02-18-2021 09:29 AM
I have a remote site with a Cisco 1010 FirePower connected to our main datacentre via a Site-2-Site VPN....
The 1010 FTD is managed via the FMC located in our datacentre. I had to make a change to the DH groups on the VPN due to certain groups being deprecated in the latest version of FTD code 6.7....
Communication on tcp port 8305 between the FMC and FTD was NAT'ed to use the internet so if the VPN ever went down we could still manage the device... Unfortunately the NAT doesn't appear to work and the VPN has dropped meaning we have no remote management of the device.
After getting a remote worker to console onto the FTD I managed to get the running config and noticed the ikev2 policy was missing, this obviously hadn't deployed correctly when I made my DH group changes.
crypto ikev2 policy 1
 encryption aes-gcm-256 aes-gcm-192 aes-gcm
 integrity null
 group 21 20 19 14
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
Can anyone think of a way I can add this config in via a console connection?
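An added example (not from the thread or from Cisco): a small checker that parses a saved running config, flags the failure described above (no crypto ikev2 policy at all) and, for any policy present, reports DH groups outside the set the corrected policy keeps or an integrity/cipher mismatch. The config excerpts are constructed, and the accepted-group set is an assumption taken from the policy in the post, not a Cisco-published list.

```python
# Constructed running-config excerpts for this example (not from a real
# device): one with the corrected IKEv2 policy, one where the deployment
# silently dropped it, which is the state the post describes.
GOOD_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-gcm-256 aes-gcm-192 aes-gcm
 integrity null
 group 21 20 19 14
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ikev2 enable outside
"""
MISSING_CONFIG = "crypto ikev2 enable outside\n"

# DH groups the corrected policy keeps. Treating anything else as a finding
# is an assumption of this example, not a vendor deprecation list.
ACCEPTED_DH_GROUPS = {14, 19, 20, 21}
SUBCOMMANDS = {"encryption", "integrity", "group", "prf", "lifetime"}

def parse_ikev2_policies(config):
    """Map policy number -> its sub-commands, tolerant of lost indentation."""
    policies, current = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["crypto", "ikev2", "policy"] and len(parts) == 4:
            current = {"encryption": [], "integrity": [], "group": []}
            policies[int(parts[3])] = current
        elif current is not None and parts[0] in SUBCOMMANDS:
            current[parts[0]] = parts[1:]
        else:
            current = None  # any other top-level line ends the policy block
    return policies

def audit_ikev2(config):
    """Return findings; an empty list means the policy looks deployable."""
    policies = parse_ikev2_policies(config)
    if not policies:
        return ["no crypto ikev2 policy present: IKEv2 cannot negotiate"]
    findings = []
    for num, pol in policies.items():
        groups = {int(g) for g in pol["group"]}
        bad = sorted(groups - ACCEPTED_DH_GROUPS)
        if bad:
            findings.append(f"policy {num}: DH group(s) {bad} not in accepted set")
        aead = all(e.startswith("aes-gcm") for e in pol["encryption"])
        if pol["integrity"] == ["null"] and not aead:
            findings.append(f"policy {num}: integrity null requires AES-GCM ciphers")
    return findings
```

Run `audit_ikev2()` over the output of `show running-config` saved from the console session; an empty result for the good excerpt and a single "no crypto ikev2 policy present" finding for the stripped one is the expected behaviour.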
02-18-2021 09:40 AM - edited 02-18-2021 09:45 AM
If you are managing the FTD using an FMC then you cannot change the configuration using console, only via the FMC.
Did you change the policy, rather than adding a new one?
If you were managing the FTD over the VPN, then communication would be to the private/real IP address of the FMC, not the NAT address, right? You could remove the manager and re-add it using the internet/NAT IP address.
02-18-2021 09:44 AM
The IKEv2 policy is missing on the remote FTD (above is the config missing). I have run packet tracer on the DC end and the NAT seems fine...
02-18-2021 09:52 AM - edited 02-18-2021 09:59 AM
I amended my post above at the same time you responded, so you may have missed some questions.
If the FMC communication was via a VPN, was the IP address of the FMC a private IP address?
Where was this NAT configured, on the remote FPR1010 or the DC? How is that expected to work?
02-18-2021 10:07 AM
Looking at the NAT'ing at the remote FTD I think it's the return traffic which is routing back over the S-2-S VPN because of a global NAT being above the FTD management one.....
I had thought of amending the running config of the remote FTD and uploading it to the startup config, then doing a reload, but I only have console connectivity....
02-18-2021 10:13 AM - edited 02-18-2021 10:14 AM
You cannot change the configuration locally of an FTD if it is configured to be managed via an FMC.
You can only manage the FTD via the FMC.
02-18-2021 11:12 AM
It's a bit of a flaw in the design, don't you think.......
Everyone makes mistakes from time-to-time and if you deploy a policy that may take the FTD offline for any reason, the only way to change the config back is to return it back to the datacentre and connect it locally to where the FMC is.... Or am I missing something...
02-18-2021 11:28 AM
For remote FTDs, I've always put the mgmt interface in the same network as the outside interface. Mgmt via the FMC would always be over the internet. You aren't reliant on an existing VPN nor configuring the device in a DC before deploying.
In 6.7 you can now manage the FTD using the data interface, so no need for a dedicated mgmt interface.
You also have other mgmt options, such as FDM (locally) or using CDO (cloud based).
02-18-2021 11:52 AM - edited 02-18-2021 11:53 AM
Hi Rob,
Thanks for your responses....
Can you expand on the first sentence above please???? I'm intrigued....
I will try to explain how ours is currently setup:
The Management interface is physically connected back into one of the standard interfaces; this interface is classed as the management network and given a local internal IP address... Separate to the standard inside network....
On our DC FTD the FMC internal IP address is NAT'ed to a public IP address for traffic destined to the remote FTDs on TCP port 8305.
At the remote end the NAT sees traffic from the FMC public NAT'ed address and translates it back to the internal management address.
I'm guessing from your above statement I may be overcomplicating things....