Cisco Defense Orchestrator

Migrating an ASA Configuration to an FTD Template

CDO helps you migrate your Adaptive Security Appliance (ASA) to a Firepower Threat Defense (FTD) device. CDO provides a wizard to help you migrate these elements of the ASA's running configuration to an FTD template: 

  • Interfaces

  • Routes

  • Access Control Rules (ACLs)

  • Network Address Translation (NAT) rules

  • Network objects and network group objects

    • Note: CDO does not support object names with reserved keywords. Rename such objects by adding the suffix "ftdmig" to their names.

  • Service objects and service group objects

  • Site-to-Site VPN

Note: Any unreferenced objects or object-groups in the configuration are dropped and marked as unused during the migration.
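A pre-migration check for the note above, as an added example that is not Cisco's code or part of CDO: it lists objects and object-groups in an ASA running configuration that nothing else uses, so you can review them before the wizard drops them. The function name, the sample configuration and the definition of "referenced" used here are assumptions; CDO's own criteria may differ.

```python
import re

DEF_RE = re.compile(r"^(object|object-group)\s+(network|service)\s+(\S+)")

# Constructed sample of an ASA running configuration (not from a real device).
SAMPLE_CONFIG = """\
object network WEB-SRV
 host 10.1.1.10
object network OLD-PRINTER
 host 10.1.9.20
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object service HTTPS-ALT
 service tcp destination eq 8443
object-group network DMZ-HOSTS
 network-object object WEB-SRV
object-group service LEGACY-PORTS tcp
 port-object eq 23
access-list OUTSIDE_IN extended permit object HTTPS-ALT any object-group DMZ-HOSTS
object network INSIDE-NET
 nat (inside,outside) dynamic interface
"""

# Assumption: a name is "referenced" if it appears as a whole token outside
# its own definition block, or if its block holds a nat line (object NAT).
def unreferenced_objects(config_text):
    """Return sorted (kind, name) pairs that nothing else in the config uses."""
    defined, referenced, current = {}, set(), None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        m = DEF_RE.match(line)
        if m:
            current = m.group(3)
            defined[current] = f"{m.group(1)} {m.group(2)}"
            continue
        if not line[0].isspace():
            current = None           # a top-level command ends the object body
        tokens = line.split()
        if current and tokens[0] == "nat":
            referenced.add(current)  # object NAT uses its enclosing object
        referenced.update(t for t in tokens if t != current)
    return sorted((kind, name) for name, kind in defined.items()
                  if name not in referenced)

if __name__ == "__main__":
    for kind, name in unreferenced_objects(SAMPLE_CONFIG):
        print(f"unreferenced: {kind} {name}")
```

Objects reported here are candidates only: confirm each one against the ASA before deleting it or relying on it being absent from the FTD template.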

Once these elements of the ASA running configuration have been migrated to an FTD template, you can apply the FTD template to a new FTD device that is managed by CDO. The FTD device adopts the configurations defined in the template, so the FTD is then configured with some aspects of the ASA's running configuration.

Other elements of the ASA running configuration are not migrated using this process. Those other elements are represented in the FTD template by empty values. When the template is applied to an FTD, we apply the values we migrated to the new FTD and ignore the empty values. The new FTD retains whatever other default values it has. The elements of the ASA running configuration that we did not migrate need to be recreated on the FTD outside the migration process.

See Migrating ASA to Firepower Threat Defense Using Cisco Defense Orchestrator for a full explanation of the process of migrating an ASA to an FTD using CDO.