topic Re: FTD to remote FMC? in Network Security

FTD to remote FMC?

ipv6x — Tue, 20 Sep 2022 13:44:24 GMT

Hello

I know this question is questioned a lot, but i need help to understand the steps and configuration.

FMC ----> FTD-HQ -----> WAN ------> FTD-Remote

I need to understand the procedure.

1--> FMC_REAL_IP ----> FMC_NAT

2--> i need to configure mgmt inter on remote FTD with Public ip?

3--> how to configure NAT on cli in FTD remote?

Regards,

Re: FTD to remote FMC?

Alan Inman — Thu, 22 Sep 2022 13:12:29 GMT

Nice diagram @ipv6x. There is a LOT of moving parts in this. @keithcclark71 just did one of these, maybe he can shed some light on the process. I'll double back around and provide some documentation.

Re: FTD to remote FMC?

keithcclark71 — Fri, 23 Sep 2022 15:41:21 GMT

Hey ipv6 here is a quick write up on what I did

FMC---->ASAPUBIP-----PUBIPFTD--->LAN
1) On ASA STATIC NAT SOURCE FMC Service TCP\8305
2) ACE Outside Interface Source (Public IP Object for FTD) Destination FMC (Internal IP) Service TCP\8305
3)I staged FTD on same subnet over management interface by registering to the FMC on same subnet and configuring. So ex:
a)FTD configure network ipv4 192.168.2.10 255.255.255.0 192.168.2.1 DNS 8.8.8.8
b)Configure manager add 192.168.2.20 cisco123
4)Assigned ACP through registration and created NAT policy which is very important to apply to the FTD also prior to deploying to remote site. The reason is for me at least the only way I could get this to work was while staging the FTDon same subnet with FMC I had to de-register the FTD from the FMC prior to deploying to remote. The deregistration process leaves your Interface assigned IP's in place but removes the zones ACP and NAT it seems is also left in place so that once you get to remote you have internet access based on the applied dynamic nat inside to outside that was applied prior to deregistration.
5)I then changed management interface to an Ip address I would use on the remote subnet I was deploying to.
6) Consoled in then i configure network management-data by inputting the public IP address assignment for the remote FTD
7) Once I was at remote location with FTD I verified I could get internet then i consoled into the FTD and registered over the wan through 8305 which is being Nat'd through the headend ASA to the internal FMC for which will bring up 8305 once initiator requests to register (In this case the FTD is initiator) at this point you could expert cli on the FMC cli and do a netstat -na | grep 8305 to see established connection or if failing you could open up ASDM logging and filter by Pub IP of the FTD you are trying to register to the FMC with to see if getting FINS and issues and at least seeing that the remote FTD is getting to the ASA. If you didnt see traffic in the ASAlogs while registering the remote ftd then obviously issue down the line.
😎I was able to register from remote site doing configure manager add PUBIPOFASAINFRONTOFFMC cisco123 natid1239)One thing you also should keep in mind of is after running the above registration command that when you do this from the FMC side make sure you actually use natid123 for the nat field for registration and not 123. This screwed me up so bad and costed me so much time as this field being called natid sound like all you need is the ID number and not the entire string.

I could not find a way to stage my FTD completely and plug into the remote site without having to deregister from the FTD and reregistering over the WAN

Re: FTD to remote FMC?

ipv6x — Thu, 29 Sep 2022 14:34:12 GMT

Hi @keithcclark71

I share my lab so we can understand better.

the part from HQ is configure and i can catch from internet router FMC NAT IP.

But my problem is the branch FTD, how to configure default route to internet router so i can catch FMC NAT?

I have try to configure also management-data-interface like this:

configure network management-data-interface ipv4 manual 11.9.10.2 255.255.255.240 default-gw 11.9.10.3 interface eth0.

Error: The Interface: eth0 is not configured with remote management.

i need to test here before i try on the production.

Regards,

Re: FTD to remote FMC?

keithcclark71 — Thu, 29 Sep 2022 20:01:37 GMT

On FTD run

1 )Configure management-data-interface (Hit Enter at this point)
2)Type ethernet1/1 (This is the interface you want to configure) after typing ethernet1/1 hit enter which will prompt you through the remaining steps for you to enter your Public Ip info
3)11.9.10.2
4)255.255.255.240
5)11.9.10.3
6) 8.8.8.8 , 8.8.4.4 (Comma seperated list of DNS servers)

Step 2 Ex: Firewall in front of FMC Public IP address 98.75.65.40 (Has NAT established for service port tcp/8305 to inside FMC management IP address say 192.168.2.10)

From FTD CLI
Configure manager add 98.75.65.40 cisco123 natid123

Step 3

FMC add device
11.9.10.2
cisco123
natid123
(Select Tier of FMC if running 7.2 version)
(Asign to ACP and Licenses)

If your NAT is good then the FTD should be able to establish the connection using tcp\8305 with the internal FMC behind the NAT'd firewall 98.75.65.40 tcp\8305 ----> 192.168.2.10 FMC which will bring up as an established connection and allow for registration.

you can check FTD expert mode netstat -na | grep 8305 to see if connection established or on firewall in front of FMC bring up logging and filter by initiator IP address 11.9.10.2 to see if firewall in front of FMC sees it and determine any errors if there are some such as not putting the correct tcp\8305 port in your NAT statement etc

Re: FTD to remote FMC?

ipv6x — Mon, 03 Oct 2022 13:44:22 GMT

I tryed:
Configure management-date-interface but nothing happened, I try to hit enter but nothing happened. On the HQ work everything but in the Branch nothing. see the photos.

Re: FTD to remote FMC?

keithcclark71 — Tue, 04 Oct 2022 12:51:16 GMT

try configure network management-data-interface

Re: FTD to remote FMC?

ipv6x — Wed, 07 Dec 2022 14:36:55 GMT

I have successfully register remote FTD to FMC.

But my problem now is to change the mgmt interface from Public ip to Private IP without loosing FMC registration.