Changing FTD management interface to Data interface

keithcclark71 (Level 3)

I have a couple of questions I hope you guys might be able to help me clear up. I've discussed this a bit prior, but now I have more thoughts and a bit of confusion. I would like to separate VPN from management of my FTDs, but I am also doing a meshed S2S topology, so my concerns and confusion are below. Appreciate any clarity here.

I have a scenario where FTDs are in a mesh S2S topology and are set up with FMC using the management interface, with an IP address within the remote subnet. If the VPN goes down between locations A (FMC) and B (FTD), would FMC still be able to manage the B (FTD) through the C (FTD) or D (FTD) sites via the mesh?

It was recommended to manage using the data interface, which I know what I need to do to change, but if my FTDs are in a mesh and I change the management to the outside public interface of the FTD, wouldn't the FMC still attempt to connect to the outside IP of the FTD over the established mesh VPN, as the outside interface is specified as the PEER, rather than actually coming in to the outside interface without using the VPN?

Accepted Solution

@keithcclark71 No, because the crypto ACLs defining interesting traffic for C and D only contain the networks for their respective local (internal) networks, not B's. Therefore you cannot route through C or D to reach B.

No, the FMC would not attempt to connect over the VPN, because the crypto ACL that defines the interesting traffic would only (usually) define the internal networks behind the FTD, not the FTD's external/outside interface IP address. So communication from the FMC's NATed IP address to the outside IP address of the FTD would not match the interesting traffic (crypto ACL), and there would be no attempt to encrypt it.

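As an added illustration of the accepted answer's reasoning (this is not code from the post or from Cisco), the block below models the crypto ACLs of a four-site full mesh and evaluates which flows a given FTD would steer into a tunnel. The site names, inside networks, peer addresses and the FMC's NAT address are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed full-mesh topology: site -> outside (peer) IP and internal network.
# The FMC sits inside site A and reaches the Internet via a NATed public address.
SITES = {
    "A": {"peer": "198.51.100.1", "inside": "10.1.0.0/24"},
    "B": {"peer": "198.51.100.2", "inside": "10.2.0.0/24"},
    "C": {"peer": "198.51.100.3", "inside": "10.3.0.0/24"},
    "D": {"peer": "198.51.100.4", "inside": "10.4.0.0/24"},
}
FMC_NAT_IP = "198.51.100.10"   # constructed, not a real address


def crypto_acl(local, remote):
    """Interesting traffic for the local->remote tunnel in a typical mesh:
    <local inside network> -> <remote inside network>. Outside/peer IPs are
    deliberately absent, which is the point the accepted answer makes."""
    return ip_network(SITES[local]["inside"]), ip_network(SITES[remote]["inside"])


def tunnel_for(site, src, dst, down=frozenset()):
    """Evaluate the crypto ACLs configured on FTD `site` for a src->dst flow.
    Returns the remote site whose tunnel would encrypt it, or None if the flow
    matches no interesting traffic (or only matches a tunnel listed in `down`)."""
    s, d = ip_address(src), ip_address(dst)
    for remote in SITES:
        if remote == site:
            continue
        local_net, remote_net = crypto_acl(site, remote)
        if s in local_net and d in remote_net:
            return None if (site, remote) in down else remote
    return None


if __name__ == "__main__":
    fmc, b_mgmt, b_outside = "10.1.0.5", "10.2.0.5", SITES["B"]["peer"]
    # Q1: FMC to B's management IP only matches A's ACL towards B ...
    print(tunnel_for("A", fmc, b_mgmt))                        # B
    # ... with A-B down nothing else on A carries it ...
    print(tunnel_for("A", fmc, b_mgmt, down={("A", "B")}))     # None
    # ... and C would not encrypt A's traffic to B: its ACL to B covers 10.3/24 only.
    print(tunnel_for("C", fmc, b_mgmt))                        # None
    # Q2: FMC (or its NATed IP) to B's outside IP matches no crypto ACL, so the
    # management connection is not pulled into the mesh VPN at all.
    print(tunnel_for("A", fmc, b_outside))                     # None
    print(tunnel_for("A", FMC_NAT_IP, b_outside))              # None
```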

5 Replies


Thanks again Rob, appreciate it. I'm going to try and do this Wednesday night, as I have a maintenance window Thursday morning I can work within in case trying to change mgmt to data and the FTD re-registration goes south. I'll try to update on how it went.

I plan on using SSH to the FTD mgmt interface, then the CLI command "configure network data interface", and then configure manager add DONTRESOLVE reg_key NAT ID.
I'm not sure if my SSH session will restore to the external interface, but I am going to try as I do have that maintenance window scheduled.

@keithcclark71 tbh I've not migrated from the mgmt to the data interface on a live system, but I'd plan for the worst-case scenario.

I recall that SSH is not permitted to the data interface by default (reference); ensure this is in place (platform settings policy) before you make the changes.

I can't apply a platform policy because the FTD isn't registered to the FMC right now. Its config is intact, but I can't push policies etc. to it. I can SSH into the FTD currently over the VPN. TAC instructed me to try changing management to the data interface, which I can do, but once I do this I am not sure how I'll be able to reconnect to the data interface using SSH to then register the FTD to the FMC with the configure manager add command, so that the FTD then gets its platform settings, ACP etc. It's a conundrum.

So after thinking about this, I am wondering now if the FTD has to be initially registered with the FMC over the management interface first before one can use the data interface for management? Like, if I had an FTD, say locally managed in a different state for example, how would one be able to register it with an FMC behind a NAT firewall in another state that sits in front of the FMC? Is that even possible?
