FMC management on 1010 with PPPoE (S2S VPN hack/workaround?)

curtis.rumble
Level 1

Hi,

We went to configure up some 1010 firewalls last week with PPPoE and FMC management, however stumbled across this brilliant lack of feature from Cisco:

"PPPoE is not supported. If your ISP requires PPPoE, you will have to put a router with PPPoE support between the threat defense and the WAN modem."

Whilst we can configure PPPoE on the WAN interface, we cannot manage the firewall via FMC from this interface. Purchasing another router just to be able to manage them remotely seems crazy. Our partner has spoken with their Cisco rep, and Cisco have said they aren't going to be implementing this feature? Can anyone add any further light to this?

My thoughts are that we could use the existing Watchguard with VPN back to Head Office, set the MGMT port on the 1010 to a local IP address 172.16.x.x, configure it via FMC down the existing Watchguard VPN tunnel, then switch over to the 1010 with the PPPoE connection, S2S VPN back to the head office FW and managed by FMC via the MGMT port patched into the local subnet. Therefore the MGMT traffic is being tunnelled down the VPN and is remotely managed by FMC. Has anyone tried this before?

My thoughts are that if we get any issues we could create an 'Extranet' VPN from FMC to a router or old firewall to create the VPN tunnel, then manage the 1010 to get it back up and running again.

Pretty dirty workaround but Cisco seem to have us over a barrel with this one. Has anyone else found a way round this thundercracker?

Thanks

Curtis 
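One thing that silently breaks the design above is a site-to-site VPN whose protected networks cover the branch LAN but not the separate subnet the 1010's MGMT port sits on, or cover it only in a pair that does not reach the FMC. The check below is an added example, not from this thread or from Cisco; all addresses and the protected-network pairs are constructed placeholders.

```python
"""Sanity-check that an FTD management host and its FMC fall inside the
same protected-network pair of a site-to-site VPN (the 'interesting
traffic' both tunnel ends must agree on).  Added example with constructed
addresses; nothing here is taken from a real deployment."""
import ipaddress
from typing import Iterable, Tuple

# (branch-side network, head-office-side network), as a S2S VPN defines
# the traffic it will encrypt.  Constructed sample values.
ProtectedPair = Tuple[str, str]

PAIRS_BEFORE: list = [("192.168.10.0/24", "10.0.0.0/16")]           # LAN only
PAIRS_AFTER: list = PAIRS_BEFORE + [("172.16.20.0/24", "10.0.0.0/16")]  # + MGMT subnet


def check_mgmt_path(mgmt_ip: str, fmc_ip: str,
                    pairs: Iterable[ProtectedPair]) -> str:
    """Return "ok" if some pair contains mgmt_ip on the branch side and
    fmc_ip on the head-office side; otherwise a message naming which half
    of the path the VPN is not carrying."""
    mgmt = ipaddress.ip_address(mgmt_ip)
    fmc = ipaddress.ip_address(fmc_ip)
    mgmt_seen = fmc_seen = False
    for local, remote in pairs:
        in_local = mgmt in ipaddress.ip_network(local, strict=False)
        in_remote = fmc in ipaddress.ip_network(remote, strict=False)
        if in_local and in_remote:
            return "ok"
        mgmt_seen |= in_local
        fmc_seen |= in_remote
    if not mgmt_seen:
        return f"mgmt host {mgmt_ip} is not in any branch-side protected network"
    if not fmc_seen:
        return f"FMC {fmc_ip} is not in any head-office-side protected network"
    # Both addresses appear somewhere, but never together in one pair, so
    # the tunnel will not match mgmt -> FMC traffic.
    return "mgmt host and FMC are covered but not by the same protected pair"


if __name__ == "__main__":
    # Constructed branch MGMT host and head-office FMC address.
    for label, pairs in (("before", PAIRS_BEFORE), ("after", PAIRS_AFTER)):
        print(label, "->", check_mgmt_path("172.16.20.5", "10.0.5.10", pairs))
```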

4 Replies

What version FMC/FTD are you running? PPPoE is supported as of 6.6.x and later if memory serves me correctly. We have an FTD 1010 running 7.2.0 where PPPoE is supported.

--
Please remember to select a correct answer and rate helpful posts

We're running the latest 7.2.1. PPPoE is configurable for the WAN interface, but FMC management can't be used on this interface, which seems madness considering all other vendors do support management on the external interface. Going to have a look at this today and see if I can get management traffic flowing down the VPN tunnel.

May I ask you if you were able to solve the problem?

I have the same issue... Firepower 1010 behind an ISP modem connected with PPPoE. When I connect via VPN to the firewall I can manage all devices behind the firewall, but not the firewall... When not using PPPoE (other customer) it is possible to connect to the outside interface for management when the VPN pool is set for the outside interface for management... But with PPPoE activated it doesn't seem to work.

We ended up not going down this path as it wouldn't have been properly supported. Our supplier ended up giving us C1117P routers to fix it FoC.
