Solved: Re: Cisco FMC cannot be reached because it's in management vlan

segwizz · ‎09-14-2019

I have a set up of a switch, ASA 5545, Cisco FMC and some servers.

---Workstations---->Access Switch---->Cisco ASA---->Servers

The FMC is used to manage the sfr module of the ASA.

At the moments workstations on the access switch have access to the servers but cannot access the FMC because the FMC is in management vlan of the ASA.

How do I configure the FMC such that workstations can have web access to the FMC?

Kindly assist me on this.

Thanks.

I attached the topology.

Marvin Rhoads · ‎09-16-2019

You need to change your network design to put the FMC somewhere else.

As long as it is in the management subnet and that subnet does not have external connectivity, you will not be able to reach it from any device not on that subnet.

View solution in original post

Marvin Rhoads · ‎09-14-2019

It's not an FMC configuration but rather an ASA configuration. Traffic coming through the ASA will normally see the management subnet as "connected" and thus think the best route to reach it is via the ASA management interface. However management interface traffic is not allowed to transit an ASA by design.

If you put a more specific static route (and associated ACL entry) in the ASA, you will be able to reach the host(s) like the FMC in the management subnet.

Is there a L2 switch or router on the inside that you can use to route the management subnet traffic into and out of the ASA?

segwizz · ‎09-14-2019

Thanks Rhoads.

There is neither a L2 switch switch nor router in the inside for this purpose.

Also all the workstations have their gateway on the outside interface of the gateway

There is only an access switch and the ASA.

segwizz · ‎09-14-2019

Rhoads,

The management vlan is 172.29.0.0/24.Server vlan is 172.30.225.0/24.

Is it possible to configure eth0 interface of FMC in management vlan and use it for management traffic of the sfr;

configure eth1 interface of FMC in the server vlan and use it for event traffic of the sfr

and then access via FMC GUI via the server vlan? Is this achievable?

See the attached.

Marvin Rhoads · ‎09-14-2019

No, you cannot do that.

The FMC doesn't need to be in the same subnet as the Firepower service module though. It can be in the server subnet and manage the service module just as easily.

segwizz · ‎09-14-2019

Alright, If it is server vlan, how can it reach/ping the sfr module in the management vlan?

Or the sfr doesn't need to be in management vlan?

Kindly shed more light?

Marvin Rhoads · ‎09-14-2019

The sfr module does need to be in the same subnet as the ASA's physical management interface.

The FMC managing it can be in any subnet that has bidirectional connectivity via tcp/8305.

Your management subnet MUST have connectivity to the FMC - it can either be on the same subnet or somewhere else - provided that any other location is accessible. If you've put everything in the management subnet and not connected that subnet to anything outside the ASA; then you will only ever be able to reach the FMC if your client PC is on that same subnet.

segwizz · ‎09-16-2019

Thanks Rhoads.

If I have to place the FMC in another vlan (server vlan), how do I establish connectivity to the management vlan as the routing table for the management vlan is different?

Marvin Rhoads · ‎09-16-2019

You need to change your network design to put the FMC somewhere else.

As long as it is in the management subnet and that subnet does not have external connectivity, you will not be able to reach it from any device not on that subnet.

segwizz · ‎09-26-2019

Hi Rhoads,

Thanks for you help.

I just had to dedicate a workstation to be in the management vlan in order to manage the FMC just as you advised.

Thanks again.