06-21-2019 09:43 AM - edited 02-21-2020 09:14 AM
I have an ASA-5508-X that is running v 6.2.3 image. It is a production device located in one of my remote offices. I would like to manage it back at Headquarters with the FMC that I have running there. At HQ I have 2x 2130 FTD managed by the FMC. The remote site is configured with a site-to-site vpn for connectivity. What is the process for moving the management of the 5508 to the FMC at HQ?
06-21-2019 06:48 PM - edited 06-21-2019 07:00 PM
Unfortunately there's not an easy process to do what you want. Nor is there even a Cisco-documented one.
Any way you approach it will require an outage.
Moving management from local (FDM) to remote (FMC) will require a redeployment of all policies to the device - including the interface addressing, VPN setup etc. One important aspect of how you do this is whether you have an available public IP address to use for the management interface so that it can connect back to your FMC via that address. The management connection is encrypted but many enterprises are still not comfortable with that being transported outside of a VPN.
If you don't have that as an option (and you don't have a quasi-private circuit like MPLS) then you basically need to bring the device back to your main site and stage it with the FMC. Then re-deploy it remotely and change the management address when it is at the remote site. See slides 85-97 here:
https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-2112.pdf.
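As an added illustration that is not part of this thread or of the slide deck linked above, the FTD command-line steps that the "stage at HQ, then re-address at the remote site" approach implies. The FMC address, registration key, NAT ID and management addressing are constructed placeholders, and the command set assumes the FTD CLI on the 6.2.x release the question mentions:

```text
# Added example, not from the thread or from Cisco documentation. All addresses
# and keys below are constructed placeholders; the syntax assumes the FTD 6.2.x CLI.

# 1) While the device is on the HQ LAN, point it at the FMC. The registration key
#    is any shared string you also enter in FMC when adding the device; the NAT ID
#    is optional and only needed when the device sits behind NAT toward the FMC.
> configure manager add 10.0.0.20 <REGISTRATION-KEY> <NAT-ID>
> show managers            # expect the FMC host listed with registration completed

# 2) From FMC, build and deploy the complete policy set (interfaces, routing,
#    site-to-site VPN, access control) before the device leaves HQ.

# 3) At the remote site, re-address the management interface to the address the
#    FMC will reach it on (public, or routed across the WAN/VPN path). The FMC
#    device record must be edited to the same host afterwards.
> configure network ipv4 manual 203.0.113.10 255.255.255.248 203.0.113.9
> configure network dns servers 203.0.113.53     # placeholder resolver; optional

# 4) Confirm the management channel recovers. FTD-to-FMC management is the
#    sftunnel connection on TCP/8305; any firewall in the path must allow it.
> show managers
> sftunnel-status
```

The outage the answer describes falls between steps 2 and 3: the device carries a full policy deployed at HQ, but it is unmanaged from the moment its management address changes until FMC's device entry is updated and the sftunnel connection re-establishes, so plan that window and verify it with `show managers` before relying on remote policy pushes.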
06-25-2019 09:08 AM
I feared that this would be the case. Oh well, it was just something that I wanted to do, but I came into the project late in the game. Now the device is deployed at a remote site and I will just have to use the web interface to manage it.
Thanks for the response.