Converting ASA sites to FTD

Lee Dress (Level 1)

I currently have 4 ASA 55xx w/ Firepower devices in my network topology.

The devices are registered in FMC post VPN connection.

My FMC is on my internal network on site 1 (192.168.1.3).

Each one of my ASAs does a site-to-site tunnel to the main office via ASDM (not FMC); the remote devices then use a local site LAN address to attach to FMC for policies, etc.

I'm moving to FTD 2130 in all locations, but my question is this:

It appears the preferred way to do all of the new configurations is via FMC.

How do I register the 2130s to the FMC before they have established a VPN connection to the FMC site?

5 Replies

Hi, you have to configure your FTDs over an established connection (either VPN or internet). So put your FMC with a public IP and allow inbound access on port tcp/8305 for registration to work. Then you can configure the policies.

**** please remember to rate useful posts

Lee Dress (Level 1)

My FMC is virtual. I don't have the ability to put it on a public network. If I NAT tcp/8305 to it, maybe that will work?

Yes, that can do the job. I had something similar and it worked. Just make sure to select the NAT checkbox when you register the FTD to FMC.

You would either need to stage the FTDs before they are sent to the remote location, or you need to configure the FTD to be manageable via a public IP. So you would need to either configure the FTD management interface with an extra public IP, or, if you are running 6.7 or higher, configure the external/outside data interface to also be a management interface. Then, as Mohammed has mentioned, NAT the FMC IP to a public IP on port tcp/8305 and make sure there are access rules that allow the remote FTD to access the FMC on port tcp/8305.

--
Please remember to select a correct answer and rate helpful posts
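A sketch of the NAT and access rule this answer describes, written for an ASA at the main site as an added example (not configuration from the thread or from Cisco); the interface names, the remote FTD public address 198.51.100.20 and the site-1 outside address 203.0.113.10 are placeholders.

```cisco
! Added example, not from this thread: static PAT on the site-1 ASA so a
! remote FTD can reach the virtual FMC (192.168.1.3) on tcp/8305 (sftunnel).
! Assumptions: ASA 8.3+ object NAT syntax, interfaces named inside/outside,
! placeholder 198.51.100.20 = remote FTD public management IP,
! placeholder 203.0.113.10 = ASA outside interface address.
object network FMC_MGMT
 host 192.168.1.3
 description Virtual FMC on the site-1 internal segment
 nat (inside,outside) static interface service tcp 8305 8305
!
! One entry per remote site; 8305 stays closed to every other source.
object-group network REMOTE_FTD_PUBLIC
 network-object host 198.51.100.20
!
! Since 8.3 the ACL matches the real (pre-NAT) FMC address, not the public one.
! If the outside interface already has an inbound ACL, add this line to that
! ACL instead of binding a new one (access-group replaces the existing binding).
access-list OUTSIDE_IN extended permit tcp object-group REMOTE_FTD_PUBLIC object FMC_MGMT eq 8305
access-group OUTSIDE_IN in interface outside
!
! Checks to run before registering the remote FTD:
!   show nat detail | include 8305
!   packet-tracer input outside tcp 198.51.100.20 40000 203.0.113.10 8305
```

On the remote FTD the matching CLI command is `configure manager add 203.0.113.10 <registration-key> <nat-id>`, using the same registration key and NAT ID entered in FMC's Add Device dialog.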

Lee Dress (Level 1)

I will try the NAT thing. My main site FTD will not need it because it's on the same segment as the FMC.

I will NAT/Access Rule the Public IP to route port 8035 to the FMC.

I have one of the remote devices here, so I can try it through a separate public IP to test a POC before I move them to their remote locations.

Thanks for the tips, guys.
