ASA-5508-X with current FTD version move to management by FMC

tcmckay
Level 1

I have an ASA-5508-X that is running v 6.2.3 image. It is a production device located in one of my remote offices. I would like to manage it back at Headquarters with the FMC that I have running there. At HQ I have 2x 2130 FTD managed by the FMC. The remote site is configured with a site-to-site vpn for connectivity. What is the process for moving the management of the 5508 to the FMC at HQ?

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

Unfortunately there's not an easy process to do what you want. Nor is there even a Cisco-documented one.

Any way you approach it will require an outage.

Moving management from local (FDM) to remote (FMC) will require a redeployment of all policies to the device - including the interface addressing, VPN setup, etc. One important aspect of how you do this is whether you have an available public IP address to use for the management interface so that it can connect back to your FMC via that address. The management connection is encrypted but many enterprises are still not comfortable with that being transported outside of a VPN.

If you don't have that as an option (and you don't have a quasi-private circuit like MPLS) then you basically need to bring the device back to your main site and stage it with the FMC, then re-deploy it remotely and change the management address when it is at the remote site. See slides 85-97 here:

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2019/pdf/BRKSEC-2112.pdf.
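An added illustration (not part of this thread or of Cisco's documentation) of the staging and re-registration sequence the answer describes, typed at the FTD device CLI. The FMC address, registration key, NAT ID and remote-site addresses are constructed placeholders, and the exact prompts shown by a 6.2.3 image are an assumption.

```text
# Step 1 - device staged at HQ, currently managed locally by FDM.
> show managers

# Step 2 - drop the local (FDM) manager. This wipes the local policy,
# which is why the answer says every policy has to be redeployed from FMC.
> configure manager delete

# Step 3 - register to the HQ FMC (constructed address and key).
# The third argument is a NAT ID: the FMC must be given the same NAT ID
# when the device is added, so it can identify the device even after
# the management address changes at the remote site.
> configure manager add 10.10.10.5 StageKey2019 remote-5508x

# Step 4 - after the box is re-deployed at the remote office, give the
# management interface its remote-site address (constructed values) so it
# reaches the FMC through the site-to-site VPN instead of the public Internet.
> configure network ipv4 manual 192.168.50.10 255.255.255.0 192.168.50.1

# Step 5 - confirm the manager entry survived the address change.
> show managers
```

Because the management channel is what carries policy deployments, verify on the FMC that the device shows as registered before considering the remote site back in production.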

2 Replies

I feared that this would be the case. Oh well it was just something that I wanted to do but came into the project late in the game. Now the device is deployed at a remote site and I will just have to use the web interface to manage it.

Thanks for the response
