topic Re: FP1010 topology in Network Security

FP1010 topology

lcaruso — Fri, 09 Dec 2022 21:02:11 GMT

After mgmt connectivity issues, TAC provided that my FMCv had to be directly connected to the FP1010 as in the diagram below. Since no examples given, guessing the configuration for each port. From what I can tell, the FMC needs its own network separate from the Transit network which is connected to an internal router.

Here are my guesses. Advice and clarifications are appreciated.

Eth 1/1
Name Outside
Address DHCP
Routed
Zone Outside

Eth 1/2
Name Transit
Address Static 10.11.11.1
Routed
Zone Transit

Eth 1/4
Name FMCv
Address Static 10.22.22.1
Routed
No Zone

Eth 1/5
Name Mgmt
Address Static 192.168.45.2
Mgmt Only
Routed
No Zone

Managment 1/1
Name Mgmt
Address Static 192.168.45.1

Re: FP1010 topology

Rob Ingram — Fri, 09 Dec 2022 21:25:11 GMT

@lcaruso the FMC needs to be routable from the FTD, it doesn't need to be on the same network. It's easier to use the mgmt interface, change the IP address and gateway to match a vlan on your network. Establish ping connectivity and register the device to the FMC.

Here is a guide to troubleshoot registration to the FMC.

https://integratingit.wordpress.com/2018/10/20/ftd-registration-with-fmc/

Re: FP1010 topology

balaji.bandi — Fri, 09 Dec 2022 21:31:07 GMT

Same document look for next diagram - Figure 4. Cabling the Firepower 1010

This means FMCv can be anywhere not required to be in the same VLAN, as long IP has reachability (no FW between - can be FW but some ports are required to Open to connect).

when you setup FTD, make sure you select managed FMC .

https://www.youtube.com/watch?v=v_uZ9GbICBk

https://www.youtube.com/watch?v=hbX4J2tZiyU

Re: FP1010 topology

lcaruso — Fri, 09 Dec 2022 21:35:09 GMT

Thanks, Rob for your input. I believe what you are describing is the same or close to what I had originally, but FTD could not resolve DNS even though DNS was configured. TAC spent three hours looking at this and concluded the FMCv had to be directly connected.

Re: FP1010 topology

Rob Ingram — Fri, 09 Dec 2022 21:40:15 GMT

@lcaruso you don't need to use dns, you can just use IP.

Can you ping the gateway from the FTD? Can you ping the FMC from the FTD?

Did you take a tcpdump as per the link I provided?

Re: FP1010 topology

lcaruso — Fri, 09 Dec 2022 21:43:17 GMT

Rob, the dns issue was seen with a critical health status for FTD not being able to connect like this

FTD01:/home/ldap/abbac# curl -v -k https://api-sse.cisco.com
* Rebuilt URL to: https://api-sse.cisco.com/
* getaddrinfo(3) failed for api-sse.cisco.com:443
* Couldn't resolve host 'api-sse.cisco.com'
* Closing connection 0
curl: (6) Couldn't resolve host 'api-sse.cisco.com'

Re: FP1010 topology

lcaruso — Fri, 09 Dec 2022 21:48:31 GMT

Hi @balaji.bandi thanks for your reply. I should have mentioned I had everything setup and working except FTD could not resolve DNS names and connect to the cloud. So FMCv was registered, inside traffic was passing fine, but FTD was critical status because of not being able to connect to the cloud. I did see that video you shared previously that is a good one, thanks.

balaji.bandi

Re: FP1010 topology

Rob Ingram — Fri, 09 Dec 2022 21:53:14 GMT

@lcaruso I assumed your issue was registering the ftd to the fmc. That screenshot would indicate you mean the ftd is unable to resolve a dns entry in order to access the Internet?

How does this relate to the fmc? Please provide more information on your issue.

Is it just this fqdn that is not resolvable?

Re: FP1010 topology

balaji.bandi — Fri, 09 Dec 2022 22:28:16 GMT

is that still issue has this been resolved?

Re: FP1010 topology

lcaruso — Fri, 09 Dec 2022 22:48:22 GMT

Not resolved yet because I am now redesigning the network to match the diagram that Cisco says I have to implement. I swapped in my backup firewall and need to connect FMCv directly and cable Management1/1 to Eth1/5 as in the diagram.

Re: FP1010 topology

lcaruso — Fri, 09 Dec 2022 22:54:17 GMT

Rob, the connectivity issue was FTD could not ping ip addresses eg 8.8.8.8 so that is why a critical error raised regarding the reachability of the cloud. I was told by TAC there is a separate FTD "policy" that manages FTD's network that I had not configured. Somehow TAC jumped from configuring that as a possible solution to these required topology changes with Management1/1 connected directly to Eth1/5 and FMCv connected directly to Eth1/4 per the FP1010 cabling diagram.

Re: FP1010 topology

Rob Ingram — Sat, 10 Dec 2022 20:12:08 GMT

@lcaruso isn't this 2 issues?

Please provide the actual screenshot of the critical error regarding reachability of the cloud, I assume it's displayed on the FMC? The FMC does normally communicate with api-sse.cisco.com - therefore the FMC would need internet access, so NAT and an Access Control rule to permit the traffic.

If you cannot even ping an IP address on the internet from the FTD itself, does this not indicate an actual fundamental network/routing issue? Can you ping the next hop IP address? Can devices behind the FTD access the internet?

On the FTD what interface are you pinging from? The Outside interface (ping 8.8.8.8) or mgmt interface (ping system 8.8.8.8). If your mgmt interface is connected to the internal LAN (with the switch as the next hop) then it is routed through the FTD, so you'd need NAT and an Access Control rule.

To configure the FTD to ping hostnames you need to configure DNS in the Platform Settings policy.