Re: FMC gui reachability

dianawinsky · ‎01-07-2026

Has anyone experienced configuring the FMC gui to be reachable and can be accessed from other locations and can register the FTD 2? the type of connection is via MPLS.

Cristian Matei · ‎01-07-2026

Hi,

I'm assuming you're speaking about the management connectivity between the FMC on the left side and the FTD on the far right side. You have two options to manage that FTD via FMC:

1. You use the FTD data interface connected to the WAN / MPLS (default gateway being MPLS NH) to perform your integration with the FMC.

2. You connect the FTD management interface on the LAN side, in the same VLAN and subnet as one of the FTD's LAN data interfaces, default gateway being the FTD (in this case, as the management traffic between FTD and FMC will pas through FTD's data plane, ensure to match this traffic within a prefilter policy on the FTD)

While both options will do the job, and both have pros and cons, it is generally speaking more convenient to use the first option, using data interface for management, this is why thus capability has been added to FTD, to meet such design requirements. Especially this being a private connection, aka MPLS, there's less risk on exposing the FMC subnet / IPv4 address within the MPLS routing domain, as opposed to this being an Internet connection.

Thanks,

Cristian.

dianawinsky · ‎01-07-2026

Is there any need configuration on the fmc? I mean to be accessible in other locations?

Cristian Matei · ‎01-07-2026

Hi,

The FMC will only have a default route, thus through that default route the NH needs to provide both Internet connectivity for content updates, as well as IP connectivity towards the IP addresses of the FTD's that it manages. So it's the NH router / layer 3 device providing this connectivity, no special / extra configurations on the FMC side.

Thanks,

Cristian.

dianawinsky · ‎01-07-2026

Meaning, i dont need separate IP for fmc to be reachable to ftd in another location?

If yes, do you have example config?

Cristian Matei · ‎01-07-2026

Hi,

You don't need separate IP's on the FMC; while this is an option, you add complexity in your setup for no reason, unless you have some routing restrictions that I'm not aware of. As long as the your routing domain routes the FMC's subnet to be reachable by all FTD's as well as it provides Internet access for the FMC, a single interface on the FMC is sufficient.

Here's, using some older GUI, but you will figure it out, examples of using either the management interface of the FTD, or the data-interface of the FTD to integrate it with the FMC:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222145-configure-manager-access-on-ftd-from-man.html

Thanks,

Cristian.

dianawinsky · ‎01-07-2026

Current configured for outside interface of ftd 1 is in NAT. Fmc is behind ftd 1.

Cristian Matei · ‎01-08-2026

Hi,

If the IPv4 address of the FMC is routable on the outside interface (which seems to be private MPLS connection and you can make it happen), you need to exclude from NAT your FMC to FTD traffic, via twice NAT in the before auto section (you also need to allow bidirectional TCP 8305 traffic via pre-filter policy). In this case, the FTD will register to the real IPv4 address of the FMC, the one configured on the FMC NIC.

If the IPv4 address of the FMC is NOT routable on the outside interface, or you don't want to make it routable, you can make a static TCP NAT configuration for TCP port 8305 using twice NAT, for traffic between FMC and FTD's (you also need to allow bidirectional TCP 8305 traffic via pre-filter policy). In this case, the FTD will register to the NAT'ed IPv4 address of the FMC, so NOT the one configured on the FMC NIC. You must use the NAT key setting when performing FTD to FMC registration in this case.

Thanks,

Cristian.