08-06-2020 06:47 AM
We are upgrading all of our 5506x devices to FPR 1010 in the very near future.
I would like to be able to manage the access policies with my FMC the same way we do with our 5506 devices
My FMC is on my LAN inside the corporate office.
if you tell an FPR 1010 to become managed by your FMC, do you have to build the VPN tunnels in FMC, or are they still managed from the device like the ASA is?
here's my current configuration summary
ASA 5516 -> outside facing
ASA 5506 -> connect via IKEv2 tunnel to ASA 5516 outside interface
the sfr modules on the 5506 devices talk through the Ikev2 tunnel to the FMC to get their policies.
I don't know how I would build a VPN tunnel with FMC if it's inside the LAN behind the 5516
thanks for any advice.
Lee
08-06-2020 06:56 AM - edited 08-06-2020 06:59 AM
Hi,
Assuming you run the FTD software on the FPR1010 instead of ASA software, then all configuration interfaces, routing, VPN etc is configured on the FMC (unless you use FMD for local management or CDO for cloud based management).
If you place the FPR1010 behind another firewall you'd have to permit inbound traffic (udp/500, udp/4500, esp) through the 5516. Instead of doing that, why not replace the 5516 with the FPR1010? Running FTD software you get all the latest NGFW features.
HTH
08-06-2020 07:18 AM
the 5516 is my main corporate firewall used for everything. I don't think an FPR1010 would be able to handle the traffic a 5516x would.
it connects all of my remote offices to corporate, is the main anyconnect portal, has two outside interfaces going to 2 different ISPs, a DMZ, etc,etc...
it also has 3 offices that run asa 5508 connected to it.
that device is not going to be replaced.
I am running FTD on my one FPR1010 that I currently have.
I've setup a test VPN Tunnel as if it was in one of the "home offices" that some of my employees have. I used the FTD on the device to configure that, but I want to use my FMC to be able to manage the traffic policies. this is the way the 5506 devices are configured.
08-06-2020 07:38 AM
08-06-2020 08:05 AM
I don't think you are seeing my point (unless I don't understand)
I would like the VPN portion of the FPR1010 to run locally, and manage the policies by the FMC.
I don't know how I would point a remote FPR 1010 to my internal FMC to build a VPN Tunnel.
08-06-2020 08:11 AM - edited 08-06-2020 08:19 AM
Ok. The FMC will only manage all the configuration for the FTD. You don't terminate the VPN on the FMC, when you run the VPN wizard on the FMC you define the FTDs to setup a VPN tunnel between - the remote 1010 and the local 1010. The FMC just configures the devices and pushes out the configuration.
Example:-
08-07-2020 02:02 PM
I will try all of this in a lab next week.
problem is, my 1010 doesn't terminate to another 1010. it terminates to an asa 5516x with firepower.
all I want to do is run the VPN via the local device, and manage the policies with FMC.
if that won't work I'll probably need another 1010 to terminate all of my 1010 devices and keep my ASA devices on a different public IP.
08-07-2020 09:42 AM
Is the question how you'd manage the FTD appliance via the FMC that's across a vpn when you have to build the vpn from within the FMC and push it out to the FTD so it knows how to build the tunnel (sort of the chicken and the egg scenario)? If you have a spare public ip at each location you could manage the FTD via that ip. If that's not possible you might be able to get away w/ configuring the device using a temp ip on your lan, just use something like this on the device:
configure manager add DONTRESOLVE my_key ftd_remote1
Then add it to the FMC using the temp ip and the nat-id. Build everything out like it should be and deploy it to the box. Once the FTD has the correct configuration, disconnect it from the LAN, login locally to the device and update the management interface ip and default gateway as required. Once the device gets onsite, go into the FMC, change the host ip address on the Devices tab. If the vpn comes up and there is connectivity the device should check in.
I'd give it a try in a lab if possible but I think that should work.
08-07-2020 11:45 AM
Your latter method was what they taught us in Cisco field engineer training as a valid method. They recommend to unmanage it once disconnected from the staging site and change the management IP (in FMC) to the new one.
Once you've deployed and done the "configure network" to change the management address and gateway on the remote end it should, as you noted, "check in". Once that is verified I'd deploy once more to make sure everything syncs from FMC.
08-07-2020 01:22 PM
Yes, forgot to mention disabling the management of the box under devices until it is ready to check in again. I've used it in the past to do a couple of sites and had good success with it.
08-06-2020 11:21 AM
When you build a VPN tunnel in an FMC-managed FTD device and the remote end isn't managed by FMC it's known as an "Extranet" device. You just enter its IP address in the VPN definition and the parameters for the FTD end to match what's setup in that remote device.
08-07-2020 02:06 PM
I have been anle to create a vpn between an ASA and the FPR1010 using the local management of the 1010 and the 5516x.
I'd like to keep that part as is and manage the access control url and malware policies in FMC the was the asa 5500x devices do it.
08-07-2020 03:17 PM
Ah. I don't think that's possible. As far as i know FTD is either FMC managed or the on-box. Going from 1 to the other wipes the configuration and you start from scratch. That might have changed but that's what it was the last I heard.
08-08-2020 05:00 AM
Correct - switching an FDM- (or CDO-) managed FTD device to being FMC-managed will wipe out any existing configuration other than the basic management interface setup that's done out of the box.
08-12-2020 09:33 AM
his blew up in my face.
the device lost it's mind. I tired to fall back to local management, but the config was gone.
I tried a factory reset after that and now I can't get any interfaces to work except the management interface on the FPR1010
and because I don't even know how to understand any of the new language I can't figure out how to get it to work at all. I was able to program the management interface, but when I try to login it says "application cannot be opened" try again or reimage with the latest release.
and I can't find documentation on that.
this is not a straight ASA 5506x replacement (which is what I was told by Cisco sales of course)
I'm slightly disheartened. and by slightly I mean completely.
thanks cisco!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide