topic Add FTD to FMC remotely in Network Security

Add FTD to FMC remotely

sanchezeldorado — Tue, 21 Sep 2021 23:26:52 GMT

Hello. I know I must be missing some small detail, but I've been unable to connect a firepower 1010 device on 6.6.1 to my FMC remotely. I've read so many different instructions from so many different versions/people, but the vast majority are suggesting that my firewall is behind a separate NAT device. My FMC is at my headquarters with an FTD at the edge. The FTD that I'm configuring has a static public IP address. My understanding is that the new version of FTD is supposed to automatically NAT through the outside interface with a nat-id to my HQ firewall. My HQ firewall has a NAT rule in place to forward the traffic to my FMC. When I tried configuring the remote FTD with a basic local config, I then added the FMC as a manager and it wiped out the interfaces. I'm sure that I'm not supposed to connect my management port directly to the internet, so does anyone have a good set of instructions on how this is supposed to be configured?

Thanks!

Andy

Re: Add FTD to FMC remotely

rhuysmans — Wed, 22 Sep 2021 01:13:45 GMT

Hi sanchezeldorado,

it's be helpful to see a diagram to position the FMC and FTD devices in relation to each other. Is the FTD the main firewall for the remote site?

Re: Add FTD to FMC remotely

sanchezeldorado — Wed, 22 Sep 2021 04:23:10 GMT

Re: Add FTD to FMC remotely

rhuysmans — Wed, 22 Sep 2021 06:31:52 GMT

Hi Andy,

there's probably a number of ways to get this configured but I would consider changing the management interface to the outside interface, eg ethernet1/1, using the CLI command :-

configure network management-data-interface client ip_address netmask

This will limit the connection to your FMC.

I'm not sure if your remote FTD has already registered with your FMC or if that's the part that's not working?

This document may be useful :-

https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-mgmt-nw.html#ID-2242-000000c9

Re: Add FTD to FMC remotely

sanchezeldorado — Wed, 22 Sep 2021 17:01:42 GMT

Thank you for the document, it clarifies some things, and the command you mention sounds like what I need, but it isn't available. I have a firepower 1010 that I'm trying to setup from scratch, but for now, I'm using FTD and FMC in a CML lab environment to test. I have 4 other FTD firewalls configured successfully, but they are all reachable using the dedicated management port. That said, here's what I've done.

1. I boot up my vFTD and configure my management IP address with a private IP. The document you sent suggests that I set "data-interfaces" as the gateway, but it doesn't accept anything but an IP address. AFTER the IP address, it lets me specify the interface and it will take "data-interfaces" as a destination.

configure network ipv4 manual <private ip> 255.255.255.0 <private ip gateway> data-interfaces
Setting IPv4 network configuration.
Network settings changed.

2. I ran configure manager add <HQ firewall external IP> <regkey> <natid>

configure manager add <HQ external IP> <reg key> <nat-id>
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

3. "configure network managment-data-interface" is not an option.

> configure network
dns Configure DNS servers
hostname Set the hostname
http-proxy Configure HTTP Proxy settings
http-proxy-disable Disable HTTP Proxy settings
ipv4 Configure IPv4 networking
ipv6 Configure IPv6 networking
management-interface Change to Management Port Configuration Mode
management-port Change TCP port for management
mtu Configure Management and Eventing Interface MTU
static-routes Change to Static Route Configuration Mode

Re: Add FTD to FMC remotely

sanchezeldorado — Wed, 22 Sep 2021 17:37:18 GMT

Nevermind. Thank you for the input. The link was what I needed, but that command isn't available until version 6.7 and I'm on 6.6. I'll upgrade.