Beginner

Connect FTD to FMC with NAT at both sides?

Hi

I'm currently building a proof of concept for our Firepower implementation and I've run into some confusion regarding NAT and FMC.

I am testing the following set up:

FTD at remote site is behind a single public IP

FMC is at the central site behind an FTD with a single public IP

I want to NAT the traffic twice, and forward through the correct ports (we only have a single public IP for each site). Is this configuration supported?

Does anyone have any additional details about the NAT ID setting? It's not documented in that much detail ... when joining the FMC to the FTD do I enter the public IP that will be NATed? How does the FTD know where to send the traffic? How do I configure NAT on the remote site FTD when it is not yet joined to the FMC?

Thanks in advance



Re: Connect FTD to FMC with NAT at both sides?

Yes, I would be glad to give you all the information that I have run into with this issue. Bottom line is that FTD at a remote site will not function like the ASA/FirePower at a remote site without preconfiguring locally. Personally, due to the fact that if something happens to the unit you may not be able to support that remote location remotely. Cisco suggested that we buy yet another piece of equipment (router) for the remote site so this would function. Absolutely crazy.

That said, they are working on a solution that works similar to the ASA/FirePower but I cannot say when/if this will happen. I know sales will tell you that this certainly works and field engineers will support them, but there is enough documentation that we gave to TAC showing that it will not function the same. I do like FTD for the most part (we are running a 2110 locally) but I elected to reimage my ASAs with ASA/FirePower for my remote locations. If you need the links I could do some looking to show you others that too discovered what we did.

Best of luck and just reimage for now IMO.

VIP Advocate RJI

Re: Connect FTD to FMC with NAT at both sides?

Hi,
You will need to create a static NAT on the firewall in front of the FMC, to NAT tcp/8305 to the private IP address of the FMC.

On the FTD when configuring the manager, use a natid, e.g. "configure manager add <public nat ip of fmc> <registration key> <natid>".

When registering the device on the FMC, the IP address you'd enter is the private (real) IP address of the FTD; in the "Unique NAT ID:" box enter the natid configured on the FTD.

HTH
Beginner

Re: Connect FTD to FMC with NAT at both sides?

Thanks for the replies

Please see attached a quick diagram of my lab topology

[attachment: Topo.JPG]

FTD1 is joined to the FMC successfully. I have configured a NAT rule and firewall rule on FTD1 to allow incoming connections to the FMC on FTD1's WAN IP (1.1.1.1) on ports 8305 and 443 (for testing). I can access the FMC's web interface at https://1.1.1.1 via the PC behind FTD2, so I know this is working properly.

I then tried to join FTD2 to the FMC. I configured it with local management, set the interface IPs and enabled the default inside to outside NAT rule.

I executed the following command from the CLI of FTD2:

configure manager add 1.1.1.1 Key123 NATFW2

Then see the attached screenshot of my configuration to add FTD2 to the FMC.

[attachment: FMC Join Behind NAT.JPG]

Unfortunately the join fails with the following error: "Could not establish a connection to the device"

Is this setup supported? If we can't have the remote FTD device behind NAT I'm not sure we can implement Firepower, which would be a massive problem because ASA is extremely challenging to manage with many sites (in my opinion).
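The two halves of a NAT-traversing registration (RJI's reply above: static NAT of tcp/8305 in front of the FMC, `configure manager add <fmc public ip> <key> <natid>` on the FTD, the FTD's private IP plus the same "Unique NAT ID" on the FMC) are easy to get subtly out of step, and the symptom is exactly the "Could not establish a connection" error in the post above. The script below is an added example, not Cisco code or anything from this thread's posters: it builds both halves from one plan, cross-checks them, and probes the sftunnel port the way a pre-registration checklist would. The addresses 1.1.1.1 / Key123 / NATFW2 come from the thread; the FMC private address 10.1.0.10 and the FTD2 management address 10.2.0.10 are constructed lab values.

```python
"""Pre-registration consistency checks for joining an FTD to an FMC across NAT.

Added example (not Cisco's code). It encodes the thread's advice:
  - the firewall in front of the FMC forwards tcp/8305 to the FMC's private IP;
  - the FTD dials the FMC's *public* NAT address with a registration key and NAT ID;
  - the FMC is given the FTD's *private* (real) IP and the same NAT ID.
"""
import ipaddress
import shlex
import socket
from dataclasses import dataclass

SFTUNNEL_PORT = 8305  # TCP port of the FMC/FTD management channel (sftunnel)


@dataclass(frozen=True)
class NatPlan:
    fmc_public_ip: str   # address the remote FTD dials (NAT in front of the FMC)
    fmc_private_ip: str  # real FMC address behind that NAT
    ftd_private_ip: str  # real FTD management address behind the remote NAT
    reg_key: str
    nat_id: str


def static_nat_rule(plan: NatPlan) -> dict:
    """Static NAT needed on the firewall in front of the FMC: tcp/8305 on the
    public address translated to the FMC's private address, same port."""
    return {
        "protocol": "tcp",
        "original": (plan.fmc_public_ip, SFTUNNEL_PORT),
        "translated": (plan.fmc_private_ip, SFTUNNEL_PORT),
    }


def ftd_manager_command(plan: NatPlan) -> str:
    """CLI line typed on the FTD: configure manager add <fmc public ip> <key> <natid>."""
    return f"configure manager add {plan.fmc_public_ip} {plan.reg_key} {plan.nat_id}"


def fmc_device_fields(plan: NatPlan) -> dict:
    """Values entered in the FMC 'Add Device' dialog: the FTD's private IP,
    the registration key, and the same NAT ID (not the remote public address)."""
    return {
        "host": plan.ftd_private_ip,
        "registration_key": plan.reg_key,
        "unique_nat_id": plan.nat_id,
    }


def check_registration(ftd_cmd: str, fmc_fields: dict, plan: NatPlan) -> list:
    """Cross-check the FTD command against the FMC dialog values and return
    every mismatch found; an empty list means the two halves agree."""
    problems = []
    parts = shlex.split(ftd_cmd)
    if parts[:3] != ["configure", "manager", "add"] or len(parts) != 6:
        return ["FTD command must be: configure manager add <ip> <regkey> <natid>"]
    _, _, _, host, key, natid = parts
    try:
        ipaddress.ip_address(host)
    except ValueError:
        problems.append(f"FTD manager address {host!r} is not an IP address")
    if host != plan.fmc_public_ip:
        problems.append("FTD must dial the FMC's public NAT address, not its private one")
    if key != fmc_fields["registration_key"]:
        problems.append("registration key differs between FTD and FMC")
    if natid != fmc_fields["unique_nat_id"]:
        problems.append("NAT ID on FTD does not match 'Unique NAT ID' on FMC")
    if fmc_fields["host"] != plan.ftd_private_ip:
        problems.append("FMC must be given the FTD's private (real) IP")
    return problems


def tcp_reachable(host: str, port: int = SFTUNNEL_PORT, timeout: float = 3.0) -> bool:
    """Probe whether the sftunnel port answers through the NAT from where the
    FTD's management interface sits. A refused or timed-out connect is the
    same condition that produces 'Could not establish a connection'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed lab plan: public/key/natid from the thread, private IPs invented.
    plan = NatPlan("1.1.1.1", "10.1.0.10", "10.2.0.10", "Key123", "NATFW2")
    print("FMC-side NAT:", static_nat_rule(plan))
    print("FTD CLI     :", ftd_manager_command(plan))
    print("FMC dialog  :", fmc_device_fields(plan))
    print("mismatches  :", check_registration(ftd_manager_command(plan), fmc_device_fields(plan), plan))
    print("tcp/8305 up :", tcp_reachable(plan.fmc_public_ip, timeout=2.0))
```

Run the probe from a host on the same network as the FTD's management interface; if it fails while the FMC's https on the same public IP works, the missing piece is the tcp/8305 static NAT (or, as RJI points out in the next reply, a management interface with no route to the public address).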

VIP Advocate RJI

Re: Connect FTD to FMC with NAT at both sides?

You won't be able to route to 1.1.1.1 if the mgmt interface is on the 10.2.0.0 network and plugged into the inside network. Put the Mgmt and Outside interfaces in the 1.1.1.x network; they can then reach the address 1.1.1.1.
Beginner

Re: Connect FTD to FMC with NAT at both sides?

Ah ok, I can do that in a lab, but in production I'd need to put a router in front of the FTD? That's disappointing, as I was hoping to implement with as little hardware as possible for simplicity and cost savings.

VIP Advocate RJI (Accepted Solution)

Re: Connect FTD to FMC with NAT at both sides?

Is it an internet circuit you will be using or a P2P link?

Assuming it's an internet circuit, the cleanest way of configuring it would be a router, with a small switch to connect the inside router interface, FW outside and FW mgmt; this is what I've used in the past. There are other clunky and probably unsupported ways of pre-configuring the FTD.

If it's a P2P link (as per your diagram) you'd just need a switch, as both ends would be on the same network.

Beginner

Re: Connect FTD to FMC with NAT at both sides?

Thanks for your help. I guess there are 3 options as I see it, with an internet circuit (as it would be in production; the lab was using P2P for simplicity's sake):

1 - Install a router in front of the FTD and use this to NAT the traffic (e.g. Cisco 892 or 861)
2 - Assuming there are multiple public IPs available, connect a switch and give the management interface a public IP - security risk?
3 - Some kind of preconfiguration workaround (either temporarily assigning a public IP to the management interface on site, or adding the FTD to the FMC while it is in the central site and applying a basic configuration with the management interface NATed behind the outside interface)

I'll test some more and think about what to do :)