interfaces to the FTD interfaces as required, as shown in the image:
![Mapping Interfaces](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-19.png)
17. Assign Security Zones and Interface Groups to the FTD interfaces.
![Assigning Security Zone and Interface Groups](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-20.png)
17.1. If the FMC already has Security Zones and Interface Groups created, you can select them as required:
![Selecting Existing Security Zone](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-21.png)
17.2. If Security Zones and Interface Groups need to be created, click Add SZ & IG, as shown in the image:
![Creating New Security Zone and Interface Groups](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-22.png)
17.3. Otherwise, you can proceed with the Auto-Create option, which creates Security Zones and Interface Groups named after the ASA logical interface (nameif) with the suffixes _sz and _ig respectively (for example, outside_sz and outside_ig).
![Auto-Create for New Security Zone and Interface Groups](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-23.png)
![Mapping Security Zone and Interface Groups](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-24.png)
18. Review and validate each of the FTD elements created. Alerts are shown in red, as shown in the image:
![Review and Validate the FTD Elements](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-25.png)
19. To edit any rule, select the migration actions, as shown in the image. At this step, FTD features such as adding File and IPS policies can be completed.
![Additional Actions](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-26.png)
Note: If File Policies already exist in the FMC, they are populated, as shown in the image. The same applies to IPS policies and the default policies.
![File Policy Selection](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-27.png)
Logging configuration for the required rules can be completed here. Existing Syslog server configurations on the FMC can be selected at this stage.
![Logging Configuration](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-28.png)
The selected rule action is highlighted accordingly for each rule.
![Rule Action Highlights](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-29.png)
20. Similarly, depending on your configuration, Network Address Translation (NAT), network objects, port objects, interfaces, routes, VPN objects, site-to-site VPN tunnels and other elements can be reviewed step by step.
Note: An alert (shown in the image) prompts you to update the pre-shared key, because it is not copied into the exported ASA configuration file (the ASA masks pre-shared keys as asterisks in show running-config output). Navigate to Actions > Update Pre-Shared Key to enter the value.
![Updating Pre-Shared Key](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-30.png)
![Entering Pre-Shared Key](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-31.png)
21. Finally, click the Validate icon at the bottom right of the screen, as shown in the image:
![Validate Icon](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-32.png)
22. After the validation succeeds, click Push Configuration, as shown in the image:
![Validation Status](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-33.png)
![Push in Progress](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-34.png)
![Push in Progress](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-35.png)
23. After the migration succeeds, the information shown in the image is displayed.
![Migration Completion](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-36.png)
Note: If the migration fails, click Download Report to view the post-migration report.
![Report Download](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-37.png)
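Several of the surprises this procedure can produce (a rejected upload in step 8, a parsed summary in step 9 that does not match what you expected, the red pre-shared-key alert in step 20) can be caught before the file ever reaches the tool. The Python script below is an added example written for this page; it is not part of the Firepower Migration Tool or of Cisco's documentation. It checks that the export is plain text, lists the pre-shared keys that show running-config masked as asterisks, counts the elements the parsed summary should show, and predicts the <nameif>_sz / <nameif>_ig names the Auto-Create option in step 17.3 produces. The embedded ASA configuration is constructed for the example, the element categories it counts are the author's choice, and the zone-name prediction follows the naming pattern described in step 17.3.

```python
"""Pre-flight checks on an exported ASA config before uploading it to the
Firepower Migration Tool. Added example; not part of the Cisco tool."""
from __future__ import annotations
import re
from collections import Counter

# Constructed sample of an ASA running-config export (not from a real device).
SAMPLE_ASA_CONFIG = """\
ASA Version 9.12(2)
hostname asa-lab
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
object network WEB-SRV
 host 10.0.0.10
object-group network DMZ-HOSTS
 network-object host 10.0.1.5
access-list OUTSIDE-IN extended permit tcp any object WEB-SRV eq 443
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
nat (inside,outside) source dynamic INSIDE-NET interface
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.9
tunnel-group 203.0.113.9 type ipsec-l2l
tunnel-group 203.0.113.9 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

MASKED_PSK = re.compile(r"pre-shared-key\s+\*+\s*$")

def is_plain_text(data: bytes) -> bool:
    """The tool rejects non-plain-text files whatever the extension says; UTF-16
    (NUL bytes) and RTF wrappers from a word processor are the usual causes."""
    if b"\x00" in data:
        return False
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return not text.lstrip().startswith("{\\rtf")

def find_masked_psks(config: str) -> list[tuple[int, str]]:
    """Pre-shared keys that `show running-config` masked as asterisks; each must
    be re-entered (Actions > Update Pre-Shared Key) or the config re-exported
    with `more system:running-config`, which prints the keys in clear."""
    return [(n, line.strip()) for n, line in enumerate(config.splitlines(), 1)
            if MASKED_PSK.search(line)]

def nameifs(config: str) -> list[str]:
    """Logical interface names, the units the tool maps to FTD interfaces."""
    return re.findall(r"^\s+nameif (\S+)", config, re.MULTILINE)

def expected_auto_created(config: str) -> dict[str, tuple[str, str]]:
    """Zone/group names Auto-Create derives from each nameif (<nameif>_sz, _ig)."""
    return {n: (f"{n}_sz", f"{n}_ig") for n in nameifs(config)}

def summarize(config: str) -> dict[str, int]:
    """Element counts to compare with the tool's parsed-configuration summary."""
    counts: Counter[str] = Counter()
    tunnel_groups: set[str] = set()
    for line in config.splitlines():
        if re.match(r"^interface \S+", line):
            counts["interfaces"] += 1
        elif line.startswith("object network "):
            counts["network_objects"] += 1
        elif line.startswith("object-group "):
            counts["object_groups"] += 1
        elif line.startswith("access-list ") and " remark " not in line:
            counts["access_list_entries"] += 1
        elif line.startswith("nat "):
            counts["nat_rules"] += 1
        elif line.startswith("route "):
            counts["static_routes"] += 1
        elif line.startswith("crypto map "):
            counts["crypto_map_entries"] += 1
        elif m := re.match(r"^tunnel-group (\S+) ", line):
            tunnel_groups.add(m.group(1))
    counts["tunnel_groups"] = len(tunnel_groups)
    return dict(counts)

def preflight(data: bytes) -> dict:
    """Run every check; 'ok': False means fix the export before uploading."""
    if not is_plain_text(data):
        return {"ok": False, "reason": "not plain text; re-export as .txt or .cfg"}
    config = data.decode("utf-8")
    return {"ok": True, "masked_psks": find_masked_psks(config),
            "auto_created": expected_auto_created(config),
            "summary": summarize(config)}

if __name__ == "__main__":
    import json, sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ASA_CONFIG.encode()
    print(json.dumps(preflight(raw), indent=2))
```

Run it with the path of the exported file as the only argument (or with no argument to use the embedded sample); it prints a JSON report. Every entry under masked_psks has to be supplied by hand in the tool after conversion, or the configuration re-exported with more system:running-config, in which case the file contains the keys in clear and must be handled as a secret rather than as an ordinary attachment.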
Verify
Use this section to confirm that your configuration works properly.
FMC verification:
1. Navigate to Policies > Access Control > Access Control Policy > Policy Assignment to confirm that the selected FTD is populated.
![ACP Assignment to FTD on FMC](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-38.png)
Note: The migrated access control policy has a name with the prefix FTD-Mig-ACP. If the FTD was not selected earlier, it must be selected on the FMC.
2. Push the policy to the FTD. Navigate to Deploy > Deployment > FTD Name > Deploy, as shown in the image:
![Pushing the Deployment](/c/dam/en/us/support/docs/security/adaptive-security-appliance-asa-software/217668-configure-ftd-from-asa-configuration-fil-39.png)
Known Bugs Related to the Firepower Migration Tool
Related Information