8082 Views | 20 Helpful | 9 Replies

Connect FTD to FMC with NAT at both sides?

btjtaylor1 (Level 1)

Hi

 

I'm currently building a proof of concept for our Firepower implementation and I've run into some confusion regarding NAT and FMC.

 

I am testing the following set up:

 

FTD at remote site is behind a single public IP

FMC is at the central site behind an FTD with a single public IP

 

I want to NAT the traffic twice and forward through the correct ports (we only have a single public IP for each site). Is this configuration supported?

 

Does anyone have any additional details about the NAT ID setting? It's not documented in that much detail... When joining the FMC to the FTD, do I enter the public IP that will be NATted? How does the FTD know where to send the traffic? How do I configure NAT on the remote site FTD when it is not yet joined to the FMC?

 

Thanks in advance

1 Accepted Solution


9 Replies

Yes, I would be glad to give you all the information that I have run into with this issue. Bottom line is that FTD at a remote site will not function like the ASA/FirePower at a remote site without preconfiguring locally. Personally, due to the fact that if something happens to the unit you may not be able to support that remote location remotely. Cisco suggested that we buy yet another piece of equipment (router) for the remote site so this would function. Absolutely crazy.

 

That said, they are working on a solution that works similar to the ASA/FirePower, but I cannot say when/if this will happen. I know sales will tell you that this certainly works and field engineers will support them, but there is enough documentation that we gave to TAC showing that it will not function the same. I do like FTD for the most part (we are running a 2110 locally), but I elected to reimage my ASAs with ASA/FirePower for my remote locations. If you need the links I could do some looking to show you others that too discovered what we did.

 

Best of luck and just reimage for now IMO.

Hi,
You will need to create a static NAT on the firewall in front of the FMC, to NAT tcp/8305 to the private IP address of the FMC.

On the FTD when configuring the manager, use a natid, e.g. "configure manager add <public nat ip of fmc> <registration key> <natid>".

When registering the device on the FMC, the IP address you'd enter is the private (real) IP address of the FTD; in the "Unique NAT ID:" box enter the natid configured on the FTD.

HTH

Thanks for the replies

 

Please see attached a quick diagram of my lab topology:

 

Topo.JPG

 

FTD1 is joined to the FMC successfully. I have configured a NAT rule and firewall rule on FTD1 to allow incoming connections to the FMC on FTD1's WAN IP (1.1.1.1) on ports 8305 and 443 (for testing). I can access the FMC's web interface at https://1.1.1.1 via the PC behind FTD2, so I know this is working properly.

 

I then tried to join FTD2 to the FMC. I configured it with local management, set the interface IPs and enabled the default inside-to-outside NAT rule.

 

I executed the following command from the CLI of FTD2:

 

configure manager add 1.1.1.1 Key123 NATFW2

 

Then see the attached screenshot of my configuration to add FTD2 to the FMC:

FMC Join Behind NAT.JPG

Unfortunately the join fails with the following error: "Could not establish a connection to the device".

 

Is this setup supported? If we can't have the remote FTD device behind NAT, I'm not sure we can implement Firepower, which would be a massive problem because ASA is extremely challenging to manage with many sites (in my opinion).

You won't be able to route to 1.1.1.1 if the mgmt interface is on the 10.2.0.0 network and plugged into the inside network. Put the Mgmt and Outside interfaces in the 1.1.1.x network; they can then reach the address 1.1.1.1.

Ah ok, I can do that in a lab, but in production I'd need to put a router in front of the FTD? That's disappointing, as I was hoping to implement with as little hardware as possible for simplicity and cost savings.

Is it an internet circuit you will be using or a P2P link?

Assuming it's an internet circuit, the cleanest way of configuring it would be a router, with a small switch to connect the inside router interface, FW outside and FW mgmt; this is what I've used in the past. There are other clunky and probably unsupported ways of pre-configuring the FTD.

If it's a P2P link (as per your diagram) you'd just need a switch, as both ends would be on the same network.

Thanks for your help. I guess there are 3 options as I see it, with an internet circuit (as it would be in production; the lab was using P2P for simplicity's sake):

1 - Install a router in front of the FTD and use this to NAT the traffic (e.g. Cisco 892 or 861)
2 - Assuming there are multiple public IPs available, connect a switch and give the management interface a public IP - security risk?
3 - Some kind of preconfiguration workaround (either temporarily assigning a public IP to the management interface on site, or adding to the FTD when in the central site with the FMC and applying a basic configuration with the management interface NAT-ed behind the outside interface)

I'll test some more and think about what to do :)

Hi,

 

I followed the steps below and have successfully registered the FTD with the FMC behind NAT using the NAT ID over the internet:

 

"You will need to create a static NAT on the firewall in front of the FMC, to NAT tcp/8305 to the private IP address of the FMC.

On the FTD when configuring the manager, use a natid, e.g. "configure manager add <public nat ip of fmc> <registration key> <natid>".

When registering the device on the FMC, the IP address you'd enter is the private (real) IP address of the FTD; in the "Unique NAT ID:" box enter the natid configured on the FTD."

 

Some additional points to be considered for the FTD mgmt network configuration, as below:

 

"You won't be able to route to 1.1.1.1 if the mgmt interface is on the 10.2.0.0 network and plugged into the inside network. Put the Mgmt and Outside interfaces in the 1.1.1.x network; they can then reach the address 1.1.1.1."

 

Thanks & Regards.
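The two replies quoted above (the FMC-side static NAT for tcp/8305 plus the matching natid on both ends, and the management-interface routing point) lend themselves to a pre-registration checklist. The script below is an added example written for this thread, not Cisco code and not something any poster ran: it models those steps as plain Python checks a practitioner can run from a laptop at the remote site before typing `configure manager add` on the FTD CLI. The IPs 1.1.1.1, 10.2.0.0/24, Key123 and NATFW2 are the lab values from this thread; 203.0.113.x addresses and the gateway/inside-interface parameters are constructed placeholders. The rule that the management interface cannot reach the FMC through the FTD's own inside interface is my reading of the routing reply, encoded as an assumption.

```python
"""Pre-registration checks for joining an FTD to an FMC with NAT on both sides.

Added example, not Cisco's code. Values 1.1.1.1, 10.2.0.0/24, Key123, NATFW2
come from the thread; 203.0.113.x and the gateway parameters are constructed.
"""
import ipaddress
import shlex
import socket

# FTD<->FMC management channel port; the firewall in front of the FMC must
# static-NAT this port to the FMC's private IP (from the thread).
SFTUNNEL_PORT = 8305


def mgmt_path_problems(mgmt_cidr: str, mgmt_gateway: str,
                       fmc_public_ip: str, ftd_inside_ip: str) -> list[str]:
    """Return design problems that would stop the FTD management interface
    reaching the FMC's public (NAT) address. Empty list means the design matches
    the thread's working setups."""
    iface = ipaddress.ip_interface(mgmt_cidr)
    gw = ipaddress.ip_address(mgmt_gateway)
    fmc = ipaddress.ip_address(fmc_public_ip)
    inside = ipaddress.ip_address(ftd_inside_ip)
    problems: list[str] = []
    if fmc in iface.network:
        # Mgmt sits in the same subnet as the FMC's NAT address (the "put Mgmt
        # and Outside in 1.1.1.x" advice): directly reachable, nothing to route.
        return problems
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not on the management subnet "
                        f"{iface.network}, so there is no next hop to {fmc}")
    if gw == inside:
        # Assumption drawn from the thread: a management interface plugged into
        # the FTD's own inside network has no usable route out to the FMC.
        problems.append(f"gateway {gw} is the FTD's own inside interface; "
                        f"management traffic cannot reach {fmc} that way")
    return problems


def manager_add_command(fmc_public_ip: str, reg_key: str, nat_id: str) -> str:
    """Build the FTD CLI line from the thread:
    configure manager add <fmc nat ip> <registration key> <natid>."""
    return f"configure manager add {fmc_public_ip} {reg_key} {nat_id}"


def parse_manager_add(cmd: str) -> dict:
    """Split a 'configure manager add' line into its three arguments."""
    parts = shlex.split(cmd)
    if parts[:3] != ["configure", "manager", "add"] or len(parts) != 6:
        raise ValueError("expected: configure manager add <host> <regkey> <natid>")
    return {"host": parts[3], "reg_key": parts[4], "nat_id": parts[5]}


def fmc_side_mismatches(ftd_cmd: str, fmc_host_field: str, fmc_reg_key: str,
                        fmc_nat_id: str, ftd_private_ip: str) -> list[str]:
    """Cross-check what was typed on the FTD against the FMC 'Add Device' form.
    Per the thread, the FMC host field holds the FTD's private (real) IP and
    the Unique NAT ID must equal the natid given on the FTD (compared exactly)."""
    parsed = parse_manager_add(ftd_cmd)
    out: list[str] = []
    if fmc_host_field != ftd_private_ip:
        out.append(f"FMC host field should be the FTD's private IP "
                   f"{ftd_private_ip}, not {fmc_host_field}")
    if fmc_reg_key != parsed["reg_key"]:
        out.append("registration key differs between FTD command and FMC form")
    if fmc_nat_id != parsed["nat_id"]:
        out.append(f"Unique NAT ID on FMC ({fmc_nat_id}) must equal the natid "
                   f"on the FTD ({parsed['nat_id']})")
    return out


def fmc_port_reachable(fmc_public_ip: str, port: int = SFTUNNEL_PORT,
                       timeout: float = 3.0) -> bool:
    """TCP-connect to the FMC's NATted sftunnel port from the remote site to
    confirm the FMC-side static NAT and firewall rule admit the connection."""
    try:
        with socket.create_connection((fmc_public_ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # The failing lab case from the thread: FTD2 mgmt on 10.2.0.0/24 behind
    # FTD2's own inside interface (constructed addresses within that subnet).
    for p in mgmt_path_problems("10.2.0.10/24", "10.2.0.1", "1.1.1.1", "10.2.0.1"):
        print("PROBLEM:", p)
    # The fix the replies describe: mgmt in the 1.1.1.x network.
    print("1.1.1.x design problems:",
          mgmt_path_problems("1.1.1.2/24", "1.1.1.254", "1.1.1.1", "10.2.0.1"))
    cmd = manager_add_command("1.1.1.1", "Key123", "NATFW2")
    print("FTD CLI:", cmd)
    print("FMC form mismatches:",
          fmc_side_mismatches(cmd, "10.2.0.10", "Key123", "NATFW2", "10.2.0.10"))
```

Run it as `python3 ftd_nat_precheck.py` (name assumed) and call `fmc_port_reachable("1.1.1.1")` from the remote site once the FMC-side NAT is in place; the routing check is deliberately a static design check, so it works offline and before the FTD has any manager configured.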

 

Hi, 

Thanks for sharing your doubt, but there's something I didn't get.

I'm planning to install an FTD with the same topology configuration. Nonetheless, in your example, you said you configured the management and the outside with the same network address (e.g. 1.1.1.x/24). But wouldn't it cause an IP overlap, due to the fact that we have the same IP network set on different interfaces?

The questions are:

1) Which IP have you configured on your outside network and on your management network? In fact, is it necessary to configure an IP on the management network? Can't you control the FTD via FMC with the outside net?
