Remote configuration of an offline FirePower

rtromans01
Level 1

I have a remote site with a Cisco 1010 FirePower connected to our main datacentre via a Site-2-Site VPN....

The 1010 FTD is managed via the FMC located in our datacentre. I had to make a change to the DH groups on the VPN due to certain groups being deprecated in the latest version of FTD code 6.7....

 

Communication on tcp port 8305 between the FMC and FTD was NAT'ed to use the internet so if the VPN ever went down we could still manage the device... Unfortunately the NAT doesn't appear to work and the VPN has dropped meaning we have no remote management of the device. 

 

After getting a remote worker to console onto the FTD I managed to get the running config and noticed the ikev2 policy was missing, this obviously hadn't deployed correctly when I made my DH group changes.

 

crypto ikev2 policy 1
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 21 20 19 14
prf sha512 sha384 sha256 sha
lifetime seconds 86400

 

Can anyone think of a way I can add this config in via a console connection?

 

 

8 Replies

@rtromans01 

If you are managing the FTD using an FMC then you cannot change the configuration using console, only via the FMC.

 

Did you change the policy, rather than adding a new one?

 

If you were managing the FTD over the VPN, then communication would be to the private/real IP address of the FMC not the NAT address right? You could remove the manager and re-add using the internet/NAT ip address.

The IKEv2 policy is missing on the remote FTD (the missing config is shown above). I have run packet tracer on the DC end and the NAT seems fine...

 

I amended my post above at the same time you responded, so you may have missed some questions.

 

If the FMC communication was via a VPN, was the IP address of the FMC a private IP address?

Where was this NAT configured, on the remote FPR1010 or the DC? How is that expected to work?

Looking at the NAT'ing at the remote FTD I think it's the return traffic which is routing back over the S-2-S VPN because of a global NAT being above the FTD management one.....

 

I had thought of amending the running config of the remote FTD and upload to the startup config then doing a reload but I only have console connectivity....
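The ordering problem described in this post (a broad NAT rule sitting above the specific FTD-management rule, so the tcp/8305 return traffic hits the broad rule first) can be reproduced with a small first-match evaluator. This is an added illustration, not configuration or code from the thread; the addresses are constructed from RFC 5737 documentation ranges and the rule names and "action" strings are hypothetical labels, not FTD syntax.

```python
"""Added example: first-match NAT rule evaluation with broad vs. specific rule ordering."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    name: str             # hypothetical label for the rule
    src: str              # source network the rule matches
    dst: str              # destination network the rule matches
    dport: Optional[int]  # destination port, None = any
    action: str           # label for the translation/egress the rule implies


def first_match(rules: List[NatRule], src_ip: str, dst_ip: str, dport: int) -> Optional[str]:
    """Return the name of the first rule whose criteria fit the packet.

    ASA/FTD evaluate NAT rules top-down and stop at the first match, so a
    broad rule listed above a specific one shadows it for overlapping traffic.
    """
    for rule in rules:
        if (ip_address(src_ip) in ip_network(rule.src)
                and ip_address(dst_ip) in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == dport)):
            return rule.name
    return None


# Constructed sample addresses (documentation ranges, not real deployments).
FTD_MGMT = "192.0.2.10"      # remote FTD management address
FMC_PUBLIC = "203.0.113.5"   # FMC's NAT'ed public address

# Broad rule: everything from the remote site goes out via the S2S VPN path.
GLOBAL_VPN = NatRule("global-vpn", "192.0.2.0/24", "0.0.0.0/0", None, "egress via S2S VPN")
# Specific rule: only management traffic to the FMC's public address, tcp/8305.
MGMT_8305 = NatRule("ftd-mgmt-8305", "192.0.2.10/32", "203.0.113.5/32", 8305, "egress via internet")


def broken_order() -> Optional[str]:
    """Broad rule above the specific one: 8305 traffic is captured by 'global-vpn'."""
    return first_match([GLOBAL_VPN, MGMT_8305], FTD_MGMT, FMC_PUBLIC, 8305)


def fixed_order() -> Optional[str]:
    """Specific rule first: 8305 traffic hits 'ftd-mgmt-8305' as intended."""
    return first_match([MGMT_8305, GLOBAL_VPN], FTD_MGMT, FMC_PUBLIC, 8305)
```

Running both functions shows the same packet matching a different rule purely because of ordering, which is the check to make in the FMC NAT policy before assuming the translation itself is wrong.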

You cannot change the configuration locally of an FTD if it is configured to be managed via an FMC.

You can only manage the FTD via the FMC.

It's a bit of a flaw in the design, don't you think.......

 

Everyone makes mistakes from time-to-time and if you deploy a policy that may take the FTD offline for any reason, the only way to change the config back is to return it back to the datacentre and connect it locally to where the FMC is.... Or am I missing something...

For remote FTDs, I've always put the mgmt interface in the same network as the outside interface. Mgmt via the FMC would always be over the internet. You aren't reliant on an existing VPN nor configuring the device in a DC before deploying.

 

In 6.7 you can now manage the FTD using the data interface, so no need for a dedicated mgmt interface.

 

You also have other mgmt options, such as FDM (locally) or using CDO (cloud based).

Hi Rob,

 

Thanks for your responses....

 

Can you expand on the first sentence above please???? I'm intrigued....

 

I will try to explain how ours is currently setup:

 

The Management interface is physically connected back into one of the standard interfaces; this interface is classed as the management network and given a local internal IP address... Separate to the standard inside network.... 

 

On our DC FTD the FMC internal IP address is NAT'ed to a public IP address for traffic destined to the remote FTDs on tcp port 8305.

 

At the remote end the NAT sees traffic from the FMC public NAT'ed address and translates it back to the internal management address.

 

I'm guessing from your above statement I may be overcomplicating things.... 

 

 
