FTD management over Internet
11-03-2021 04:45 AM
Greetings
I have a scenario where my FTDs are only reachable for management by the FMC over Internet. The FTDs are running HA so data interface access isn't an option. I assume data in transit is properly encrypted but how do I secure access to the FTD management interface? I have yet to find an ACL option for the actual management interface, I'm thinking about using black-hole routing but it seems kind of cheap.
Regards
Fredrik
11-03-2021 04:55 AM
I would put management in a different VLAN, do NAT on the Internet router with public to private IP, and if you know the FMC public IP, then I would restrict with an ACL to allow only the FMC IP to contact the FTD.
Since you do not have the option to deploy a LAN, if you only have the option to communicate from the external Internet.
11-03-2021 11:06 AM
Hi
Thank you for the answer. As I don't have any control over our Internet router I'd like to look into the ACL option. How is that done?
/Fredrik
11-03-2021 12:52 PM
If the Internet router does not do NAT, then how will an external connection establish to the FTD? That fails, since management is an RFC1918 address (that was my impression). Or do you have a public IP configured on management?
11-03-2021 11:06 PM
Ah, I might have forgotten that piece of information. My management interfaces have public IPs.
I found the CLI settings ssh-access-list and https-access-list, which seem to do the trick for SSH access, but what about SNMP?
/Fredrik
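A pre-flight check for the ssh-access-list / https-access-list entries mentioned above, added here as an example and not part of the thread: it rejects overly broad entries, confirms the FMC's public address is still covered (so FMC registration is not cut off), and only then emits the FTD CLI lines. The FMC address and proposed entries are constructed sample values, and the `configure ssh-access-list` / `configure https-access-list` command syntax is an assumption to verify against your FTD version.

```python
import ipaddress

# Constructed sample values (not from the thread): the FMC's public
# address and the entries an admin proposes for the FTD access lists.
FMC_PUBLIC_IPS = ["203.0.113.10"]
PROPOSED_ENTRIES = ["203.0.113.10/32", "198.51.100.0/24"]


def audit_access_list(entries, fmc_ips, max_host_bits=8):
    """Return (problems, commands).

    problems: findings such as unparsable or overly broad entries, or an
              FMC address that no entry covers.
    commands: the FTD CLI lines to apply, or [] if any problem was found.
    The command syntax is assumed from the setting names in the thread.
    """
    problems, nets = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            problems.append(f"unparsable entry: {entry}")
    for net in nets:
        # Anything wider than a /24 (IPv4) exposes far more than a few
        # management hosts on an Internet-facing interface.
        if net.num_addresses > 2 ** max_host_bits:
            problems.append(f"overly broad entry: {net}")
    for ip in fmc_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            problems.append(f"FMC {ip} not covered; FMC access would break")
    if problems:
        return problems, []
    joined = ",".join(str(net) for net in nets)
    return [], [f"configure ssh-access-list {joined}",
                f"configure https-access-list {joined}"]


if __name__ == "__main__":
    found, cmds = audit_access_list(PROPOSED_ENTRIES, FMC_PUBLIC_IPS)
    for line in found or cmds:
        print(line)
```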
11-04-2021 02:22 AM
Why do you need SNMP over public? If you intend to use it, try SNMPv3; also, the same ACP rule you can apply.
11-12-2021 02:23 AM
Hi
I don't, that's the thing. I ONLY want FMC management on my Internet-connected management interface.
/Fredrik
