FTD Management Access over VPN

sddherai1
Level 1

Gentlemen,

We are trying to deploy an FTD 5506W-X at a branch site running code 6.2.3, managed by on-the-box FDM. I stress FDM since it is manageable over the data interfaces.

The goal is to manage the device remotely over a site-to-site VPN tunnel back to HQ where all NMS solutions reside.

(Branch) FTD 6.2.3----vpn----ASA 9.8 (HQ)

Challenge:

HTTPS/SSH access on the inside interface, in this case BVI1, which the other interfaces are a part of.

We are not able to access either of these ports on any FTD interfaces over the VPN. However, we are able to do so locally.

Please do let us know if someone has been able to implement this successfully.

5 Replies

michoudi
Level 1
I believe on FTD firmware you can only manage on the same interface you arrive on. Can you try enabling management access on the outside interface with an ACL to only allow your NMS?

Well, that certainly works. However, we wouldn't really want SNMP v2 over the internet.

We're trying to get SNMP v3 to work using FlexConfig, because they haven't gotten that to the UI yet.

So, bottom line, one cannot manage FTD over the VPN?

It's hard to understand why Cisco would shut down the 5505 without having migrated everything to the newer platform.

You can manage FTD over VPN. Maybe not exactly the way you're looking to do it, but you can do it.

Another option is to manage it using the dedicated management interface instead of the data interface. This method wouldn't be restricted by having to enter from the same interface you're trying to manage; that only applies if you're managing using the data interfaces.

I think I understand you partially. Let me know if I understood you right.

1. So, I can manage using the Management Interface IFF it is connected to a downstream switch. Sure I can do it but most certainly an added cost.
2. I manage using FMC. Again license required for a managed node.
Goal was to have solution (Firewall, Switch, AP (it's a 5506W-X)) in a BOX.

Poliberte
Level 1

Hello, one way you can manage your device over the VPN is to route the management interface on another device such as a core switch.

Something like:

site A ---VPN---siteB--Core(L3 device) ---FTD management interface.

Then you can manage it as a host at site B.
