01-21-2021 04:05 PM
Hi,
In my office we have implemented an FTD v. 6.2.3.13 (ASA 5506X), we want to manage it in a remote branch with FMC.
I have read the cisco documentation:
https://www.cisco.com/c/en/us/td/docs/security/firepower/quick_start/fmc_remote_branch/deploy-the-ftd-at-a-remote-branch-with-fmc.html
In that documentation they use the command "configure network management-data-interface", but in my FTD I don't have that option.
Looking in other documentation, I found that command is used as of version 6.7. But the firewall I have is not compatible with this version:
https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/compatibility.html
Is there a way to do this configuration with the firewall I have?
01-21-2021 08:37 PM
No - the feature you mention was only added in 6.7. Since an ASA 5506 with FTD cannot run a version past 6.2.3.x, you must use the management interface for management by a remote site FMC.
You can put the management interface on the internet and restrict access to it to the FMC's public IP address (assuming you have a spare address to assign to it). The FMC-FTD communications are encrypted in transit with TLS (over tcp/8305).
The other option is to have a site-to-site VPN and route the management interface via the FTD inside interface over that VPN. That's tricky to do however and usually requires staging the FTD device at the main site prior to deployment.
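If the management interface is placed on the internet and filtered to the FMC's public IP, as described above, a practical defender check is to audit who is actually reaching the sftunnel port (tcp/8305). The following is an added example, not code from the thread or from Cisco: it assumes a hypothetical FMC public address (198.51.100.7) and uses constructed log lines loosely modelled on ASA/FTD connection syslog text.

```python
import re
import ipaddress

# Port used by the FMC <-> FTD management tunnel (sftunnel), as stated in the thread.
SFTUNNEL_PORT = 8305

# Assumed allow-list: the FMC's public IP (hypothetical RFC 5737 documentation address).
FMC_ALLOWED = {ipaddress.ip_address("198.51.100.7")}

# Constructed sample log lines (not real captures); 203.0.113.10 is the assumed
# public address given to the FTD management interface.
SAMPLE_LOGS = [
    "Built inbound TCP connection from outside:198.51.100.7/51234 to mgmt:203.0.113.10/8305",
    "Deny tcp src outside:192.0.2.55/4444 dst mgmt:203.0.113.10/8305 by access-group MGMT_IN",
    "Deny tcp src outside:192.0.2.55/4445 dst mgmt:203.0.113.10/8305 by access-group MGMT_IN",
    "Built inbound TCP connection from outside:192.0.2.99/60001 to mgmt:203.0.113.10/8305",
    "Built inbound TCP connection from outside:203.0.113.5/40000 to inside:10.0.0.5/443",
]

# Pulls source IP, destination IP and destination port from either "Built ... from X to Y"
# or "Deny ... src X dst Y" style lines.
LINE_RE = re.compile(
    r"(?:from|src) \w+:(?P<src>[\d.]+)/\d+ (?:to|dst) \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def audit_sftunnel_access(lines, allowed=FMC_ALLOWED):
    """Classify every connection to tcp/8305 seen in the log lines.

    'fmc_ok'           - connections from the allow-listed FMC address (expected).
    'denied'           - non-FMC sources the access restriction blocked (filter works).
    'unexpected_built' - non-FMC sources that were ALLOWED through: the restriction
                         to the FMC's public IP is missing or wrong and needs fixing.
    """
    findings = {"fmc_ok": 0, "denied": [], "unexpected_built": []}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or int(m.group("dport")) != SFTUNNEL_PORT:
            continue  # not management-tunnel traffic
        src = ipaddress.ip_address(m.group("src"))
        if src in allowed:
            findings["fmc_ok"] += 1
        elif line.startswith("Deny"):
            findings["denied"].append(str(src))
        else:
            findings["unexpected_built"].append(str(src))
    return findings


if __name__ == "__main__":
    print(audit_sftunnel_access(SAMPLE_LOGS))
```

Any address in `unexpected_built` means the management interface is reachable on tcp/8305 from somewhere other than the FMC, which is exactly the exposure the restriction is meant to prevent.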
01-25-2021 07:52 AM
Thank you very much @Marvin Rhoads.
What if I only have one public IP (from my ISP) for my FTD? How can I establish a connection with the FMC? Is there a manual?
01-25-2021 09:47 AM
As Marvin stated, the only option would be to stage the device beforehand and then ship the ASA to the desired location. IMO handling remote management like this is not a good idea; remote management without an out-of-band network connection for FTD to communicate with FMC is destined to cause issues in the long run (e.g. you push an incorrect configuration to your firewall, causing a connectivity issue between your firewall and FMC, and the only way to resolve it is to ship the firewall back to your central location and reconfigure it, since you lost connectivity between FMC and FTD, hence making it impossible to push changes to your firewall, creating a chicken-and-egg problem).
The problem I described above has been a very daunting limitation in the past and unfortunately your hardware platform (ASA 5506-X) will never support a release >= 6.2.3, hence there is no "good" solution for your problem. The limitation has been lifted with Firepower 6.7, but to utilize that software version you would need a Firepower 1000/2100/4100/9300 appliance.
01-25-2021 11:42 AM
An option could be to NAT the management interface to a public IP, or to the outside interface if you don't have extra public IPs. So the traffic would go from the management interface to the inside interface (for example) and then be NATed to a public IP. Previously this was not considered a good practice, and probably still isn't, since it exposes the management interface to the internet, but it will solve the issue.