Re: Could not able to add firepower 1010 series after site to site vpn

Sefa On · ‎07-25-2023

Dears

I need to very urgent your help.

I have 5 firepower 1010 series firewall and 1 FMC on vmware. I added a firepower 1010 in the head office to the fmc and made a site to site vpn to the firepowers in other offices over this firepower. I connected the switch to the management port by giving it an IP address in the local (as like 192.168.1.1 firepower adress 192.168.1.2 is management port ip address). All of the site to site vpns are active and they can able to acces ve each others but I cannot add the firepowers in the offices to the fmc, when I try to add it, I get a timeout error and the progress is cancelled.

what do you think is the reason?

MHM Cisco World · ‎07-25-2023

s2s vpn' allow inside not mgmt interface pass through vpn.

You need to config inside with managment-access to make fpr connect to fmc through vpn

Sefa On · ‎07-25-2023

Thanks a lot for your quick response how can i config to management access from inside

MHM Cisco World · ‎07-25-2023

interface inside there is option management-access select it.

Sefa On · ‎07-26-2023

losing the connection when i select under vlan1 interface management only option

Sefa On · ‎07-26-2023

Dears

Do you have any thoughts on alternative Solution to fix it ?

regards

sefa

MHM Cisco World · ‎07-26-2023

FMC-FPR1-VPN-FPR2

you want to add FPR2 tp FMC ?

Sefa On · ‎07-26-2023

Yes I want to add FPR2 to FMC and manage over Fmc

MHM Cisco World · ‎07-27-2023

Fpr2-vpn-fpr1-fmc

Fpr2 use

Mgmt interface - inside interface use as gw -outside use as vpn end

Now what you need management-access not management-only config for inside interface' if fmc not have this option then you need flexconfig

Add mgmt subnet to acl policy of vpn.

MHM Cisco World · ‎07-27-2023

Other option is use outside (same as outside interface you use for vpn) as mgmt interface to connect to FMC'

Outside to be use as mgmt interface you need also again management-access which as I mention above if not available in fmc use flexconfig.

Sefa On · ‎07-27-2023

still not joy not able to register. can you please let me know how can i add management-access to fmc with flexconfig ?

tvotna · ‎07-27-2023

Did you use FDM to pre-configure VPN on remote office firepowers or how you configured them? Or do you terminate VPN on some other remote office device and not on FTD? Obviously, if I understand correctly, there is a chicken and egg problem here. You need to at least configure routing on FTD to route traffic from FTD management interface to FTD inside and then to outside via VPN and you need working VPN on it before registering with FMC...

In general, there is special procedure for remote office deployments, which is documented here: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1100/firepower-1100-gsg/ftd-fmc-remote.html, but int this case FTD outside interface is used to connect to FMC and not VPN.

Sefa On · ‎07-27-2023

hi mate thanks for answer. just configred the vpn site and hub is spoke with each other and I can ping two way from fmc to ftd management port but I got the error when i try to add to fmc via vpn.