So, I have been working through my project and came across an interesting problem.  If a site does not have a backup vpn solution, you are forced to register the FTD device through its own access control policy, nat, route, etc., using the NAT ID feature.  

The problem is, if you registered it at a local site with a different IP address (management IP address on FTD), than ship it out.  The site receives the devices and plugs everything, everything flows through FTD just fine.  But, now you need to change the management IP address (to reflect remote site network) to get it registered back to FMC.  

The problem is, I change the management IP address on FTD and FMC and couldn't get it re-registered.  So, reaching out to TAC, they said i would have to delete the previous registration and re-register it due to how FMC holds registrations.  They said it will not be a problem because FMC will pull the policy that is currently on FTD device and use that.  

So we did that.  HOWEVER, the FMC did pull the policy, but it when it re-applies (this is all automatic and you can't change this), it deletes the configuration while it is re-appling the same one it pulled from it.  But, once FMC gets to the NAT and routes being deleted, FMC can't finish re-deploying the policy because it broke itself and there is no connection possible back to FMC as it deleted its own NAT and routes.  We confirmed this by going in the back end way to the actual ASA code, NAT and route's were gone.  We did this twice.  

Therefore, TAC stated this is a oversight on this type of design and I will have to use a VPN.  

Ahh!!!!  

We actually managed this to work in the following way.

We are not changing mgt address of remote host. We actually created security zone called branch_mgt. Assigned interface to it and gave the ip address to that interface (lets call it IP address A). This address is the default gateway for branch FTD management  interface (lets call it ip address B). 

During the preconfig we assigned IP addr. B to management interface and set default gateway to ip addr A. This ip addr A was assigned to local switch vlan ABC to provide connectivity to FMC.

We also ensured that in VPN configuration both Branch Inside network and Branch management network were included in protected network section.

After we did preconfig we simply connect Branch FTD management interface to interface assigned to branch_mgt security zone

Yeah i can see that working, that makes sense.  As long as the management IP address doesn't change when you are using the FTD device as the path to connect to FMC I don't foresee this being a problem.

It still makes me nervous with registering a FTD management interface to FMC while using the FTD as its path.  I mean, would if the IP addresses need to change or someone screws up a route or NAT or something.  There is NO way to locally change it back on the FTD device to get it re-registered.  

I feel cisco should give us SOME local configuration options on FTD, but there are none.  

Thanks - Tony

Hi Tony,

I have tested the scenario you described and do not agree with TAC. I have got it working just fine without re-registering the device since that would cause the chicken-egg issue you have described.

Initially it did not work and FMC did not connect to sensor again but after changing the Host configuration at Device Management > [Sensor Name] > Devices > Management and restarting sftunnel processes via pmtool on CLI it re-connected just fine. (v. 6.1.0 build 330)

I will test this again and report back in more detail tommorow.

Really that is interesting, if I could get more information on this, that would good to know.  Also, how did you restart the 'sftunnel' process?  Or i think i found it:

- 

admin@FireSIGHT:~$ sudo pmtool restartbyid sftunnel

Some more features that I got working last night on FTD, worked without issue.  I did have to get into the actual ASA cli on the FTD, do some show commands to verify what I was pushing to it was actually being configured.  

- ospf

- about 12 sub-interfaces (customer wanted router on a stick)

- dhcprelay on each inside interface

After another test I have found that a restart of the sftunnel process is not neccessary, I just had to give FMC some time to reconnect to the sensor.

Here is how I tested the change of IP:

1. Register sensor with FQDN sensor.example.com

2. Configure FTD data interfaces (mgmt [10.0.0.1] and outside [1.1.1.1]) and configure PAT for TCP/8305 from outside to sensor management IP 10.0.0.100

3. Relocate sensor and change management ip address to 10.0.0.100. Set default-gateway to FTD data interface mgmt [10.0.0.1].

4. Change DNS A record for sensor.example.com to outside [1.1.1.1]

5. Wait for ~10min

6. Verify sftunnel connect via netstat -a and deploy configuration again to verify connectivity is working correctly between sensor and fmc.

Let me know if you have any questions.

We also could translate both source and destination addresses to solve the connectivity problem between FMC and sensor. This translation should be made on FMC and Sensor sites.

They will connect to each over using IP addresses as if they are not separated by NAT devices.

On FMC site:

FMC_Local -> Sensor_Local:8305 should be translated to FMC_Global -> Sensor_Global:8305

On Sensor site:

Sensor_Local:8305 -> FMC_Local should be translated to Sensor_Global:8305 -> FMC_Global