Deploy FTD (ASA 5506X) in a remote branch with FMC

lcb23
Level 1

Hi,

In my office we have implemented an FTD v. 6.2.3.13 (ASA 5506X), we want to manage it in a remote branch with FMC.

[Diagram]

I have read the cisco documentation:
https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmc_remote_branch/deploy-the-ftd-at-a-remote-branch-with-fmc.html


In that documentation they use the command "configure network management-data-interface", but in my FTD I don't have that option.


Looking in other documentations, I found that command is used as of version 6.7. But, the firewall I have is not compatible with this version:
https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/compatibility.html


Is there a way to do this configuration with the firewall I have?

4 Replies

Marvin Rhoads
Hall of Fame

No - the feature you mention was only added in 6.7. Since an ASA 5506 with FTD cannot run a version past 6.2.3.x, you must use the management interface for management by a remote site FMC.

You can put the management interface on the internet and restrict access to it to the FMC's public IP address (assuming you have a spare address to assign to it). The FMC-FTD communications are encrypted in transit with TLS (over tcp/8305).

The other option is to have a site-to-site VPN and route the management interface via the FTD inside interface over that VPN. That's tricky to do however and usually requires staging the FTD device at the main site prior to deployment.

lcb23
Level 1

Thank you very much @Marvin Rhoads.


What if I only have one public IP (from my ISP) for my FTD? How can I establish a connection with the FMC? Is there a manual?


As Marvin stated, the only option would be to stage the device beforehand and then ship the ASA to the desired location. IMO handling remote management like this is not a good idea; remote management without an out-of-band network connection for FTD to communicate with FMC is destined to cause issues in the long run (e.g. you push an incorrect configuration to your firewall, causing a connectivity issue between your firewall and FMC, and the only way to resolve it is to ship the firewall back to your central location and reconfigure it, since you lost connectivity between FMC and FTD, making it impossible to push changes to your firewall and creating a chicken-and-egg problem).

 

The problem I described above has been a very daunting limitation in the past, and unfortunately your hardware platform (ASA 5506-X) will never support a release >= 6.2.3, hence there is no "good" solution for your problem. The limitation has been lifted with Firepower 6.7, but to utilize that software version you would need a Firepower 1000/2100/4100/9300 appliance.

An option could be to NAT the management interface to a public IP, or to the outside interface if you don't have extra public IPs. So the traffic would go from the management interface to the inside interface (for example) and then be NATed to a public IP. Previously this was not considered a good practice, and probably still isn't, since it exposes the management interface to the internet, but it will solve the issue.

--
Please remember to select a correct answer and rate helpful posts
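Both Marvin's suggestion (management interface on the internet, restricted to the FMC's public IP) and the NAT variant above boil down to one access policy: only the FMC, only tcp/8305, nothing else reaches the management address. The following is an added example, not code from this thread or from Cisco: a small first-match policy checker that contrasts a wide-open rule set with the tightened one. All addresses are constructed placeholders from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
MGMT_PORT = 8305  # FMC <-> FTD sftunnel, TLS over TCP (as noted in the thread)

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any destination port

def first_match(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation with an implicit deny at the end (ASA/FTD style)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"

def audit_mgmt_exposure(rules, mgmt_public_ip, fmc_public_ip, probes):
    """Return every (src, proto, port) probe that reaches the management
    address although it is not the FMC talking tcp/8305."""
    findings = []
    for src, proto, port in probes:
        if first_match(rules, src, mgmt_public_ip, proto, port) != "permit":
            continue
        if src == fmc_public_ip and proto == "tcp" and port == MGMT_PORT:
            continue
        findings.append((src, proto, port))
    return findings

# Constructed placeholder addresses (documentation ranges), not real ones.
MGMT_PUBLIC = "203.0.113.10"   # public IP assigned/NATed to the FTD mgmt interface
FMC_PUBLIC = "198.51.100.5"    # FMC's public IP at the main site
# Weak: the management address is open to the whole internet.
WEAK_RULES = [Rule("permit", "0.0.0.0/0", MGMT_PUBLIC + "/32", "any", None)]
# Corrected: only the FMC, only tcp/8305, everything else dropped explicitly.
TIGHT_RULES = [
    Rule("permit", FMC_PUBLIC + "/32", MGMT_PUBLIC + "/32", "tcp", MGMT_PORT),
    Rule("deny", "0.0.0.0/0", MGMT_PUBLIC + "/32", "any", None),
]
# Constructed probes: the FMC, a stranger on 8305, and SSH/HTTPS from a stranger.
PROBES = [(FMC_PUBLIC, "tcp", 8305), ("192.0.2.77", "tcp", 8305),
          ("192.0.2.77", "tcp", 22), ("192.0.2.77", "tcp", 443)]

def run_audit(rules):
    """Findings for a rule set against the constructed probes; [] means clean."""
    return audit_mgmt_exposure(rules, MGMT_PUBLIC, FMC_PUBLIC, PROBES)
```

Whatever device actually enforces the rules (the upstream router, the FTD outside ACL in the NAT case, or the management interface's own access list), the check to reproduce is the same: `run_audit` must come back empty.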