cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1361
Views
4
Helpful
10
Replies

2 Firewall ( FTD ) with Same IP possible to manage from same FMC ?

MSJ1
Level 1
Level 1

2 Firewall ( FTD ) with Same IP possible to manage from same FMC ?

I have a situation, where i am placing a second FTD in my DR with same IP and Config as similar to On Premise FTD. But would like to add the DR FTD in same FMC where On Premise FTD is. Since I am concerned if having same IP in 2 Different FTD , even I keep the 2nd FTD Shutdown , will it create issue ? FMC will accept it  ? 

If above way is not possible , can I create second duplicate Box ( ip and s2s VPN config same ) from a 2nd Domain using same FMC ?

 

 

 

 

 

 

10 Replies 10

Eric R. Jones
Level 4
Level 4

Sounds a bit confusing so I have some questions. Is the new FTD co-located with the existing FTD and providing services to the same inside network? If so I would just place them in HA, provide a separate physical IP address to the new one in the subnet and the virtual IP address (VIP) will pass back in forth. I am assuming DR, in this case, is Disater Recovery. Using the above method will allow you to manage both devices from the single FMC plus it makes upgrading and patching easier as it will start with the inactive device, switch automatcially to that one when it's done and then do the former primary one and you won't lose connectivity. Hopefully I understand your issue properly.

 

 

Milos_Jovanovic
VIP Alumni
VIP Alumni

Hi @MSJ1,

I assume you are talking about placing a second FW (or pair of FWs) in DR, which is usually different location. However, there are usually subnets allocated to second datacenter, which coexist with primary one, meaning they are available at all time. If that is the case, then you need to address management interface(s) of your other FW from this subnet, and data interfaces can be addressed with same IPs as the primary GW and kept in shutdown state. FTD must be able to talk to FMC, and so should your access to it on management port work, in order to trigger the action of unshutting ports, when needed.

Kind regards,

Milos

Two FTD same IP' I dont think it work.

I believe that @MSJ1 is talking about same IPs under data plane (inside, outside, etc.) and those should be possible. I just suggested to use uniquie IPs for management interface of FTD, so they are both alive at same time. Same management IPs - that is not possible, I agree.

Kind regards,

Milos

Hi @Milos_Jovanovic 

In my case as i said, planning for 2nd FTD with same IP ( inside, outside , dmz interfaces ) configured as similar to 1st FTD. 

1st FTD is at On Prem

2nd FTD is at DR

But want to manage both FTD from same FMC. I am still not sure if this is possible.

For example 1st FTD is a VPN Head End Device so if 2nd FTD configured with same IP ( i.e outside interface for VPN)  with a Different Name , how should I control which device to push the appropriate config  ?

I don't think managing two FTDs with the same management IP addresses from the same FMC is possible, but you don't have to do that anyway. Usually the DR firewall will have its own set of IP addresses including the management interface IP. Having the same IP addresses for the inside, DMZ or any internal facing interfaces is possible, however, I don't think you can have the same external public IP in both sites.

What we do usually for the VPN traffic in these scenarios is configuring two peer IP addresses for the site to site VPNs, so the secondary peer kicks in when the primary is not available, however, there is a caveat with this one is that there is no preemption supported to revert the tunnel back to the primary IP when it's back online.

For AnyConnect on the other side you can rely on some of the DNS load balancing providers. Those providers provide tools where you can say resolve AnyConnect FQDN to this IP as long as it's available, this IP will be the IP of the on-prem firewall external interface. When that IP is down the DNS provider will switch the DNS requests to the DR public IP. Usually there is a preemption mechanism with this which means once the on-prem firewall is back online the DNS resolution will resolve back to the on-prem IP.

Finally, if you should assign the same inside, DMZ, other interface facing segments with the same IP addressing in both sites, you would need to set some NAT rules to allow the traffic between the two sites as you will have subnets overlapping in this case.

@Aref Alsouqi @Milos_Jovanovic 

Thank You for your valuable info. These are all good design guideline for sure. However current client with the aci multisite made same subnet available on the other side meaning at DR.

So coming back to the point , if I install a 2nd FTD and try to restore with the config from 1st FTD , is there a way I can change the mgmt IP during the process of restore  ? 

 

Plan is to keep the 2nd Copy Box Data Interfaces Disconnected , Only keep the Mgmt Interface UP for 2nd Copy Device - FTD 

If the DR site has exactly the same internal subnets including the management subnet, then what you can do is just assigning a different IP for the management interface of the DR firewall and then leaving all the other configs the same. However, my question here would be if you replicate the same setup on both firewalls say inside, dmz, etc, how the DR firewall will be able to reach the FMC? I guess you would need to apply some NAT'ing between the two sites to do that right? and in that case both sides won't have the same NAT rules if that makes sense.

Do you mean to manage the two FTDs using the same management IP or that the data interfaces have the same IPs but management IP is different?

If Management IPs are different, you should be able to achieve this by implementing domains. 

--
Please remember to select a correct answer and rate helpful posts
Review Cisco Networking for a $25 gift card