FTD Management using FMC over VPN

ste.ant
Level 1

Hi,

I'm confused as to how to manage a remote FTD device using FMC located at another site:

FTD (site 1) --- VPN --- [ASA w/ FP --- FMC] (site 2)

With ASA I would select a "management" interface to manage the ASA over the VPN tunnel, but how do I accomplish this with FTD?

FTD is the only device at site 1 and will be responsible for the VPN tunnel to site 2.

Thank you,

Steve
9 Replies

TJ-20933766
Spotlight

FTD devices have a management interface that is used to talk with (and be managed by) the Firepower Management Center (FMC). You can manage a remote FTD in one of two ways:

1. FTD must have a static IP address for its management interface that the FMC can reach. In this case you would actually need two static IP addresses from the ISP; one for the management interface and one for the data interface. This sometimes isn't an option and DHCP is the only way to address the FTD. In that case, refer to option 2.
2. The FMC must have a static NAT address that the FTD can reach. This option also requires a firewall rule allowing traffic destined for TCP 8305 from your OUTSIDE zone to the INSIDE zone (or wherever the FMC lives).

I'm going to go with option 2 and assume that a static NAT address has already been created for the FMC as 1.2.3.4.

Connect the remote FTD's management interface into the ISP to get an IP address via DHCP (if you have a static IP then that will work too. I'm assuming you might not have one.) Verify you have an address with the following command:

> show network
(output omitted...)
-----------------------[ IPv4]-----------------------
Configuration              : DHCP
Address                    : 4.3.2.1
Netmask                    : 255.255.255.0
Broadcast                  : 4.3.2.255

The management interface will respond to pings if you need to ping it for troubleshooting.

On the remote FTD, you'll use the command "configure manager add [FMC public IP] [password] [NAT-ID]". The NAT-ID will be different for all remote FTDs that you manage in this way.

> configure manager add 1.2.3.4 MyS3cretP@ssword 12345

On the FMC, add the remote FTD using the same password and NAT-ID but do not fill in the "Host" field unless you assigned a static IP address to the FTD's management interface. This is because the FMC is waiting for the FTD to initiate the connection. Be sure to click the Register button and wait. The FTD should show up in the FMC and you can start configuring it from there to get connectivity and the VPN established back to the main site.
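A small planning helper for the procedure above, added here as an example and not code from the post or from Cisco: it parses the IPv4 block of the `show network` output quoted earlier, decides whether the FTD must initiate (DHCP or RFC 1918 management address, i.e. option 2) or the FMC can reach it (static public address, option 1), and emits the `configure manager add` line, the value for the FMC "Host" field and the TCP 8305 rule. The zone names, the regex and the helper function names are assumptions.

```python
import ipaddress
import re
import secrets

FMC_PORT = 8305  # TCP port the FTD must reach on the FMC's public (NATed) address

SAMPLE_SHOW_NETWORK = """\
-----------------------[ IPv4]-----------------------
Configuration              : DHCP
Address                    : 4.3.2.1
Netmask                    : 255.255.255.0
Broadcast                  : 4.3.2.255
"""  # constructed sample, copied from the 'show network' output quoted in the post

def parse_ipv4_section(output):
    """Return the key/value pairs under the '[ IPv4]' banner of 'show network'."""
    match = re.search(r"\[ ?IPv4 ?\]-*\n(.*?)(?=\n-{5,}|\Z)", output, re.S)
    if match is None:
        raise ValueError("no IPv4 section found in show network output")
    fields = {}
    for line in match.group(1).splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def registration_plan(show_network, fmc_public_ip, reg_key=None, nat_id=None):
    """Decide which side initiates and produce both ends of the registration."""
    net = parse_ipv4_section(show_network)
    mgmt_addr = ipaddress.ip_address(net["Address"])
    dynamic = net.get("Configuration", "").upper() == "DHCP"
    # FMC can only dial the FTD when its management address is static and public
    # (option 1); otherwise the FTD dials out and the FMC 'Host' field stays blank (option 2).
    ftd_initiates = dynamic or mgmt_addr.is_private
    reg_key = reg_key or secrets.token_urlsafe(16)    # one-time registration key
    nat_id = nat_id or str(secrets.randbelow(10**8))  # must differ per remote FTD
    return {
        "ftd_initiates": ftd_initiates,
        "ftd_command": f"configure manager add {fmc_public_ip} {reg_key} {nat_id}",
        "fmc_host_field": "" if ftd_initiates else str(mgmt_addr),
        "nat_id": nat_id,
        # Rule at the FMC site for option 2; zone names follow the post's wording (assumed).
        "firewall_rule": {"proto": "tcp", "dst": fmc_public_ip, "dport": FMC_PORT,
                          "src_zone": "OUTSIDE", "dst_zone": "INSIDE"},
    }

def nat_ids_unique(plans):
    """The post requires a distinct NAT-ID per remote FTD; True if none collide."""
    ids = [plan["nat_id"] for plan in plans]
    return len(ids) == len(set(ids))
```

Running `registration_plan(SAMPLE_SHOW_NETWORK, "1.2.3.4", "MyS3cretP@ssword", "12345")` reproduces the command from the post and leaves the Host field blank, since the sample address came from DHCP.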

Hi Tyson,

Thank you for the quick reply; what you're saying makes perfect sense.

If I have a single Internet IP address (DHCP assigned from ISP NAT router), will I be able to connect both the Management and Data interfaces to the ISP router (both receiving an RFC 1918 IP address) and still connect back to FMC for FTD management and VPN tunnel establishment?

Thanks,

Steve

@ste.ant 

From FTD 6.7 you can configure a data interface for management purposes, so no need for a dedicated management interface.

 

More information:-

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html

You can use a data interface as both the WAN & management of the device. This would allow you to only use a single IP address at the remote location for the FTD. There are some drawbacks:

  • Routed firewall mode only
  • High Availability is not supported
  • Clustering is not supported
  • PPPoE is not supported

Source: https://www.cisco.com/c/en/us/td/docs/security/firepower/misc/fmc-ftd-mgmt-nw/fmc-ftd-mgmt-nw.html#Cisco_Concept.dita_a3adf1ee-a270-4ff4-8b7b-3f9a3f4f1636

Commands:

> configure network management-data-interface
Data interface to use for management: ethernet1/1
Specify a name for the interface [outside]:
IP address (manual / dhcp) [dhcp]:  
DDNS server update URL [none]: 
Do you wish to clear all the device configuration before applying ? (y/n) [n]:

Configuration done with option to allow FMC access from any network, if you wish to change the FMC access network 
use the 'client' option in the command 'configure network management-data-interface'.

Setting IPv4 network configuration.
Network settings changed.

Hi Tyson,

This only works for 6.7 and later; I'm currently running 6.6.1. Back to my previous question: can I manage and bring up a VPN tunnel using a single IP address from the ISP NAT router (using a single dynamic IP address)?

Thank you,

Steve

Yes

Thanks Tyson

Steve

Hi Tyson,

If the only WAN interface I have got is PPPoE without a router, can I configure one of the internal interfaces as a management interface and set up a site-to-site VPN between the remote site and HQ using that PPPoE interface, and use routing to make that management subnet routable to the FMC?

With internal interface: FTD (site 1 PPPoE) --- VPN --- [FTD --- FMC] (site 2)

@TJ-20933766

Hi Tyson,

In my situation I have remote FTDs using the inside interface IP as the management IP (in other words, the FTD management IP is from the encryption domain at the remote end), since the HQ FMC reaches the remote FTD after the VPN is established. It is kind of a chicken-and-egg situation.

To improve this, I am planning to reconfigure the remote FTD outside interface and management interface as well. But for the FTD to talk to the HQ FMC, a 1-to-1 NAT is required, right? So it can reach the Internet-facing FMC IP from the FTD WAN/data/management interface.

While doing this, how can we maintain security? The reason I ask is that this way we are exposing the management interface over the Internet.
