07-08-2025 11:53 AM - edited 07-08-2025 11:54 AM
I have a handful of FP 1010s that came with FTD installed. These will be used for a basic S2S VPN connection back to a FP3130. I'd like to manage these via FMC but I'm struggling with the documentation to understand a clear path to getting this accomplished.
The management traffic would need to traverse the public internet so would it be best to include the FMC IP within the VPN configuration? I read that it can also be accomplished by doing some NAT forwarding but this seems overly complicated. At the same time it seems like a chicken-and-egg scenario where I need to configure the firewalls to talk to the FMC first before deploying them in the field and then having them talk over a VPN tunnel.
The 1010s will be going into locations that have a static IP that will be used for the outside interface.
07-08-2025 12:00 PM
@neteng2323 I've not come across anyone doing that for a while, it's asking for trouble IMO. I would recommend using a data interface to establish the connectivity over the internet (outside of the VPN tunnel); the connectivity would be encrypted and there would be no reliance on the VPN tunnel.
07-08-2025 12:03 PM - edited 07-08-2025 12:04 PM
Thanks for the quick reply. I guess my question would be that my FMC does not have a public-facing IP. So I'll have to create a specific NAT rule for this, it sounds like? If it makes any difference these "remote" locations are actually on campus or close by. A few within walking distance and another one that isn't far down the road.
07-08-2025 12:08 PM
@neteng2323 yes, you'd need a static NAT/PAT for the FMC tcp/8305 and an Access Control rule, which restricts communication from known IP addresses to/from the FMC.
Attempting to route the management traffic over a VPN where the VPN is managed by the FMC that routes over the VPN tunnel is asking for trouble if there are any problems. Typically most firewalls would be managed over the internet over the data interface; communication would be transmitted securely, so no concerns there.
07-08-2025 12:12 PM
Ok so the communication between the FMC and firewalls is essentially encrypted then?
07-08-2025 12:17 PM
@neteng2323 Yes, when the registration is complete, the FTD and the FMC establish a secure (encrypted) tunnel called sftunnel, all communication between the FMC/FTD is subsequently transmitted securely over this connection.
07-08-2025 12:03 PM
You can use outside to connect to FMC.
This traffic passes over the VPN.
You need to use an ACL in the VPN that includes host outside <-> host server.
You need to enable management-access on the outside interface.
MHM
07-10-2025 11:26 AM
Thank you for these details. So if I'm understanding you I'll need the FP1010 outside interface IP included on the FMC side firewall, and the FMC IP included on the FP1010 side?
07-10-2025 11:39 AM
@neteng2323 yes, on the FTD in front of the FMC you'd permit traffic to/from the outside IP address of the remote FTD to the FMC (real IP). On the remote FTD you configure the NAT (public) IP address of the FMC and then register the remote FTD from the FTD to establish the communication.
You can use the command sudo tail -f /ngfw/var/logs/messages for troubleshooting the registration, if required.
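To sanity-check the policy described in the replies above (static NAT for the FMC on tcp/8305 plus an access rule limited to the known remote FTD outside IPs), here is a small model of how the FTD in front of the FMC would treat candidate flows. It is added here as an example and is not from the thread or from Cisco; all addresses are constructed from documentation ranges, and the one detail it highlights is that access control matches on real (post-NAT) addresses, so the rule must reference the FMC's real IP, not its NAT IP.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

SFTUNNEL_PORT = 8305  # FMC <-> FTD management channel (tcp/8305, as stated in the thread)

# Constructed example addressing (RFC 5737 documentation ranges); not taken from the thread.
FMC_REAL_IP = ip_address("10.20.30.40")      # FMC behind the FP3130
FMC_NAT_IP = ip_address("203.0.113.10")      # static NAT (public) address for the FMC
KNOWN_REMOTE_FTDS = {ip_address("198.51.100.5"), ip_address("198.51.100.6")}  # FP1010 outside IPs


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def untranslate(flow: Flow) -> Flow:
    """Static NAT on the FTD in front of the FMC: inbound packets sent to the
    public address are un-NATed to the FMC's real address before access control."""
    if flow.dst == FMC_NAT_IP:
        return Flow(flow.src, FMC_REAL_IP, flow.dport)
    return flow


def evaluate(flow: Flow, acl_fmc_ip: IPv4Address = FMC_REAL_IP) -> tuple[str, Flow]:
    """Access control on the FTD in front of the FMC. Rules match on real
    (post-NAT) addresses, so the FMC object in the rule must be its real IP;
    acl_fmc_ip is parameterised only to show what happens if the NAT IP is used."""
    real = untranslate(flow)
    if real.dport != SFTUNNEL_PORT:
        return "deny", real
    remote_to_fmc = real.src in KNOWN_REMOTE_FTDS and real.dst == acl_fmc_ip
    fmc_to_remote = real.src == acl_fmc_ip and real.dst in KNOWN_REMOTE_FTDS
    return ("permit" if remote_to_fmc or fmc_to_remote else "deny"), real


if __name__ == "__main__":
    for f in (
        Flow(ip_address("198.51.100.5"), FMC_NAT_IP, SFTUNNEL_PORT),   # known FP1010 registering
        Flow(ip_address("192.0.2.99"), FMC_NAT_IP, SFTUNNEL_PORT),     # unknown internet host
        Flow(ip_address("198.51.100.5"), FMC_NAT_IP, 443),             # known host, wrong port
        Flow(FMC_REAL_IP, ip_address("198.51.100.6"), SFTUNNEL_PORT),  # FMC-initiated direction
    ):
        verdict, real = evaluate(f)
        print(f"{f.src} -> {f.dst}:{f.dport}  =>  {verdict} (ACL sees {real.src} -> {real.dst})")
```

Running the same flows with `acl_fmc_ip=FMC_NAT_IP` denies the legitimate registration, which is the symptom you would see if the access rule were built against the public address instead of the real one.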