Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3437
Views
0
Helpful
5
Replies

FTD Management Access over VPN

sddherai1
Level 1
Level 1

‎04-24-2018 02:08 PM - edited ‎02-21-2020 07:40 AM

Gentlemen,

 

We are trying to deploy a FTD 5506W-X at a branch site running code 6.2.3, managed by on-the-box FDM. I stress on FDM since, it is manageable over the data interfaces.

 

The goal is to manage the device remotely over a site-to-site VPN tunnel back to HQ where all NMS solutions reside.

 

(Branch) FTD 6.2.3----vpn----ASA 9.8 (HQ)

 

Challenge:

 

HTTPS/SSH access on inside interface, in this case BVI1 which the other interfaces are a part of.

We are not able to access either of these ports on any FTD interfaces over the VPN. However, we are able to do so locally.

 

Please do let us know if someone has been able to implement this successfully.

2 people had this problem
Labels:
0 Helpful
5 Replies 5

michoudi
Level 1
Level 1

‎04-26-2018 05:16 PM

I believe on FTD firmware you can only manage on the same interface you arrive on. Can you try enabling management access on the outside interface with an ACL to only allow your NMS?
0 Helpful

sddherai1
Level 1
Level 1
In response to michoudi

‎05-03-2018 02:06 PM

Well, that certainly works. However, we wouldn't really want SNMP v2 over the internet.

 

We're trying to get SNMP v3 to work using FlexConfig, because they haven't gotten that to the UI yet.

 

So, bottom line, one cannot manage FTD over the VPN?

 

Its hard to understand why Cisco would shutdown 5505, without having migrated everything to the newer platform?

0 Helpful

michoudi
Level 1
Level 1
In response to sddherai1

‎05-03-2018 02:16 PM

You can manage FTD over VPN. Maybe not exactly the way you're looking to do it, but you can do it.

Another option is to manage it using the dedicated management interface instead of the data interface. This method wouldn't be restricted by having to enter from the same interface you're trying to manage, that only applies if you're managing using the data interfaces.
0 Helpful

sddherai1
Level 1
Level 1
In response to michoudi

‎05-03-2018 02:22 PM

I think I understand you partially. Let me know if I understood you right.

1. So, I can manage using the Management Interface IFF it is connected to a downstream switch. Sure I can do it but most certainly an added cost.
2. I manage using FMC. Again license required for a managed node.
Goal was to have solution (Firewall, Switch, AP (it's a 5506W-X)) in a BOX.
0 Helpful

Poliberte
Level 1
Level 1

‎12-27-2018 04:40 PM

Hello, One way you can manage your device over the VPN is to route the management interface on another device such as a core switch.

 

something like.

site A ---VPN---siteB--Core(L3 device) ---FTD management interface.

Then you can manage it as a host at site B.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card