Remote Deploy HA Pair FTD2110 using vFMC in cloud

meconomou
Level 1
Our vFMC is in our cloud datacenter and we are installing 2 FTD2110s for HA at the client's site. The client currently has a Google Fiber router with 1 public IP available and NATs to a 192.168.1.0/24. I can assign a static internal IP for the outside interface on the FTD on Google's router and use port forwarding for connectivity, but can I use the same subnet for the management interface so it has internet access? Provided a high-level diagram for review as well. Also, the Sonicwall and 2 old firewalls will be decomm'd once this is up and working, so putting them behind the Sonicwall and using a S2SVPN for initial access has been discussed. That would require a reconfiguration of the FTDs and an outage which we are trying to avoid.
3 Replies

Oliver Kaiser
Level 7
You can configure the management interface to be in the same subnet as your outside interface. The management interface has its own routing table so you should not experience any issues in your scenario.

From a security standpoint I would try to avoid having my out-of-band management and outside network being the same, but since there is no direct access due to the PAT scenario it's ok imo.

If you have any other questions let me know.

meconomou
Level 1
Turns out the only way for this to work properly is to assign a separate public IP to the Mgmt port on the FTD2110s. Running the connectivity for the mgmt. port through your firewall inside/outside interfaces is too risky. If you push a firewall config that can break the connectivity to the mgmt. port, your firewall is "dead in the water" until you go onsite and console back in. Some other engineers have expressed that a complete config wipe has been necessary, and then starting back from scratch. Cisco is supposed to be working on a way to lock down the access to the mgmt. port if it has a public IP, but for now it is wide open to the public. Best solution: Don't use the new FTD firewalls if you cannot deploy a FMC behind it. They're not ready for remote deployments, so an ASA w/FP module is your best choice.

Is there a reason you could not use the 192.168.1.0/24 subnet for your management interfaces? The issue you detail is indeed true if the FTD device is the only routing instance at a remote site, but if there is another device to route your management network you won't get into any out-of-band connectivity issues.
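As an added example (not from this thread and not Cisco's code), a small design-review check in Python that encodes the three points the replies make: the lockout risk when management reachability transits the FTD's own data plane, a public address on the management port with nothing in front of it, and management sharing the outside subnet behind a separate router. The hop names, addresses and verdict labels are constructed for this example.

```python
from ipaddress import ip_interface, ip_network
from typing import Dict, List

# Hop names are constructed for this example: "ftd-data" stands for the FTD
# 2110's inside/outside (data-plane) interfaces, "ftd-mgmt" for its dedicated
# management port, anything else (e.g. "site-router") for a separate device.
LOCKOUT, EXPOSED, SHARED = "lockout-risk", "exposed-mgmt", "shared-subnet"
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def review_mgmt_path(path: List[str], mgmt_addr: str, outside_addr: str) -> Dict[str, object]:
    """Review an FTD out-of-band management design; return findings and a verdict.

    path:         ordered hops from the ISP to the management port,
                  e.g. ["isp", "site-router", "ftd-mgmt"].
    mgmt_addr:    management interface address with prefix, e.g. "192.168.1.10/24".
    outside_addr: the FTD outside (data-plane) interface address with prefix.
    """
    if not path or path[-1] != "ftd-mgmt":
        raise ValueError("path must end at ftd-mgmt")
    mgmt, outside = ip_interface(mgmt_addr), ip_interface(outside_addr)
    findings = []
    # Failure mode 1 (the accepted answer): management reachability that transits
    # the FTD's own data plane. A policy push that breaks the data plane then also
    # severs the channel you would use to repair it; only a site visit recovers.
    if "ftd-data" in path:
        findings.append(LOCKOUT)
    # Failure mode 2 (also from the accepted answer): a non-RFC1918 address on the
    # management port is reachable by anyone unless something upstream filters it.
    if not any(mgmt.ip in net for net in RFC1918):
        findings.append(EXPOSED)
    # Informational (Oliver's point): management and outside in one subnet works,
    # since the management interface keeps its own routing table, but it erodes
    # the out-of-band boundary and should be a conscious decision.
    if mgmt.network == outside.network:
        findings.append(SHARED)
    verdict = "reject" if LOCKOUT in findings else "review" if EXPOSED in findings else "ok"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed scenario matching the question: management behind the site
    # router's PAT, sharing 192.168.1.0/24 with the outside interface.
    print(review_mgmt_path(["isp", "site-router", "ftd-mgmt"],
                           "192.168.1.10/24", "192.168.1.2/24"))
```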