FTD registering to FMC scenario

tellis002

Afternoon everyone,

I have a project that involves one FMC appliance, and I will be joining about 14 5506-Xs (FTD image) to the server. The sites that will be getting a 5506-X with the FTD image just have a basic internet connection, no VPN tunnel, etc.

So, with that information, how should I go about registering the 5506-Xs to the FMC server? I mean, to make any configurations to the 5506-X you have to have it registered to the FMC. But, before I send out the 5506-X to the remote site, I need to get the following configuration configured on the 5506-X.

Basic configuration of the 5506-X:

- outside interface dhcp setroute

- inside interface static IP address

- PAT

- no access allowed inbound

Ideas: pre-register the 5506-X via the management interface while it is local on the site where the FMC is located. Make my configurations on the 5506-X. Then ship the 5506-X out; it gets the DHCP setroute, the static inside IP address is configured, PAT, etc., and everyone internally has internet. Then someone local on that site would have to inform me what their public IP address is. I could then SSH to the outside of the 5506-X FTD image, delete the configure manager add command (as the previous command would reference a private IP address and of course wouldn't find the FTD at that point due to no VPN tunnel, MPLS, etc.) and then re-configure the configure manager add using the NAT ID to the public IP address that would be NAT'd at a different physical location to the FMC.

Following that, in the FMC, join the 5506-X back using its own outside public IP address and re-deploy policies.

:) Think that will work? Is there a better way to go about this?

Thanks! - Tony
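The two-stage registration Tony describes, written out as an added example (not from the original post or Cisco documentation). The FMC addresses, registration key and NAT ID are placeholders; the commands are the documented FTD `configure manager add` / `configure manager delete` forms, and the FMC-side steps are noted as annotations, with the caveat the replies raise that re-registration removes the FMC-pushed NAT and routes the management traffic depends on.

```text
# Stage 1: FTD on the same LAN as the FMC (private address, no NAT ID needed)
> configure manager add 10.0.0.10 REGKEY_PLACEHOLDER
#   FMC: Devices > Device Management > Add Device
#        Host = FTD management IP, Registration Key = REGKEY_PLACEHOLDER
#   Register, push the basic policy (outside DHCP setroute, inside static, PAT, no inbound).

# Stage 2: after shipping, FTD reached on its outside interface; FMC only reachable
# on its public address (203.0.113.5 is a placeholder). The FTD's own PAT now carries
# the management interface's traffic, so the prior private-IP manager entry must go.
> configure manager delete
> configure manager add 203.0.113.5 REGKEY_PLACEHOLDER NATID_PLACEHOLDER
#   The NAT ID lets the FMC match this device by identifier rather than by a fixed source IP,
#   since the FTD arrives from its site's public address.
#   FMC: Add Device with Host left blank, Registration Key and Unique NAT ID as above,
#        then re-deploy the policy.
# Failure mode (per the replies): registration wipes the data-plane NAT and static routes,
# which are exactly what the management port needs to reach the FMC, so keep an
# out-of-band path or a separate NAT device for recovery.
```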

19 Replies

Just wanted to let you know why they don't support anything else at the moment. You could NAT the management address for a connection to FMC, but if for whatever reason you had to re-register your FTD device to FMC, it would remove the static routes and NAT configuration during the registration process, which will leave you with a device that can't receive configuration from the FMC because it deleted the required network configuration.

I talked with an engineering lead about this in December and they are working on a solution, but at the moment we can only work around this issue with the methods you posted.

Yeah, that is exactly what I found in my testing. It was very confusing what was happening, but I could confirm it all by going into the back end of the FTD, getting into the ASA CLI and doing some show commands.

Sure enough, NATs, etc.: the device was breaking itself so it couldn't finish.

As of a year later (March 2018) and Version 6.2.3 (at least, the beta as of a month ago), there was still no good solution. You need either an extra network or a separate NAT device (which could be a cheap Linksys or equivalent, or could be NAT functions on your Internet router if you have a spare port.)


It's possible to configure the FTD using DHCP for the management port, if you're careful enough, so that you can set it up with the FMC at HQ, then ship it out and plug it all back in, but you still have to use the FTD to provide the NAT for the management port, so if that ever gets messed up (say, because you deployed a bad configuration) you don't have a way to fix it remotely.

I hope Cisco is watching this thread. I've struggled with this problem in a lab environment and arrived more or less at the same solutions mentioned above. I've burned too much time trying to figure out something that should be straightforward. Furthermore, I do not find these "solutions" acceptable. It's quite baffling that this is still an issue. Very disappointing.

What if you change the flash to ASA instead of FTD? Then you can use the ASA to do a site-to-site VPN. You can assign the SFR module an IP address on the inside network and use that IP to connect to your FMC. Your FMC would be on the other end of the VPN tunnel and it would use the inside IP of the SFR module to manage it.

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200321-Management-of-SFR-Module-Over-VPN-Tunnel.html

HTH, Edgar
