FMC 6.2 Best Practice Cloud Deployment

klaas.kuiken1
Level 1

Hi There,

We are planning to put 2 FMC2500 boxes (HA) in a Data Center (DC) to manage 50 FTDs (HA) over the Internet and a "backup" connection.

See attachment for a topology diagram.

We've been googling recommended practices but found nothing useful.

Obviously the documentation indicates how to make the IPsec connection between the two, but our doubt is more about how to configure the ASA or FTD firewalls in the DC to protect the FMCs from the Internet (left side of the attached figure).

We guess that the FMCs should be in a DMZ and that the ASA/FTDs are doing NAT (which could possibly break the IPsec connection).

Could you please share any link / URL on this matter?

Best Regards,

Klaas.

2 Replies

Oliver Kaiser
Level 7

The only document which vaguely matches what you are looking for is the mgmt interface configuration guide: https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200868-Configuring-Firepower-Threat-Defense-FT.html

Just to make sure I understand your setup correctly: you want to have two central FMC appliances located in your DC and manage your FTD devices over a WAN connection, and in case this connection fails you want to utilize your L3VPN that is available at every site.

First thing that comes to mind is that you will need to register the FTD devices with one address / DNS entry. Since you can't (or at least I would think it would be somewhat too complicated) use your FTD public IP address and NAT the management interface, you will need to have an IPsec connection to your DC going through the FTD device if you really want to use this in-band path (going through FTD) to manage it, and have another route pointing to your L3VPN. In case the IPsec connection goes down you would have to redraw the route to let your L3 switch route traffic for the management connection over your L3VPN and not to your FTD device.

I am not sure if that kind of complexity is worth it, but it should work.

As for FMC, I would advise putting each FMC in a dedicated DMZ (since HA does not require L2 connectivity and it will be easier to span your HA over another site in case that ever becomes a requirement). My second piece of advice would be to always utilize DNS for device registration. Working with IP addresses is a pita and could cause some challenges in upcoming migrations.

Let me know if you have any questions.

Marvin Rhoads
Hall of Fame

Note that the communications between an FMC and its managed sensors (via tcp/8305) are already encrypted. I have confirmed this first hand via a packet capture and observed the cipher negotiation and establishment of a secure tunnel. Thus an additional IPsec layer gives no extra security.

More important is that the FMCs each be reachable via a single unique address. That could be done with NAT at the FMC end, depending on your IP addressing setup and the services available from your provider(s).
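The reply above rests on one observable fact: the first bytes a managed device sends to the FMC on tcp/8305 are a TLS handshake. The following script is an added example (not code from this thread or from Cisco) showing how a practitioner would confirm that from a capture: take the first TCP payload of each flow to port 8305, check whether it parses as a TLS handshake record (RFC 5246 layout), and, for a ClientHello, list the offered cipher suites. The flows are constructed inline for the example; a real check would feed in payloads exported from a capture. The port number 8305, the TLS record format and the three IANA cipher suite identifiers are the only externally known values; addresses and payloads are samples.

```python
"""Classify first-packet payloads on tcp/8305 as TLS handshake or not.

Flows below are constructed for this example, not real captures.
"""
import struct

SFTUNNEL_PORT = 8305  # FMC <-> managed device management channel

# TLS record content type and handshake message types (RFC 5246)
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# A few IANA cipher suite identifiers, enough to label the sample
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
}


def parse_tls_handshake(payload: bytes) -> dict:
    """Summarise a TLS handshake record, or return {"is_tls": False}.

    Only the fields needed to recognise a handshake and list a ClientHello's
    cipher suites are decoded; malformed input is reported as not-TLS.
    """
    if len(payload) < 9 or payload[0] != CONTENT_HANDSHAKE:
        return {"is_tls": False}
    rec_version, rec_len = struct.unpack("!HH", payload[1:5])
    if rec_version not in TLS_VERSIONS or rec_len > len(payload) - 5:
        return {"is_tls": False}           # unknown version or truncated record
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_len > rec_len - 4:
        return {"is_tls": False}
    summary = {"is_tls": True, "record_version": TLS_VERSIONS[rec_version],
               "handshake_type": hs_type, "cipher_suites": []}
    if hs_type != HANDSHAKE_CLIENT_HELLO:
        return summary                     # ServerHello etc.: no suite list here
    body = payload[9:9 + hs_len]
    if len(body) < 35:                     # client_version(2) + random(32) + sid_len(1)
        return {"is_tls": False}
    summary["client_version"] = TLS_VERSIONS.get(struct.unpack("!H", body[0:2])[0], "unknown")
    pos = 34
    pos += 1 + body[pos]                   # skip session_id
    if pos + 2 > len(body):
        return {"is_tls": False}
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        return {"is_tls": False}
    for i in range(pos, pos + cs_len, 2):
        suite = struct.unpack("!H", body[i:i + 2])[0]
        summary["cipher_suites"].append(CIPHER_SUITES.get(suite, f"0x{suite:04X}"))
    return summary


def audit_flows(flows: list) -> list:
    """Classify each (src, dst, dport, first_payload) flow aimed at tcp/8305."""
    results = []
    for src, dst, dport, payload in flows:
        if dport != SFTUNNEL_PORT:
            continue
        info = parse_tls_handshake(payload)
        results.append({"src": src, "dst": dst,
                        "verdict": "TLS handshake" if info["is_tls"] else "NOT TLS (investigate)",
                        "cipher_suites": info.get("cipher_suites", [])})
    return results


def build_client_hello(suites) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (sample input, not a capture)."""
    body = struct.pack("!H", 0x0303)                     # client_version: TLS 1.2
    body += bytes(range(32))                              # random, fixed for reproducibility
    body += b"\x00"                                       # session_id length 0
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    body += struct.pack("!H", 0)                          # no extensions
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


# Constructed sample flows: a device registering to the FMC (TLS), a
# hypothetical plaintext session on the same port that should never occur,
# and an unrelated flow on another port that is ignored.
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", SFTUNNEL_PORT, build_client_hello([0xC02F, 0xC030, 0x009C])),
    ("192.0.2.11", "203.0.113.5", SFTUNNEL_PORT, b"GET / HTTP/1.1\r\nHost: fmc\r\n\r\n"),
    ("192.0.2.12", "203.0.113.5", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    for r in audit_flows(SAMPLE_FLOWS):
        print(f"{r['src']} -> {r['dst']}: {r['verdict']} {r['cipher_suites']}")
```

Anything on tcp/8305 that does not start with a handshake record deserves a look, since it would contradict the assumption that the channel is self-protecting; on a healthy deployment every 8305 flow should classify as a TLS handshake.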
