
FTD Initial Config

ssan239
Level 1

Hi All,

We are going to set up an FTD 2110 in a remote site which will have only internet connectivity.

> We need to manage the FTD over the Internet-facing interface (BOTH MANAGEMENT AND DATA INTERFACE ARE THE SAME), that is the public interface.

> FTD is a new box without any config on it, so we need to configure it from scratch (WILL GET THE CONSOLE ACCESS); the site engineer will share the console.

> We have FMC managing all the FTDs over MPLS, and the same FMC will be managing only this FTD over the internet. (IS IT POSSIBLE OR ARE THERE ANY ISSUES HERE?)

> FMC does have internet access. So what would be the best way to initiate the configuration? This is the first time I am configuring the data interface to act as both Mgmt and Data interface, so I am not really sure how easy this is to configure.

We used to configure the Mgmt Interface IP, route, gateway, DNS, NTP, FQDN and the FMC details, everything via console, then connect it to the switch and get access over the MPLS. Then we would configure the FMC server with the new FTD details, establish the connectivity and start the configuration.

As this new setup is not the same as the old one, what would be the best approach when we get the console access, and how do we get the mgmt connectivity?

Thanks in advance.

Regards,

Sanjay S


6 Replies

balaji.bandi
Hall of Fame

People sometimes do it like this if they don't have any other mode of management access: during installation choose Managed by FMC.

Configure the manager config, and apply the same config in FMC; see if you can connect to the FTD. Once you connect to the FTD, make a policy for what IP address and interface you are looking for management access on.

BB

***** Rate All Helpful Responses *****


> We need to manage the FTD over Internet facing interface.(BOTH MANAGEMENT AND DATA INTERFACE IS SAME) that is the public interface.

The one thing to be aware of here is that the FMC is most likely behind a NAT device, so be sure to specify a unique NAT ID when setting up the connection between FMC and FTD.

> FTD is a new box without any config on it. So we need to configure it from scratch(WILL GET THE CONSOLE ACCESS) site engineer will share the console.

When configuring the data interface for management access for FMC you will be asked for the IP address and default gateway. Once you have configured this, you should be good to go to connect with the FMC.

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/device_management_basics.html#Cisco_Concept.dita_a3adf1ee-a270-4ff4-8b7b-3f9a3f4f1636

Example:

> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]: internet
IP address (manual / dhcp) [dhcp]: manual
IPv4/IPv6 address: 10.10.6.7
Netmask/IPv6 Prefix: 255.255.255.0
Default Gateway: 10.10.6.1
Comma-separated list of DNS servers [none]: 208.67.222.222,208.67.220.220
DDNS server update URL [none]:
Do you wish to clear all the device configuration before applying ? (y/n) [n]:

Configuration done with option to allow FMC access from any network, if you wish to change the FMC access network
use the 'client' option in the command 'configure network management-data-interface'.

Setting IPv4 network configuration.
Network settings changed.

> We have FMC managing all the FTDs over MPLS and the same FMC will be managing only this FTD over internet.(IS IT POSSIBLE OR ANY ISSUES WE HAVE HERE)?

How the FTD devices are reachable doesn't matter; what matters is that they ARE reachable on the interface IP they are to be managed on.

> FMC do have internet access. So what would be the best way to initiate the configuration. This is the first time i am configuring the Data interface to act both as Mgmt and Data interface. So not really sure how easy this is to configure.

First configure the Management interface on the FTD, then configure the data interface to be a management interface (configure network management-data-interface), next configure the FTD for management from FMC (configure manager add 1.2.3.4 <shared-key> <NAT-ID>), and finally configure the FMC to manage the FTD by the public IP.

--
Please remember to select a correct answer and rate helpful posts

Thank you very much for the detailed explanation on the queries raised.

Got most of the info required, but I have one doubt about the last answer shared. You mentioned to configure the Mgmt Interface first and then configure the data interface to be data interface; I am a bit confused by this statement.

> First configure the Management interface on the FTD, then configure the data interface to be a management interface (configure network management-data-interface)

May I get more clarification on this please?

Regards,

Sanjay S

Even though you do not intend to use the Management interface to manage the FTD, you must configure an IP on the management interface. The document I posted a link to above provides some explanation of this, but here is also my take on it, combined with a little of what is stated in the document.

  • If you lose access to the data interface for management, you can SSH to the management interface instead of having to connect with a console.
  • Even though you are using the data interface for management by FMC, other management traffic will be routed on the backplane, such as DNS. DNS will use the management interface to resolve FQDN.
  • The management interface must have a static IP, because if it is set to DHCP the default route for management traffic can be overwritten by settings from the DHCP server.

If you look at the section "Complete the FTD Initial Configuration Using the CLI" in the link I posted, it explains a little more about the need for an IP on the management interface.

--
Please remember to select a correct answer and rate helpful posts
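The ordered bootstrap Marius gives above (management IP, then management-data interface, then manager registration with a NAT ID), together with the static management IP caveat, as an added example that is not part of the thread: a small plan checker that refuses a DHCP management interface, a gateway outside its subnet, or a missing NAT ID when the FMC is NATted, and then emits the CLI sequence. The `configure network ipv4 manual` and `configure network dns servers` command forms are not shown in the thread and are assumptions; all management and FMC addresses are constructed.

```python
import ipaddress
import re

# Constructed sample values (data-interface IP and DNS servers match the thread's
# example; management and FMC addresses are made up for illustration).
SAMPLE_PLAN = {
    "mgmt_mode": "manual", "mgmt_ip": "192.168.45.45",
    "mgmt_mask": "255.255.255.0", "mgmt_gw": "192.168.45.1",
    "data_ip": "10.10.6.7", "data_mask": "255.255.255.0", "data_gw": "10.10.6.1",
    "dns": "208.67.222.222,208.67.220.220",
    "fmc_ip": "203.0.113.10", "fmc_behind_nat": True,
    "reg_key": "RegKey-2024", "nat_id": "ftd-remote-site",
}

def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    errors = []
    # Management interface must be static: a DHCP lease could overwrite the
    # default route that management traffic (e.g. DNS) relies on.
    if plan.get("mgmt_mode", "dhcp") != "manual":
        errors.append("management interface must use a static (manual) IP")
    for label in ("mgmt", "data"):
        try:
            net = ipaddress.ip_network(
                f"{plan[label + '_ip']}/{plan[label + '_mask']}", strict=False)
            gw = ipaddress.ip_address(plan[label + "_gw"])
        except (KeyError, ValueError) as exc:
            errors.append(f"{label}: bad address/mask/gateway ({exc})")
            continue
        if gw not in net:
            errors.append(f"{label}: gateway {gw} is outside {net}")
    # FMC behind NAT: registration needs a unique NAT ID on both sides.
    if plan.get("fmc_behind_nat") and not plan.get("nat_id"):
        errors.append("FMC is behind NAT: a unique NAT ID is required")
    key = plan.get("reg_key", "")
    if len(key) < 8 or not re.fullmatch(r"[A-Za-z0-9_-]+", key):
        errors.append("registration key should be 8+ chars of [A-Za-z0-9_-]")
    return errors

def bootstrap_commands(plan):
    """Emit the console commands in the order the thread describes."""
    errors = validate_plan(plan)
    if errors:
        raise ValueError("; ".join(errors))
    return [
        f"configure network ipv4 manual {plan['mgmt_ip']} {plan['mgmt_mask']} {plan['mgmt_gw']}",
        f"configure network dns servers {plan['dns']}",
        # Interactive: answer its prompts with the data_* values above.
        "configure network management-data-interface",
        f"configure manager add {plan['fmc_ip']} {plan['reg_key']} {plan.get('nat_id', '')}".rstrip(),
    ]
```

The same registration key and NAT ID must then be entered when the device is added in FMC by its public IP.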

Thank you Marius,

I will follow your valuable inputs. Maybe I will use a LAN-range IP for the Management Interface config, and then the public IP address to configure the Data and Management interface to manage via FMC.

Waiting for the FTD to reach the site to configure it. In case of any more doubts or issues, I will post in the same thread.

Regards,

Sanjay S
