Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5174
Views
1
Helpful
5
Replies

Add FTD to FMC remotely

Go to solution
sanchezeldorado
Level 1
Level 1

‎09-21-2021 04:26 PM

Hello. I know I must be missing some small detail, but I've been unable to connect a firepower 1010 device on 6.6.1 to my FMC remotely. I've read so many different instructions from so many different versions/people, but the vast majority are suggesting that my firewall is behind a separate NAT device. My FMC is at my headquarters with an FTD at the edge. The FTD that I'm configuring has a static public IP address. My understanding is that the new version of FTD is supposed to automatically NAT through the outside interface with a nat-id to my HQ firewall. My HQ firewall has a NAT rule in place to forward the traffic to my FMC. When I tried configuring the remote FTD with a basic local config, I then added the FMC as a manager and it wiped out the interfaces. I'm sure that I'm not supposed to connect my management port directly to the internet, so does anyone have a good set of instructions on how this is supposed to be configured?

 

Thanks!

Andy

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
rhuysmans
Level 1
Level 1

‎09-21-2021 11:31 PM

Hi Andy,

there's probably a number of ways to get this configured but I would consider changing the management interface to the outside interface, eg ethernet1/1, using the CLI command :-

configure network management-data-interface client ip_address netmask

This will limit the connection to your FMC.

I'm not sure if your remote FTD has already registered with your FMC or if that's the part that's not working?

 

This document may be useful :-

https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-mgmt-nw.html#ID-2242-000000c9

 

 

 

 

 

 

 

View solution in original post

Go to solution
sanchezeldorado
Level 1
Level 1
In response to sanchezeldorado

‎09-22-2021 10:37 AM

Nevermind. Thank you for the input. The link was what I needed, but that command isn't available until version 6.7 and I'm on 6.6. I'll upgrade.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
rhuysmans
Level 1
Level 1

‎09-21-2021 06:13 PM

Hi sanchezeldorado

it's be helpful to see a diagram to position the FMC and FTD devices in relation to each other. Is the FTD the main firewall for the remote site?

 

0 Helpful

Go to solution
sanchezeldorado
Level 1
Level 1
In response to rhuysmans

‎09-21-2021 09:23 PM

FTD.JPG

0 Helpful

Go to solution
rhuysmans
Level 1
Level 1

‎09-21-2021 11:31 PM

Hi Andy,

there's probably a number of ways to get this configured but I would consider changing the management interface to the outside interface, eg ethernet1/1, using the CLI command :-

configure network management-data-interface client ip_address netmask

This will limit the connection to your FMC.

I'm not sure if your remote FTD has already registered with your FMC or if that's the part that's not working?

 

This document may be useful :-

https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-mgmt-nw.html#ID-2242-000000c9

 

 

 

 

 

 

 

Go to solution
sanchezeldorado
Level 1
Level 1
In response to rhuysmans

‎09-22-2021 10:01 AM

Thank you for the document, it clarifies some things, and the command you mention sounds like what I need, but it isn't available. I have a firepower 1010 that I'm trying to setup from scratch, but for now, I'm using FTD and FMC in a CML lab environment to test. I have 4 other FTD firewalls configured successfully, but they are all reachable using the dedicated management port. That said, here's what I've done.

 

1. I boot up my vFTD and configure my management IP address with a private IP. The document you sent suggests that I set "data-interfaces" as the gateway, but it doesn't accept anything but an IP address. AFTER the IP address, it lets me specify the interface and it will take "data-interfaces" as a destination. 

 

configure network ipv4 manual <private ip> 255.255.255.0 <private ip gateway> data-interfaces
Setting IPv4 network configuration.
Network settings changed.

 

2. I ran configure manager add <HQ firewall external IP> <regkey> <natid>

 

configure manager add <HQ external IP> <reg key> <nat-id>
Manager successfully configured.
Please make note of reg_key as this will be required while adding Device in FMC.

 

3. "configure network managment-data-interface" is not an option. 

 

> configure network
 dns                                  Configure DNS servers
 hostname                         Set the hostname
 http-proxy                        Configure HTTP Proxy settings
 http-proxy-disable            Disable HTTP Proxy settings
 ipv4 Configure                  IPv4 networking
 ipv6 Configure                  IPv6 networking
 management-interface     Change to Management Port Configuration Mode
 management-port            Change TCP port for management
 mtu                                  Configure Management and Eventing Interface MTU
 static-routes                    Change to Static Route Configuration Mode

0 Helpful

Go to solution
sanchezeldorado
Level 1
Level 1
In response to sanchezeldorado

‎09-22-2021 10:37 AM

Nevermind. Thank you for the input. The link was what I needed, but that command isn't available until version 6.7 and I'm on 6.6. I'll upgrade.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card