Guidelines and Limitations

Note
Configurations that are not supported in CDO will be dropped during migration as Unsupported and will be reported in the Migration Report.

Each entry below gives the feature or function name, what can be migrated, and the restrictions or limitations of migration.

Firewall Modes

What can be migrated:

  • Routed firewall mode

Restrictions or limitations of migration:

  • Transparent mode configurations cannot be migrated.

Interface Configurations

What can be migrated:

  • Physical interfaces

  • Subinterfaces

Restrictions or limitations of migration:

  • The FTD must have at least as many physical interfaces as the ASA interface configurations being migrated.

  • Subinterfaces (the subinterface ID is always set to the same number as the VLAN ID on migration)

  • The following interface configurations will not be migrated to FTD:

    • Secondary VLANs on ASA interfaces

    • Redundant Interface

    • Bridge Group Interface

    • Virtual Tunnel Interface

EtherChannels

What can be migrated:

  • EtherChannels configured on physical interfaces. The member interfaces mapped to EtherChannels are retained during migration.

Restrictions or limitations of migration:

  • Before migrating the configurations, you must create the equivalent number of EtherChannels on the FTD device using CDO. See "Add an EtherChannel Interface for Firepower Threat Defense."

  • EtherChannels can only be migrated to configurations of FTD 1000 or 2100 series hardware devices: 1010, 1120, 1140, 1150, 2110, 2120, 2130, 2140.

  • You can migrate EtherChannel configurations from ASA 8.4+ to FTD version 6.5+.

  • The EtherChannels created on the FTD before migration must be of the same type as the EtherChannel being migrated. CDO only migrates EtherChannel to EtherChannel and physical interface to physical interface.

  • Member interfaces mapped to EtherChannels in the FTD template are not available to users during the Interface Mapping step of the migration wizard. However, they are retained and migrated to their assigned EtherChannels.

Routing

What can be migrated:

  • Static routes

Restrictions or limitations of migration:

  • When there are multiple static routes with the same destination network, only the route with the minimum metric value is migrated and the others are dropped.

  • The following route features will not be migrated to FTD:

    • Tunneled routes

    • Null0 interface routes

    • Static routes with SLA track
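The static-route rules above can be checked before the wizard runs. The following is an added example and not CDO's or Cisco's code: it parses a constructed set of ASA `route` lines (the `route <if_name> <dest> <mask> [<gateway>] [<metric>] [track <id>] [tunneled]` syntax is assumed, with metric 1 as the default), keeps only the lowest-metric route per destination, and reports tunneled, Null0 and SLA-tracked routes as dropped.

```python
"""Added example, not CDO's or Cisco's code: audit ASA static routes against the
migration rules above before running the wizard.  Input is a constructed list of
'route' lines; duplicate destinations keep only the lowest-metric route, and
tunneled, Null0 and SLA-tracked routes are reported as dropped."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StaticRoute:
    interface: str
    network: str            # destination in CIDR form, e.g. "10.10.0.0/16"
    gateway: Optional[str]  # None for Null0 routes, which have no next hop
    metric: int
    tunneled: bool
    tracked: bool
    line: str               # the original configuration line


def parse_route(line: str) -> StaticRoute:
    """Parse one ASA 'route' line.  Assumed syntax:
    route <if_name> <dest> <mask> [<gateway>] [<metric>] [track <id>] [tunneled]
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "route":
        raise ValueError(f"not a static route: {line!r}")
    net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
    gateway = None
    metric = 1              # assumption: ASA uses metric 1 when none is configured
    tunneled = tracked = False
    i = 4
    while i < len(tok):
        t = tok[i]
        if t == "tunneled":
            tunneled = True
        elif t == "track":
            tracked = True
            i += 1          # skip the SLA track id that follows
        elif t.isdigit():
            metric = int(t)
        else:
            gateway = t     # the only other positional token is the next hop
        i += 1
    return StaticRoute(tok[1], str(net), gateway, metric, tunneled, tracked, line)


def audit_routes(config_lines: List[str]) -> Tuple[List[StaticRoute], List[Tuple[StaticRoute, str]]]:
    """Return (routes that migrate, [(dropped route, reason), ...])."""
    kept = {}               # network -> best route seen so far
    dropped = []
    for raw in config_lines:
        line = raw.strip()
        if not line.startswith("route "):
            continue
        r = parse_route(line)
        if r.tunneled:
            dropped.append((r, "tunneled routes are not migrated"))
        elif r.interface.lower() == "null0":
            dropped.append((r, "Null0 interface routes are not migrated"))
        elif r.tracked:
            dropped.append((r, "static routes with SLA track are not migrated"))
        elif r.network not in kept:
            kept[r.network] = r
        elif r.metric < kept[r.network].metric:
            # A lower-metric route for the same destination wins; the earlier one is dropped.
            dropped.append((kept[r.network], f"same destination; metric {r.metric} route kept"))
            kept[r.network] = r
        else:
            dropped.append((r, f"same destination; metric {kept[r.network].metric} route kept"))
    return list(kept.values()), dropped


# Constructed sample configuration (RFC 5737 documentation addresses).
SAMPLE_ASA_ROUTES = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 0.0.0.0 0.0.0.0 203.0.113.2 10
route inside 10.10.0.0 255.255.0.0 192.0.2.1 1
route inside 10.10.0.0 255.255.0.0 192.0.2.2 1 track 1
route dmz 10.20.0.0 255.255.0.0 198.51.100.1 1 tunneled
route Null0 192.0.2.128 255.255.255.128
""".splitlines()

if __name__ == "__main__":
    migrated, dropped = audit_routes(SAMPLE_ASA_ROUTES)
    for r in migrated:
        print(f"MIGRATE  {r.line}")
    for r, why in dropped:
        print(f"DROP     {r.line}  <- {why}")
```

Run against a real configuration by replacing `SAMPLE_ASA_ROUTES` with the `route` lines from `show running-config route`; every line in the DROP list is one the Migration Report would otherwise list as Unsupported.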

Access Control Rules (ACLs)

What can be migrated:

  • Enabled access control rules

  • Source and destination objects

  • CDO supports the Allow, Trust, and Block actions for FTD. During migration, the permit and deny actions in the source ASA configuration are mapped to the supported FTD action in CDO.

  • CDO supports migration of ACLs attached to a policy, interface, or access group without an IP protocol.

  • ACEs with unencrypted L3 tunnel protocols

Restrictions or limitations of migration:

The following ACL features will not be migrated to FTD:

  • ACLs that mix IPv4 and IPv6 protocols (CDO and FDM do not support these)

  • Logging severity-level information

  • Inactive or disabled rules

  • ACEs with a service object or service group containing non-TCP, UDP, or ICMP protocols

  • ACEs with non-TCP or UDP service objects

  • Non-TCP or UDP protocols in ACEs with inline objects

  • ACEs with a time-range

  • Access lists not mapped to an access group
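The ACL rules above lend themselves to the same kind of pre-migration audit. The following is an added example, not CDO's or Cisco's code: it walks the extended ACEs of a constructed ASA fragment, checks each against the access-group bindings, the inactive and time-range flags, the inline protocol and the log severity, and maps permit/deny to an FTD action. The mapping permit to Allow and deny to Block, the treatment of `gre` and `ipinip` as the allowed unencrypted L3 tunnel protocols, and the pass-through of protocol `ip` are assumptions made for the example.

```python
"""Added example, not CDO's or Cisco's code: audit extended ACL entries (ACEs)
and their access-group bindings against the ACL migration rules above.
Input is a constructed ASA configuration fragment."""
from dataclasses import dataclass, field
from typing import List, Set

# Assumption: permit -> Allow and deny -> Block; the table only says permit/deny
# are mapped to the actions CDO supports for FTD.
ACTION_MAP = {"permit": "Allow", "deny": "Block"}
L4_PROTOCOLS = {"tcp", "udp", "icmp", "icmp6"}
TUNNEL_PROTOCOLS = {"gre", "ipinip"}   # assumption: the "unencrypted L3 tunnel protocols" the table allows
ANY_PROTOCOL = {"ip"}                  # assumption: an 'ip' ACE carries no L4 restriction and migrates as-is
LOG_LEVELS = {"emergencies", "alerts", "critical", "errors", "warnings",
              "notifications", "informational", "debugging"}


@dataclass
class AceResult:
    acl: str
    ftd_action: str
    protocol: str
    migrated: bool
    notes: List[str] = field(default_factory=list)
    line: str = ""


def bound_acls(config_lines: List[str]) -> Set[str]:
    """Names of ACLs that an 'access-group' statement attaches to an interface."""
    return {l.split()[1] for l in map(str.strip, config_lines) if l.startswith("access-group ")}


def audit_aces(config_lines: List[str]) -> List[AceResult]:
    bound = bound_acls(config_lines)
    results = []
    for raw in config_lines:
        line = raw.strip()
        tok = line.split()
        if not line.startswith("access-list ") or "extended" not in tok:
            continue                   # standard, remark and webtype entries are out of scope here
        name = tok[1]
        i = tok.index("extended")
        action, proto = tok[i + 1], tok[i + 2].lower()
        res = AceResult(name, ACTION_MAP.get(action, action), proto, True, line=line)
        if name not in bound:
            res.migrated = False
            res.notes.append("access list not mapped to an access-group")
        if "inactive" in tok:
            res.migrated = False
            res.notes.append("inactive rule")
        if "time-range" in tok:
            res.migrated = False
            res.notes.append("ACE with time-range")
        if proto in ("object", "object-group"):
            # The protocol lives inside a service object; only TCP/UDP/ICMP entries migrate.
            res.notes.append(f"verify service object {tok[i + 3]} holds only TCP, UDP or ICMP entries")
        elif proto not in L4_PROTOCOLS | TUNNEL_PROTOCOLS | ANY_PROTOCOL:
            res.migrated = False
            res.notes.append(f"non-TCP/UDP/ICMP protocol '{proto}' in inline ACE")
        if "log" in tok:
            j = tok.index("log")
            if j + 1 < len(tok) and tok[j + 1] in LOG_LEVELS:
                res.notes.append(f"log severity '{tok[j + 1]}' is dropped (rule itself migrates)")
        results.append(res)
    return results


# Constructed sample configuration fragment.
SAMPLE_ASA_ACL = """\
access-list OUTSIDE_IN extended permit tcp any object WEB_SRV eq 443 log informational
access-list OUTSIDE_IN extended permit udp any object DNS_SRV eq 53
access-list OUTSIDE_IN extended permit tcp any object MAIL_SRV eq 25 time-range BUSINESS_HOURS
access-list OUTSIDE_IN extended deny esp any any
access-list OUTSIDE_IN extended permit gre any host 198.51.100.7
access-list OUTSIDE_IN extended deny ip any any inactive
access-list UNUSED extended permit tcp any any eq 22
access-group OUTSIDE_IN in interface outside
""".splitlines()

if __name__ == "__main__":
    for r in audit_aces(SAMPLE_ASA_ACL):
        status = "MIGRATE" if r.migrated else "DROP   "
        print(f"{status} [{r.ftd_action}] {r.line}")
        for n in r.notes:
            print(f"         - {n}")
```

Entries flagged with a service-object note are not decided by the script; they need the referenced object inspected for non-TCP/UDP/ICMP protocol entries, which the next section covers.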

Network Address Translation (NAT) Rules

What can be migrated:

  • Network object (auto) and twice (manual) NAT or PAT

  • Static NAT

  • Dynamic NAT or PAT

  • Identity NAT

  • Source port (service) translation

Restrictions or limitations of migration:

The following NAT rule features will not be migrated to FTD:

  • PAT pool

  • Unidirectional

  • Inactive

  • With twice NAT, the use of destination service objects for destination port (service) translation (including service objects that have both the source and destination)

  • Destination port translation

  • NAT46, NAT64

Note

CDO does not support a network object with 0.0.0.0/32.

Service Objects and Service Group Objects

What can be migrated:

  • Service objects and nested groups

Restrictions or limitations of migration:

See Supported Protocols on CDO for the list of protocols used in service objects that CDO supports.

  • The BCC-RCC-MON and BBN-RCC-MON protocols are not supported.

  • The operators less than, greater than, and not equal to are not supported.

  • Object-group nesting

Network Objects and Network Group Objects

What can be migrated:

  • Network objects and network group objects

Restrictions or limitations of migration:

The following network objects or network groups are unsupported:

  • Discontinuous mask based

  • IPv4 addresses whose first octet is 0

ICMP Types

What can be migrated:

  • ICMP types

Restrictions or limitations of migration:

The following ICMP types are unsupported:

  • ICMP-based service object entries with an invalid ICMP type and/or code

  • Service-type or ICMP-type objects without a code for the ICMPv4 or ICMPv6 type

  • Any unassigned ICMP type (as per IANA) or invalid ICMP type
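The NAT, network object and service object rules above share one input (the object blocks of an ASA configuration), so a single pre-migration check covers all three sections. The following is an added example, not CDO's or Cisco's code: it parses a constructed fragment of `object network` and `object service` blocks plus top-level twice NAT lines and reports the 0.0.0.0/32 object, first-octet-0 addresses, discontinuous masks, the less-than/greater-than/not-equal operators, the BCC-RCC-MON and BBN-RCC-MON protocols, and the PAT pool, unidirectional, inactive and destination-service NAT forms. Treating the `net-to-net` keyword as the marker of a NAT46/NAT64 rule is an assumption; the ICMP type checks of the last section are not included.

```python
"""Added example, not CDO's or Cisco's code: audit NAT rules and the network and
service objects they reference against the NAT and object rules above.  Input is
a constructed ASA configuration fragment (object blocks plus twice NAT lines)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    where: str      # object name, or the NAT line itself for twice NAT
    reason: str


UNSUPPORTED_OPERATORS = {"lt", "gt", "neq"}             # less than, greater than, not equal to
UNSUPPORTED_PROTOCOLS = {"bcc-rcc-mon", "bbn-rcc-mon"}
UNSUPPORTED_NAT_KEYWORDS = {
    "inactive": "inactive NAT rule",
    "unidirectional": "unidirectional NAT rule",
    "pat-pool": "PAT pool",
    "net-to-net": "NAT46/NAT64 translation",   # assumption: net-to-net marks a NAT46/NAT64 rule
}


def mask_is_contiguous(mask: str) -> bool:
    """True for a normal prefix mask; False for a discontinuous mask such as 255.0.255.0."""
    inv = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
    return inv & (inv + 1) == 0        # the inverted mask must look like 0...01...1


def check_nat(line: str, where: str, findings: List[Finding]) -> None:
    tok = line.split()
    for kw, why in UNSUPPORTED_NAT_KEYWORDS.items():
        if kw in tok:
            findings.append(Finding(where, f"{why} is not migrated"))
    if "source" in tok and "service" in tok:
        findings.append(Finding(where, "twice NAT with destination service objects is not migrated"))


def audit_nat_and_objects(config_lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    current: Optional[Tuple[str, str]] = None      # (object kind, object name) being parsed
    for raw in config_lines:
        if not raw.strip():
            continue
        tok = raw.split()
        if raw.startswith(" "):                    # indented line: belongs to the current object
            if current is None:
                continue
            kind, name = current
            if tok[0] == "nat":
                check_nat(raw, f"object NAT on {name}", findings)
            elif kind == "network" and tok[0] in ("host", "subnet"):
                try:
                    ipaddress.IPv4Address(tok[1])
                except ValueError:
                    continue                       # IPv6 entry: the checks below are IPv4-specific
                if tok[0] == "host" and tok[1] == "0.0.0.0":
                    findings.append(Finding(name, "network object 0.0.0.0/32 is not supported"))
                elif tok[1].split(".")[0] == "0":
                    findings.append(Finding(name, "IPv4 address with first octet 0 is not supported"))
                if tok[0] == "subnet" and not mask_is_contiguous(tok[2]):
                    findings.append(Finding(name, "discontinuous mask is not supported"))
            elif kind == "service" and tok[0] == "service":
                if tok[1].lower() in UNSUPPORTED_PROTOCOLS:
                    findings.append(Finding(name, f"protocol {tok[1]} is not supported"))
                for op in sorted(UNSUPPORTED_OPERATORS.intersection(t.lower() for t in tok)):
                    findings.append(Finding(name, f"operator '{op}' is not supported"))
            continue
        current = None
        if tok[0] == "object" and len(tok) >= 3:
            current = (tok[1], tok[2])
        elif tok[0] == "nat":
            check_nat(raw, raw.strip(), findings)  # twice (manual) NAT at top level
    return findings


# Constructed sample configuration fragment.
SAMPLE_ASA_NAT = """\
object network WEB_SRV
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10
object network ANY_HOST
 host 0.0.0.0
object network ODD_MASK
 subnet 10.0.0.0 255.0.255.0
object network BAD_FIRST_OCTET
 subnet 0.1.0.0 255.255.0.0
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic pat-pool PAT_POOL
object network GUEST_NET
 subnet 10.2.0.0 255.255.0.0
 nat (guest,outside) dynamic interface inactive
object service HIGH_PORTS
 service tcp destination gt 1023
object service HTTPS
 service tcp destination eq 443
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static PARTNER PARTNER service SVC_REAL SVC_MAPPED
nat (inside,outside) source static DMZ_NET DMZ_NET destination static PARTNER PARTNER unidirectional
""".splitlines()

if __name__ == "__main__":
    for f in audit_nat_and_objects(SAMPLE_ASA_NAT):
        print(f"{f.where}: {f.reason}")
```

Objects with no finding (`WEB_SRV`, `HTTPS` and the static object NAT on `WEB_SRV` in the sample) fall within what the table says migrates; everything reported would otherwise surface in the Migration Report as Unsupported.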

Miscellaneous Unsupported Objects

What can be migrated:

  • (none)

Restrictions or limitations of migration:

The following miscellaneous objects are unsupported:

  • SGT-based network object-groups

  • User-based network object-groups

Site-to-Site VPN

What can be migrated:

  • Phase 1 and Phase 2 proposals for both IKEv1 and IKEv2

  • Perfect Forward Secrecy (PFS) for both IKEv1 and IKEv2

  • Crypto access list with nested object-group

  • Crypto map with multiple peer IPs

  • Both IKEv1 and IKEv2 used for a tunnel in a crypto map

Restrictions or limitations of migration:

The following Site-to-Site VPN features are not supported:

  • VPN-Filter

  • vpn-idle-timeout

  • isakmp keepalive threshold 10 retry 10

  • Crypto Map VPNMAP 200 set security-association lifetime seconds 360

  • set security-association lifetime kilobytes unlimited

  • set security-association lifetime seconds 3600

  • Certificate authentication

  • Dynamic crypto map

  • Route-based VPN (virtual tunnel interface)

Note

Remote Access VPN is completely unsupported.
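The Site-to-Site VPN list above is mostly a list of configuration lines, so it can be turned into a scan of the crypto map, tunnel-group and group-policy sections. The following is an added example, not CDO's or Cisco's code: it reads a constructed ASA VPN fragment and reports, per crypto map entry, tunnel-group or group-policy, the settings the table says will not be migrated (SA lifetime overrides, dynamic crypto maps, isakmp keepalive, certificate authentication, vpn-filter, vpn-idle-timeout and VTI interfaces). Recognising certificate authentication by the `certificate` keyword under `tunnel-group ... ipsec-attributes` and VTIs by an `interface Tunnel...` line are assumptions made for the example.

```python
"""Added example, not CDO's or Cisco's code: scan the Site-to-Site VPN parts of an
ASA configuration for the settings the table above lists as not migrated.
Input is a constructed configuration fragment."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    where: str      # crypto map entry, tunnel-group, group-policy or interface
    reason: str


def audit_s2s_vpn(config_lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    seen = set()

    def add(where: str, reason: str) -> None:
        if (where, reason) not in seen:          # one finding per (context, reason)
            seen.add((where, reason))
            findings.append(Finding(where, reason))

    context: Optional[Tuple[str, str]] = None    # (section kind, name) for indented lines
    for raw in config_lines:
        if not raw.strip():
            continue
        tok = raw.split()
        if not raw.startswith(" "):              # top-level line
            context = None
            if tok[:2] == ["crypto", "map"] and len(tok) >= 4 and tok[3].isdigit():
                where = f"crypto map {tok[2]} {tok[3]}"
                rest = " ".join(tok[4:])
                if rest.startswith("set security-association lifetime"):
                    add(where, f"SA lifetime override ({rest}) is not migrated")
                elif "dynamic" in tok:
                    add(where, "dynamic crypto map entry is not migrated")
            elif tok[:2] == ["crypto", "dynamic-map"] and len(tok) >= 3:
                add(f"crypto dynamic-map {tok[2]}", "dynamic crypto map is not migrated")
            elif tok[0] == "tunnel-group" and "ipsec-attributes" in tok:
                context = ("tunnel-group", tok[1])
            elif tok[0] == "group-policy" and "attributes" in tok:
                context = ("group-policy", tok[1])
            elif tok[0] == "interface" and len(tok) > 1 and tok[1].lower().startswith("tunnel"):
                # assumption: a Tunnel interface means a route-based (VTI) VPN
                add(f"interface {tok[1]}", "route-based VPN (virtual tunnel interface) is not migrated")
            continue
        if context is None:
            continue
        kind, name = context
        where = f"{kind} {name}"
        if kind == "tunnel-group":
            if tok[:2] == ["isakmp", "keepalive"]:
                add(where, "isakmp keepalive settings are not migrated")
            if "certificate" in tok:             # assumption: certificate keyword = certificate authentication
                add(where, "certificate authentication is not migrated")
        elif kind == "group-policy":
            if tok[0] == "vpn-filter":
                add(where, "vpn-filter is not migrated")
            elif tok[0] == "vpn-idle-timeout":
                add(where, "vpn-idle-timeout is not migrated")
    return findings


# Constructed sample configuration fragment.
SAMPLE_ASA_VPN = """\
crypto map VPNMAP 200 match address VPN_ACL
crypto map VPNMAP 200 set peer 203.0.113.50 203.0.113.51
crypto map VPNMAP 200 set ikev1 transform-set ESP-AES-SHA
crypto map VPNMAP 200 set ikev2 ipsec-proposal AES256
crypto map VPNMAP 200 set security-association lifetime seconds 360
crypto map VPNMAP 200 set security-association lifetime kilobytes unlimited
crypto dynamic-map DYNMAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map VPNMAP interface outside
tunnel-group 203.0.113.50 type ipsec-l2l
tunnel-group 203.0.113.50 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group 198.51.100.9 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate PARTNER_TP
group-policy S2S_POLICY attributes
 vpn-filter value VPN_FILTER_ACL
 vpn-idle-timeout 30
interface Tunnel1
 nameif vti-outside
""".splitlines()

if __name__ == "__main__":
    for f in audit_s2s_vpn(SAMPLE_ASA_VPN):
        print(f"{f.where}: {f.reason}")
```

The multiple peers and the IKEv1 plus IKEv2 proposals on `VPNMAP 200` produce no finding, matching the "what can be migrated" column; the tunnel is carried over without its lifetime overrides, which must be reapplied on the FTD afterwards if they are still wanted.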

For more information on Guidelines and Limitations, see Guidelines and Limitations for ASA Configurations and Guidelines and Limitations for Firepower Threat Defense Devices.