Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1803
Views
0
Helpful
3
Replies

FTD's in different cities: FMC deployment: public or private IP?

Go to solution
jencisco001
Level 1
Level 1

‎08-27-2020 03:17 PM

I have a quick question about my unique situation with Firepower (FTD) devices at each city.
I purchased the FMC for 10 licenses. (Firepower Management Center). I have FMC set up locally at Hilton Head Island, South Carolina. I am wanting to manage all the FTD's in each city (Boston, Chicago, Pittsburgh, Birmingham, New York, Atlanta, and Miami) via one Web Dashboard... so that's why I did the FMC for 10 licenses for now. Because I have FMC locally now, it is on a private IP: 10.0.X.X/24. However, if I am going to add other cities that are connected via S2S VPN and deploy any config changes, would I create the FMC on a public IP for easier access?
 
I see two choices:
 
  1. FMC in each city has a local IP address and I deploy any changes via a S2S secure VPN. OR....
 
2. FMC in each city has a Public IP address and I deploy any changes via the Internet. This might be less secure.
 
What is the best practice? Has anyone had this situation?
Thanks in advance for any advice.
 
Kind Regards,
Jen
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-28-2020 04:52 AM

As @Rob Ingram noted the sftunnel is encrypted (TLS 1.2 over tcp/8305). Some people are reluctant to expose any management interface to the internet, even encrypted - perhaps with good reason because ...bugs. In that case your option 1 is preferable.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎08-27-2020 11:31 PM

Hi,

You could NAT the FMC behind the local FTD and manage the other FTD's over the internet, communication between FTD and FMC is secured and encrypted using the sftunnel.

 

HTH

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-28-2020 04:52 AM

As @Rob Ingram noted the sftunnel is encrypted (TLS 1.2 over tcp/8305). Some people are reluctant to expose any management interface to the internet, even encrypted - perhaps with good reason because ...bugs. In that case your option 1 is preferable.

0 Helpful

Go to solution
jencisco001
Level 1
Level 1
In response to Marvin Rhoads

‎08-28-2020 06:28 AM

Hi Marvin

 

Thanks for the reply. So, from your response, option #1 is preferred. 

I would keep FMC and FTD in each city on a local IP Address (Boston, Chicago, New York, Atlanta, Pittsburgh, Birmingham). Then, I would simply continue to use my Headquarters FMC at Hilton Head Island and add these 6 FMC devices in each city to it with their local IP's for one management web dashboard. ( I have purchased the licensing for this already). The S2S tunnels would be the way that configs are deployed from Hilton Head FMC to the individual Cities like Birmingham. 

 

I am just typing this out to make sure I understand. There are no Public IP's for any FMC or FTD, correct?

 

Much appreciated,

Jen

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card