742 Views, 3 Helpful, 16 Replies

Remote FTD to get managed from FMC through internet

titusroz03
Level 1

We have a requirement for managing an FTD from FMC through the internet, since our corporate network is a bit slow for management purposes.

My setup is like below. Our FMC is in one HQ DC and it doesn't have any NAT to communicate or to be accessed from the internet, and the remote FTD's management interface doesn't have one either.


I just want to get clarified what all the steps are to have this mgmt connectivity from the FTD to the FMC through the internet cloud. Could anyone help me with this?

 

16 Replies

@titusroz03

Create a static NAT on the Firewall in front of the FMC and permit the communication from the internet tcp/8305 (lock it down to the remote source IP addresses).

Set up the remote FTD using the data interface as its mgmt interface for communication with the FMC.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/740/management-center-device-config-74/get-started-device-management.html#task_imq_yw3_b3b

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215540-configure-verify-and-troubleshoot-firep.html
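As an added illustration of the two points above (static NAT for the FMC plus an inbound rule limited to tcp/8305 from the known remote source), not taken from the thread or from Cisco documentation, here is ASA-style CLI for the firewall sitting in front of the FMC. All addresses and object names are constructed placeholders; if the HQ firewall is itself an FTD managed by FMC, the same two pieces are built as a static NAT rule in the NAT policy and an Access Control rule in the FMC GUI rather than typed on a CLI.

```cisco
! Constructed placeholder addresses for this example:
!   FMC private IP       10.10.10.5     (inside, HQ DC)
!   FMC public IP        203.0.113.5    (spare address on the HQ firewall's outside network)
!   Remote FTD public IP 198.51.100.20  (the branch FTD's outside/data interface)

! Static NAT is bidirectional: inbound traffic to 203.0.113.5 is translated
! to 10.10.10.5, and the FMC's own outbound traffic appears as 203.0.113.5.
object network FMC-PRIVATE
 host 10.10.10.5
 nat (inside,outside) static 203.0.113.5

! The only source allowed to reach the FMC's sftunnel port from the internet.
object network REMOTE-FTD-PUBLIC
 host 198.51.100.20

! Inbound policy on the outside interface. On ASA 8.3+ syntax the ACL is
! written against the real (untranslated) address of the FMC.
! Only the known branch FTD may reach tcp/8305; everything else is denied and logged.
access-list OUTSIDE-IN extended permit tcp object REMOTE-FTD-PUBLIC object FMC-PRIVATE eq 8305
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
```

If more branch FTDs are added later, put their public addresses in an object-group and reference that group in the permit line instead of widening the source to any; the explicit logged deny at the end gives you a record of unexpected connection attempts against the FMC's public address.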

 

@Rob Ingram Create a static NAT for FMC, i.e. it must be a bi-directional NAT, right? And regarding the port, does it require only TCP 8305 or are any additional ports required?

And for the FTD, is it advisable or preferable to use a data interface instead of mgmt, because I was planning to configure a public IP on the MGMT interface of the FTD and get it registered to the FMC once it is configured like above.

@titusroz03 yes bi-directional NAT. You will require tcp/8305 between FMC and FTD to establish secure communication.

You may wish to permit SSH/SNMP etc for mgmt of the remote FTD.

It would be easier using the data interface for mgmt, but if you have a spare public IP address for the dedicated mgmt interface then you could use that.

Just to add to what @Rob Ingram mentioned, you can use a data interface instead of mgmt. From the official Cisco document: "Here you can optionally configure the device to use a data interface for management instead of the dedicated Management interface. The FMC access on a data interface is useful if you want to manage the Firepower Threat Defense remotely from the outside interface, or you do not have a separate management network." This change has to be performed on the Firepower Management Center (FMC) for an FTD managed by FMC.

 

please do not forget to rate.

titusroz03
Level 1

@Rob Ingram @Sheraz.Salim Thanks for your replies. I was thinking of using the MGMT interface for public access towards the FMC, but after your comments it wouldn't be a bad idea to utilize one of the data interfaces dedicated for management purposes.

But I have a doubt: in the initial process the FTD will allow configuring only the mgmt interface, and once we get FDM access through that interface we can start configuring the other interfaces, right?

And my other doubt is, can I have the same kind of bidirectional NAT on the remote FTD, where I configure a private IP on the data interface used for management and NAT it to a public IP for the access?

@titusroz03 Once you've established connectivity to the FMC via the data/mgmt interface, then you can configure the remaining data interfaces and policies etc.

1- Using a data interface to connect the FTD to the FMC does not mean that this data interface will not be used for data; it can be used for both data and mgmt.

2- Use the outside data interface to give the FMC access to the remote branch FTD.

3- Since the FMC is connected to a private network (behind the HQ FTD), you need to use NAT for tcp 8305 and open it.

MHM

 

titusroz03
Level 1

@MHM Cisco World @Rob Ingram Thanks for the inputs. So I can have the same outside interface for data/MGMT and create the SF tunnel and the S2S VPN tunnel on the same interface, correct? In this scenario I want to locally offload some internet and voice destinations instead of sending them over my VPN, which is route based (VTI). So putting static routes for those destinations was my plan; now along with those I have to add the FMC's public IP as well. Correct me if this is wrong.

 

@titusroz03 Yes, the data interface (outside interface) can be used for mgmt traffic in addition to the data traffic.

You will need static/dynamic routes for traffic over the VTI, the rest of the traffic can break out locally and be routed via the default route.

You have some basic SD-WAN capabilities, where you can route some applications via DIA and the rest of the traffic over the route-based VTI. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/760/management-center-device-config-76/sd-wan-capabilities.html

 

@Rob Ingram I could see the SD-WAN capabilities are based on applications, but here I want to route a certain application called RingCentral. How can I check if this application is available for DIA access like YouTube or Webex as shown in those examples?

If that is not available, then can I add certain internet destinations in PBR for DIA?

@titusroz03 Not all applications are predefined. Application-based Policy Based Routing (PBR) uses DNS snooping to map the application domains to IP addresses. So determine what domain names are used by your application and configure accordingly.

Do you actually need DIA though, will you not have a default route to the internet via the outside interface and DC networks via the VTI?

I have a BGP overlay between hub and branch, where a default-originate at the HUB device attracts all the traffic through the tunnel. Only certain destinations will be offloaded through DIA.

Correct. Configure a static route for the FMC IP via the WAN, not via the VTI.

MHM

titusroz03
Level 1

@Rob Ingram @MHM Cisco World Could you help me with any documents or blogs stating that this SFtunnel-through-internet design is secure, and about the encryption parameters on the SF tunnel? I can see from the documentation that it is a TLS tunnel, but if I can have more info it would be helpful. I have a lot of questions from my security team regarding this design. Appreciate your help on this.
