Adding FTD to FMC locally, before deploying remotely

robo764
Level 1

I'm preparing to deploy a Firepower 1120 to a remote location and I'm hoping to have it as close to "plug and go" as possible.  I've read (and am still reading) available documentation for adding a new FTD to our FMC, and I'm aware of at least these two (significant to my circumstances) capabilities:

  1. I can, after deployment and management by FMC, move the "management access" to a data interface without having to rejoin and reconfigure the FTD.
  2. I can, after deployment and management by FMC, change the management IP address of the FTD without having to rejoin and reconfigure the FTD.

What I'm hoping is possible, but haven't yet confirmed through my reading, is to have the new FTD on the local/internal network and add it to the FMC.  Once it's joined and configured, move the FTD to its remote/external location and, once there, move the management access to the outside/data interface, and change the management IP address in FMC to reflect the new (external) home of the FTD. It seems like the two steps, themselves, aren't any concern; I'm just not sure if there's any issue in combining them in this situation. The only reason I even question it is due to the fact that the "Threat Defense Deployment with a Remote Management Center" portion of the Getting Started Guide only talks about performing the initial configuration before deploying, and then adding the FTD to FMC from the remote location.

Does anyone know if it's possible to add the FTD to the FMC, locally, complete its configuration, and then deploy it externally?

5 Replies

It is possible and can be a little tricky.  You would need to set up a staging network on your local LAN for this.  If you know the public IP subnet of the remote site, then you could get it 100% set up before shipping.

I would do the following:

  1. configure an L3 switch with both the public IP / subnet of remote site and the FMC Private IP / subnet
  2. Connect to the console of the FTD and perform the initial setup
  3. Configure FTD Data interface for management by FMC
  4. Onboard the FTD to the FMC using the FTD public IP
  5. Configure FTD required configuration via FMC
  6. Delete staging configuration from switches
  7. Ship to remote location

A few gotchas:

  • Configure platform settings policy SSH to allow SSH connection to the outside interface from your main office public IP.  Can be useful when VPN is down and you need to troubleshoot and don't want to go onsite.
  • For the FTD to reach main site subnets to, for example, send SNMP, syslog, or reach other monitoring or management devices, you need to add static routes via the CLI:  `configure network static-route ipv4 add management0 <remote IP / subnet> <subnetmask> <gateway IP>`
  • Be sure you have someone that can connect a console cable to the FTD with a PC with remote access to it via, for example, a mobile device hotspot in case something is not working as expected.
--
Please remember to select a correct answer and rate helpful posts
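The FTD-side CLI for steps 2 through 4 and the static-route gotcha, as an added illustration that is not part of the original reply: all addresses and the registration key/NAT ID are constructed placeholders, and the management-data-interface command assumes an FTD release (6.7 or later) that supports management access on a data interface.

```text
! Step 2: initial setup over the console (setup wizard prompts omitted).
! The management interface IP is only temporary; it just has to reach the staging switch.
> configure network ipv4 manual 10.99.0.10 255.255.255.0 10.99.0.1

! Step 3: make the outside (data) interface the FMC management access path.
! The command is interactive; answer with the remote site's public IP, mask and gateway,
! which the staging L3 switch must also carry during staging (constructed values).
> configure network management-data-interface

! Step 4: register with the FMC using the FMC's NAT'd public IP (placeholder 203.0.113.5),
! the registration key, and an optional NAT ID (matching the values entered on the FMC).
> configure manager add 203.0.113.5 STAGING-REGKEY STAGING-NATID
> show managers

! Gotcha: static route so management-plane traffic (syslog, SNMP) reaches the
! main-site subnets (placeholder 10.10.0.0/16) via the staging gateway.
> configure network static-route ipv4 add management0 10.10.0.0 255.255.0.0 198.51.100.1
```

Once `show managers` reports the FMC as registered, complete the policy deployment from the FMC before removing the staging subnets from the switch.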

I think you need to register the FTD in FMC using a NAT ID.

In this case, even if the IP changes, the FMC still connects to the FTD using the NAT ID/password.

MHM

NAT ID is used when one of the sides does not define an IP...i.e. a dynamic IP.  If you are using static IPs you should not need to use the NAT ID.

NAT ID: An alphanumeric string used during the registration process between the FMC and the device when one side does not specify an IP address. Specify the same NAT ID on the FMC.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html


He will use the data interface to connect the FMC to the FTD and use a specific IP locally; then, when he moves the FTD, the IP will change, so the IP changes and he can use a NAT ID.

Thanks

MHM

@MHM Cisco World you do not need to change the IP.  When staging you create the same public IP subnets in your staging environment, of course deleting them when finished.  Then when you move the FTD to its intended location all will be the same.  You just need to be sure that a static NAT is in place translating the FMC IP to a public IP on port tcp/8305 and that access rules are in place for the remote FTD public IP to access the FMC internal IP.

Even if you change the IP on one of the sides, let's say on the FTD side, then the FTD will still have a valid IP and registration key to the FMC and it will therefore try to connect with the FMC.  The FMC will see that there is a valid registration key and accept the connection.  Yes, it would be best to update IPs at both ends to ease management, but not necessary as long as one side has correct IP.

As I said in my original post, it is possible to do this, but can be tricky.
