Change FTD management interface to Outside Data interface

keithcclark71
Level 3
Level 3

The changing of the management interface to the outside data interface confuses me, since I am staging/registering the FTD locally on the same subnet as the FMC. Once I change management to the data outside interface, I really would not be able to test it until I actually deployed to the production site, as the FMC would be trying to reach the outside interface of the FTD through its configured gateway, which in my case would be a production ASA that sits in front of the FMC. Testing before production deployment would not be possible, as my only option is to plug the FTD outside interface into the switch that the FMC is also plugged into (there is no public IP on the FMC itself).

I am going to attempt to fully configure the FTD over the management interface, then change to the data interface and deploy to the site. It also appears that in 7.2 you can set management through the FMC GUI within the Ethernet1/1 interface settings (is this the same thing as doing the configure network management-interface-data command in the CLI?). If so, is it better to do the change from the CLI or the FMC GUI, or does it even matter? My platform settings are enabled to allow any IPv4 to Outside for SSH only, temporarily, until I get this working; then I will restrict the initiator. Anything else anyone can think of before I do all this? I am at the point where my config is fully pushed to the FTD and I am ready to change to the data interface. I am just concerned that once I put it in production I won't be able to manage it and will then have to bring it back and try to figure it out again. To be clear, I'm not registering the FTD, as that is already done over the management interface, but I will be changing to the data interface for management and deploying to production in the hope that the FMC will then see it somehow.

5 Replies

Alan Inman
Level 1
Level 1

Keith, I was in the same boat a couple of months back. Fortunately, my remote office was only about 25 minutes each direction, because I ended up trying to deploy the FTD FOUR TIMES, meaning 3 round trips before I got it on the fourth.

  1. Whether you use the CLI or GUI won't matter. I did CLI, but GUI is more straightforward.
  2. Agree about platform settings allowing any IPv4 and then restricting afterward. One less thing you'll have to troubleshoot.
  3. Ensure you have your routing and NAT solidly figured out. Diagram if need be. If you run into issues, it will most likely be here.
  4. 2100 series remote deployment guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp2100/firepower-2100-gsg/ftd-fmc-remote.html
  5. 1000 series remote deployment guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1010/firepower-1010-gsg/ftd-fmc-remote.html
  6. Another post regarding remote deployment/registration to FMC: https://community.cisco.com/t5/network-security/add-ftd-to-fmc-remotely/td-p/4471043

Thanks Alan. I think I have my NAT worked out properly. The reason I am trying to move to the data interface for management is that I have a mesh VPN topology for all sites (4 FTD 1010s). Interesting traffic should flow through the VPN, and then when I need to push policy changes from the FMC it should just go outbound from the FMC over TCP/8305 to the public IP of the FTD, which I would assume opens TCP/8305 automatically when configuring the data interface for management. I don't think I would need to do any static routes here, as it should just go through the routing tables on the public router path. I can get this working using an IP of the remote VPN subnet assigned to the management interface, but the problem is that if that VPN goes down, or I need to make changes to it and it doesn't come back online, then I'm SOL. I'm thinking that once I change to the data management interface I should see TCP/8305 in a listening state bound to the outside interface prior to physically deploying, so I can be confident it is open???

Alan, did you need to do anything with the management interface once you moved management to the outside data interface???

The management interface and the Outside interface (Ethernet 1/1) both got the Outside IP address of the branch office.

Did you have to make any changes to the firewall in front of the FMC? Did you configure the data interface as the last step, making sure your NAT and ACL and platform policies were applied prior to changing to the data interface for management, and then deploy to the remote site? I ask this because once you deploy the changes that move management to the data interface, you would lose connection with the FTD, as the data interface would have a public IP and the FMC wouldn't be able to manage it if you are staging the deployment prior to taking it to the remote site.