09-14-2019 01:10 AM - edited 02-21-2020 09:29 AM
I have a set up of a switch, ASA 5545, Cisco FMC and some servers.
---Workstations---->Access Switch---->Cisco ASA---->Servers
The FMC is used to manage the sfr module of the ASA.
At the moment, workstations on the access switch have access to the servers but cannot access the FMC, because the FMC is in the management vlan of the ASA.
How do I configure the FMC such that workstations can have web access to the FMC?
Kindly assist me on this.
Thanks.
I attached the topology.
09-14-2019 01:32 AM
It's not an FMC configuration but rather an ASA configuration. Traffic coming through the ASA will normally see the management subnet as "connected" and thus think the best route to reach it is via the ASA management interface. However management interface traffic is not allowed to transit an ASA by design.
If you put a more specific static route (and associated ACL entry) in the ASA, you will be able to reach the host(s) like the FMC in the management subnet.
Is there a L2 switch or router on the inside that you can use to route the management subnet traffic into and out of the ASA?
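An added illustration of the approach described in this reply (example configuration, not from the thread or from Cisco): a host route for the FMC that is more specific than the connected /24 on the management interface, so the ASA forwards traffic for that one host out a data interface instead of trying to send it through the management interface, plus the ACL entry that permits the workstations' HTTPS sessions. Every value is an assumption: the FMC at 172.29.0.10, an inside L3 device at 172.30.225.2 as next hop, workstations in 10.0.0.0/24, and the interface and ACL names.

```cisco
! Added example, not the original poster's configuration.
! Assumed: FMC eth0 = 172.29.0.10 (management vlan 172.29.0.0/24),
!          inside L3 device = 172.30.225.2 (server vlan),
!          workstations = 10.0.0.0/24 arriving on the "outside" interface.
!
! /32 host route wins longest-prefix match over the connected /24 on the
! management interface, so the ASA routes FMC traffic via the inside data path.
route inside 172.29.0.10 255.255.255.255 172.30.225.2 1

! Permit only the FMC web UI from the workstation subnet; the ASA is stateful,
! so the return traffic needs no separate entry.
access-list outside_access_in extended permit tcp 10.0.0.0 255.255.255.0 host 172.29.0.10 eq https
access-group outside_access_in in interface outside
```

This only works if the assumed inside L3 device actually has an interface in the management vlan and is the FMC's default gateway, so that replies to the workstations come back through the ASA's data interfaces rather than being sent toward the management interface; that is the device the reply asks about, and without it the host route has no usable next hop. Verify the result with `show route` (the /32 should be listed ahead of the connected /24) and `packet-tracer input outside tcp 10.0.0.50 40000 172.29.0.10 443`.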
09-14-2019 04:15 AM
Thanks Rhoads.
There is neither an L2 switch nor a router on the inside for this purpose.
Also, all the workstations have their gateway on the outside interface of the gateway.
There is only an access switch and the ASA.
09-14-2019 05:21 AM
Rhoads,
The management vlan is 172.29.0.0/24. The server vlan is 172.30.225.0/24.
Is it possible to configure the eth0 interface of the FMC in the management vlan and use it for management traffic of the sfr,
configure the eth1 interface of the FMC in the server vlan and use it for event traffic of the sfr,
and then access the FMC GUI via the server vlan? Is this achievable?
See the attached.
09-14-2019 07:02 AM
No, you cannot do that.
The FMC doesn't need to be in the same subnet as the Firepower service module though. It can be in the server subnet and manage the service module just as easily.
09-14-2019 05:27 PM
Alright, if it is in the server vlan, how can it reach/ping the sfr module in the management vlan?
Or does the sfr not need to be in the management vlan?
Kindly shed more light.
09-14-2019 07:39 PM
The sfr module does need to be in the same subnet as the ASA's physical management interface.
The FMC managing it can be in any subnet that has bidirectional connectivity via tcp/8305.
Your management subnet MUST have connectivity to the FMC - it can either be on the same subnet or somewhere else - provided that any other location is accessible. If you've put everything in the management subnet and not connected that subnet to anything outside the ASA, then you will only ever be able to reach the FMC if your client PC is on that same subnet.
09-16-2019 11:42 AM
Thanks Rhoads.
If I have to place the FMC in another vlan (server vlan), how do I establish connectivity to the management vlan as the routing table for the management vlan is different?
09-16-2019 08:12 PM
You need to change your network design to put the FMC somewhere else.
As long as it is in the management subnet and that subnet does not have external connectivity, you will not be able to reach it from any device not on that subnet.
09-26-2019 12:32 PM
Hi Rhoads,
Thanks for your help.
I just had to dedicate a workstation to be in the management vlan in order to manage the FMC just as you advised.
Thanks again.