Beginner

Cisco FMC cannot be reached because it's in management vlan

I have a set up of a switch, ASA 5545, Cisco FMC and some servers.

---Workstations---->Access Switch---->Cisco ASA---->Servers

The FMC is used to manage the sfr module of the ASA.

At the moments workstations on the access switch have access to the servers but cannot access the FMC because the FMC is in management vlan of the ASA.

How do I configure the FMC such that workstations can have web access to the FMC?

Kindly assist me on this.

Thanks.

I attached the topology.

9 Replies
Hall of Fame Master

Re: Cisco FMC cannot be reached because it's in management vlan

It's not an FMC configuration but rather an ASA configuration. Traffic coming through the ASA will normally see the management subnet as "connected" and thus think the best route to reach it is via the ASA management interface. However management interface traffic is not allowed to transit an ASA by design.

If you put a more specific static route (and associated ACL entry) in the ASA, you will be able to reach the host(s) like the FMC in the management subnet.

Is there a L2 switch or router on the inside that you can use to route the management subnet traffic into and out of the ASA?
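An added illustration of the route-plus-ACL approach described in this reply; it is not configuration from the thread or from Cisco. It assumes a router on the inside (hypothetical next hop 172.30.225.1) that has a path into the 172.29.0.0/24 management subnet, an FMC at 172.29.0.10, and a workstation subnet of 10.0.0.0/24; all three values are placeholders, and the ACL name is assumed.

```ios
! Added example, not from the thread. Assumes an inside router (172.30.225.1, placeholder)
! that can forward into the management subnet; the ASA management interface itself
! will not transit this traffic, so the route must point out the inside interface.
! A /32 route to the FMC host is more specific than the connected /24 on the
! management interface, so it wins the longest-prefix match.
route inside 172.29.0.10 255.255.255.255 172.30.225.1 1

! Permit only what the workstations need: HTTPS to the FMC web UI.
! 10.0.0.0/24 is a placeholder for the workstation subnet on the outside.
access-list outside_access_in extended permit tcp 10.0.0.0 255.255.255.0 host 172.29.0.10 eq https
access-group outside_access_in in interface outside
```

The inside router must also have a return path for the workstation subnet via the ASA, otherwise the TCP handshake will not complete; verify with `packet-tracer input outside tcp 10.0.0.5 12345 172.29.0.10 443` on the ASA.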

Beginner

Re: Cisco FMC cannot be reached because it's in management vlan

Thanks Rhoads.

There is neither an L2 switch nor a router on the inside for this purpose.

Also, all the workstations have their gateway on the outside interface of the gateway.

There is only an access switch and the ASA.

Beginner

Re: Cisco FMC cannot be reached because it's in management vlan

Rhoads,

The management vlan is 172.29.0.0/24. Server vlan is 172.30.225.0/24.

Is it possible to configure the eth0 interface of the FMC in the management vlan and use it for management traffic of the sfr;

configure the eth1 interface of the FMC in the server vlan and use it for event traffic of the sfr;

and then access the FMC GUI via the server vlan? Is this achievable?

See the attached.

Hall of Fame Master

Re: Cisco FMC cannot be reached because it's in management vlan

No, you cannot do that.

The FMC doesn't need to be in the same subnet as the Firepower service module though. It can be in the server subnet and manage the service module just as easily.

Beginner

Re: Cisco FMC cannot be reached because it's in management vlan

Alright, if it is in the server vlan, how can it reach/ping the sfr module in the management vlan?

Or the sfr doesn't need to be in management vlan?

Kindly shed more light?

Hall of Fame Master

Re: Cisco FMC cannot be reached because it's in management vlan

The sfr module does need to be in the same subnet as the ASA's physical management interface.

The FMC managing it can be in any subnet that has bidirectional connectivity via tcp/8305.

Your management subnet MUST have connectivity to the FMC - it can either be on the same subnet or somewhere else - provided that any other location is accessible. If you've put everything in the management subnet and not connected that subnet to anything outside the ASA, then you will only ever be able to reach the FMC if your client PC is on that same subnet.

Beginner

Re: Cisco FMC cannot be reached because it's in management vlan

Thanks Rhoads.

If I have to place the FMC in another vlan (server vlan), how do I establish connectivity to the management vlan as the routing table for the management vlan is different?

Hall of Fame Master

Re: Cisco FMC cannot be reached because it's in management vlan

You need to change your network design to put the FMC somewhere else.

As long as it is in the management subnet and that subnet does not have external connectivity, you will not be able to reach it from any device not on that subnet.

Beginner

Re: Cisco FMC cannot be reached because it's in management vlan

Hi Rhoads,

Thanks for your help.

I just had to dedicate a workstation to be in the management vlan in order to manage the FMC, just as you advised.

Thanks again.