02-01-2021 07:49 AM - edited 02-01-2021 07:49 AM
Hi,
I'm confused as to how to manage a remote FTD device using FMC located at another site:
FTD (site 1) --- VPN --- [ASA w/ FP --- FMC] (site 2)
With ASA I would select a "management" interface to manage the ASA over the VPN tunnel, but how do I accomplish this with FTD?
FTD is the only device at site 1 and will be responsible for the VPN tunnel to site 2.
Thank you,
02-01-2021 09:01 AM - edited 02-01-2021 09:03 AM
FTD devices have a management interface that is used to talk with (and be managed by) the Firepower Management Center (FMC). You can manage a remote FTD in one of two ways:
1. FTD must have a static IP address for its management interface that the FMC can reach. In this case you would actually need two static IP addresses from the ISP; one for the management interface and one for the data interface. This sometimes isn't an option and DHCP is the only way to address the FTD. In that case, refer to option 2.
2. The FMC must have a static NAT address that the FTD can reach. This option also requires a firewall rule allowing traffic destined for TCP 8305 from your OUTSIDE zone to the INSIDE zone (or where ever the FMC lives).
I'm going to go with option 2 and assume that a static NAT address has already been created for the FMC as 1.2.3.4.
Connect the remote FTD's management interface into the ISP to get an IP address via DHCP (if you have a static IP then that will work too. I'm assuming you might not have one.) Verify you have an address with the following command:
> show network
(output omitted...)
-----------------------[ IPv4]-----------------------
Configuration : DHCP
Address : 4.3.2.1
Netmask : 255.255.255.0
Broadcast : 4.3.2.255
The management interface will respond to pings if you need to ping it for troubleshooting.
On the remote FTD, you'll use the command "configure manager add [FMC public IP] [password] [NAT-ID]". The NAT-ID will be different for all remote FTDs that you manage in this way.
> configure manager add 1.2.3.4 MyS3cretP@ssword 12345
On the FMC, add the remote FTD using the same password and NAT-ID but do not fill in the "Host" field unless you assigned a static IP address to the FTD's management interface. This is because the FMC is waiting for the FTD to initiate the connection. Be sure to click the Register button and wait. The FTD should show up in the FMC and you can start configuring it from there to get connectivity and the VPN established back to the main site.
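A pre-flight check for the option-2 flow above, as an added example that is not part of the original post or any Cisco tooling. It parses the IPv4 block of `show network` in the layout shown in the reply, validates the registration parameters a practitioner gets wrong most often (an FMC address that is not publicly routable, a NAT-ID reused across remote FTDs, an empty NAT-ID, a weak registration key), renders the `configure manager add` line, and offers a live TCP 8305 probe to run from the remote site. The sample `show network` text, the fleet inventory, the 12-character key minimum and the device names are constructed assumptions for illustration.

```python
"""Pre-flight checks for registering a remote FTD to an FMC behind static NAT
(the "option 2" flow: the FTD initiates to the FMC's public NAT address on
TCP 8305 using a shared registration key plus a per-device NAT-ID).

Added example, not Cisco tooling. The parser follows the `show network` IPv4
block layout shown in the thread; the thresholds, device names and sample
inventory below are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
import re
import socket
from dataclasses import dataclass

SFTUNNEL_PORT = 8305  # FMC <-> FTD management port named in the thread

# Constructed sample of the IPv4 section of `show network`, one "key : value" per line.
SAMPLE_SHOW_NETWORK = """\
-----------------------[ IPv4]-----------------------
Configuration : DHCP
Address : 4.3.2.1
Netmask : 255.255.255.0
Broadcast : 4.3.2.255
"""


def parse_show_network_ipv4(text: str) -> dict:
    """Return the key/value pairs of the IPv4 block as a dict with lowercased keys."""
    fields: dict = {}
    in_ipv4 = False
    for line in text.splitlines():
        stripped = line.strip()
        if re.match(r"^-+\[\s*IPv4\s*\]-+$", stripped):
            in_ipv4 = True
            continue
        if in_ipv4 and re.match(r"^-+\[", stripped):
            break  # a following section (e.g. IPv6) starts; stop here
        if in_ipv4 and ":" in stripped:
            key, _, value = stripped.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def management_addressed(fields: dict) -> bool:
    """True if the management interface holds a usable IPv4 address (DHCP or static)."""
    try:
        addr = ipaddress.ip_address(fields.get("address", ""))
    except ValueError:
        return False
    return not (addr.is_unspecified or addr.is_link_local)


@dataclass(frozen=True)
class Registration:
    device: str          # inventory label for the remote FTD (assumed)
    fmc_public_ip: str   # FMC's static NAT address reachable from the Internet
    reg_key: str         # shared registration key
    nat_id: str          # must be unique per remote FTD


def check_registration(reg: Registration, fleet: list[Registration],
                       min_key_len: int = 12) -> list[str]:
    """Return a list of problems; an empty list means the parameters look sane."""
    problems: list[str] = []
    try:
        fmc = ipaddress.ip_address(reg.fmc_public_ip)
        if fmc.is_private or fmc.is_loopback or fmc.is_unspecified:
            problems.append(f"FMC address {reg.fmc_public_ip} is not publicly routable; "
                            "the remote FTD cannot reach it across the Internet")
    except ValueError:
        problems.append(f"FMC address {reg.fmc_public_ip!r} is not a valid IP address")
    if len(reg.reg_key) < min_key_len:  # assumed minimum, not a Cisco requirement
        problems.append(f"registration key is shorter than {min_key_len} characters")
    if not reg.nat_id.strip():
        problems.append("NAT-ID is empty; it is required when the FMC does not know the FTD's IP")
    clashes = [o.device for o in fleet if o.device != reg.device and o.nat_id == reg.nat_id]
    if clashes:
        problems.append(f"NAT-ID {reg.nat_id!r} is reused by {', '.join(clashes)}; "
                        "each remote FTD needs its own")
    return problems


def build_manager_add(reg: Registration) -> str:
    """Render the FTD CLI line from the thread: configure manager add <fmc> <key> <nat-id>."""
    return f"configure manager add {reg.fmc_public_ip} {reg.reg_key} {reg.nat_id}"


def fmc_port_reachable(host: str, port: int = SFTUNNEL_PORT, timeout: float = 3.0) -> bool:
    """Live probe (run from the remote site): can TCP 8305 to the FMC NAT address be opened?
    Network-dependent, so it is not part of the offline checks above."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    fleet = [
        Registration("ftd-site1", "1.2.3.4", "MyS3cretP@ssword", "12345"),
        Registration("ftd-site3", "1.2.3.4", "MyS3cretP@ssword", "12345"),  # constructed clash
    ]
    fields = parse_show_network_ipv4(SAMPLE_SHOW_NETWORK)
    print("management addressed:", management_addressed(fields), fields.get("address"))
    for reg in fleet:
        print(build_manager_add(reg))
        for problem in check_registration(reg, fleet):
            print("  !", problem)
```

Run it before typing `configure manager add` on the remote box; the NAT-ID clash check is the one that matters when several branches are registered the same way, since two devices sharing a NAT-ID cannot both be matched by the FMC.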
02-01-2021 09:31 AM
Hi Tyson,
Thank you for the quick reply, what you're saying makes perfect sense.
If I have a single Internet IP address (DHCP assigned from ISP NAT router) will I be able to connect both the Management and Data interfaces to the ISP router (both receiving a RFC 1918 IP address) and still connect back to FMC for FTD management and VPN tunnel establishment?
Thanks,
02-01-2021 09:37 AM
From FTD 6.7 you can configure a data interface for management purposes, so no need for a dedicated management interface.
More information:-
02-01-2021 09:46 AM - edited 02-01-2021 09:50 AM
You can use a data interface as both the WAN & management of the device. This would allow you to only use a single IP address at the remote location for the FTD. There are some drawbacks:
Commands:
> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]:
IP address (manual / dhcp) [dhcp]:
DDNS server update URL [none]:
Do you wish to clear all the device configuration before applying ? (y/n) [n]:
Configuration done with option to allow FMC access from any network, if you wish to change the FMC access network
use the 'client' option in the command 'configure network management-data-interface'.
Setting IPv4 network configuration.
Network settings changed.
02-01-2021 10:32 AM
Hi Tyson,
This only works for 6.7 and later, I'm currently running 6.6.1. Back to my previous question, can I manage and bring up a VPN tunnel using a single IP address from ISP NAT router (using single dynamic IP address)?
Thank you,
02-01-2021 10:51 AM
Yes
02-01-2021 12:19 PM
Thanks Tyson
11-17-2022 05:04 AM
Hi Tyson
If the only WAN interface I have got is PPPoE without a router, can I configure one of the internal interfaces as a management interface and set up a site-to-site VPN between the remote site and HQ using that PPPoE interface, and use routing to make that management subnet routable to the FMC?
with internal interface FTD (site 1 PPPoE) --- VPN --- [FTD --- FMC] (site 2)
02-21-2024 12:16 PM
Hi Tyson,
In my situation I have remote FTDs using the Inside interface IP as the Mgmt IP (in other words, the FTD Mgmt IP is from the encryption domain at the remote end), since the HQ FMC is reaching the remote FTD after the VPN is established. It is kind of a chicken-and-egg situation.
To improve this I am planning to reconfigure the remote FTD Outside interface and Mgmt interface as well. But for the FTD to talk to the HQ FMC there is a 1-to-1 NAT required, right? So it can reach the Internet-facing FMC IP from the FTD WAN/data/Mgmt interface.
While doing so, how can we maintain security? The reason I ask is that this way we are exposing the Mgmt interface over the Internet.