cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1037
Views
1
Helpful
12
Replies

Could not able to add firepower 1010 series after site to site vpn

Sefa On
Level 1
Level 1

Dears

 

I need to very urgent your help. 

I have 5 firepower 1010 series firewall and 1 FMC on vmware. I added a firepower 1010 in the head office to the fmc and made a site to site vpn to the firepowers in other offices over this firepower. I connected the switch to the management port by giving it an IP address in the local (as like 192.168.1.1 firepower adress 192.168.1.2 is management port ip address). All of the site to site vpns are active and they can able to acces ve each others but I cannot add the firepowers in the offices to the fmc, when I try to add it, I get a timeout error and the progress is cancelled.

 

what do you think is the reason?

12 Replies 12

s2s vpn' allow inside not mgmt interface pass through vpn.

You need to config inside with managment-access to make fpr connect to fmc through vpn

Thanks a lot for your quick response how can i config to management access from inside 

interface inside there is option management-access select it.

losing the connection when i select under vlan1 interface management only option

Dears

Do you have any thoughts on alternative Solution to fix it ?

regards

sefa 

 

 

 

FMC-FPR1-VPN-FPR2

you want to add FPR2 tp FMC ?

Yes I want to add FPR2 to FMC and manage over Fmc 

Fpr2-vpn-fpr1-fmc 

Fpr2 use 

Mgmt interface - inside interface use as gw -outside use as vpn end 

Now what you need management-access not management-only config for inside interface' if fmc not have this option then you need flexconfig 

Add mgmt subnet to acl policy of vpn.

 

Other option is use outside (same as outside interface you use for vpn) as mgmt interface to connect to FMC'

Outside to be use as mgmt interface you need also again management-access which as I mention above if not available in fmc use flexconfig.

still not joy not able to register. can you please let me know how can i add management-access to fmc with flexconfig ? 

tvotna
Spotlight
Spotlight

Did you use FDM to pre-configure VPN on remote office firepowers or how you configured them? Or do you terminate VPN on some other remote office device and not on FTD? Obviously, if I understand correctly, there is a chicken and egg problem here. You need to at least configure routing on FTD to route traffic from FTD management interface to FTD inside and then to outside via VPN and you need working VPN on it before registering with FMC...

In general, there is special procedure for remote office deployments, which is documented here: https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fp1100/firepower-1100-gsg/ftd-fmc-remote.html, but int this case FTD outside interface is used to connect to FMC and not VPN.

 

hi mate thanks for answer. just configred the vpn site and hub is spoke with each other and I can ping two way from fmc to ftd management port but I got the error when i try to add to fmc via vpn. 

Review Cisco Networking for a $25 gift card