Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
859
Views
1
Helpful
7
Replies

Staging FTD's for remote offices using datainterface for management

Chess Norris
Level 4
Level 4

‎11-20-2023 02:10 AM - edited ‎11-20-2023 02:20 AM

Hello,

I have a customer with remote offices spread around the world. We have a project where we going to exchange the ASA's with Firepower 1010's running FTD software and are managed by FMC. The peoples working in those remote offices are not technical at all so the goal is that they only need to power up the new firewall and use the cables from the old ASA and plug them into the new 1010 firewalls.

The customer already have the FMC and I have already migrate the config from ASA to FTD and are ready to start shipping out those 1010's. The FMC is managed over the data interface using a public internet address.

Now here's the question. Before shipping out this firewalls, I need to change the outside IP address and the static route. 

This means that I'll lose my management connection after deploying the changes. Is this the recommended approach or should I instead use the LinaConfigTool, make the changes and then configure the new outside IP address and the static route in FMC as soon as the device are up at the remote office?

If I make the changes in FMC and loose the connection, will the deploy timeout after a while or will it keep trying to deploy untill the connection get restored?

Does anyone have experience with this kind of scenario?

Thanks

/Chess

 

0 Helpful
7 Replies 7

MHM Cisco World
VIP
VIP

‎11-20-2023 02:22 AM

I mention before in your previous post

You need NAT-ID for ftd to connect to fmc

This way if you change outside public ip it not matter the fmc check  NAT-ID and mgmt the ftd.

MHM

0 Helpful

Chess Norris
Level 4
Level 4
In response to MHM Cisco World

‎11-20-2023 04:28 AM - edited ‎11-20-2023 04:33 AM

Hi,

I already manage the FTD's via the data interface using NAT-ID and there's no issues there.

The question was more what's the recommended way to change the outside address before shipping out the new firewalls, via FMC or LinaConfigTool? I can add that when preparing the firewalls, I am using a DHCP address from my ISP, but I need to change this to a static IP before shipping.

I just tried making the changes in FMC and deployed. As expected the communication was lost at the end of the deployment process, but both the static route and interface address change were properly applied to the FTD.

It than took about an hour before the deployment process timed out, but I can live with that.

/Chess

0 Helpful

MHM Cisco World
VIP
VIP
In response to Chess Norris

‎11-20-2023 05:57 AM

Can you share 

Show manager 

From ftd when change IP to static 

0 Helpful

Chess Norris
Level 4
Level 4
In response to MHM Cisco World

‎11-20-2023 11:33 PM

Here is the  output from "show managers"  It looks the same as before changing to static IP address, but I guess that's expected since it's only on the FMC side I specify the IP address of the FTD and not the other way around.

> show managers
Type : Manager
Host : 790cbbb8-8388-11ee-9145-0f81700b4803DONTRESOLVE
Display name : manager-1700033257.78123
Identifier : 941b7a16-c740-11ed-9352-c2dc96c75315
Registration : Completed
Management type : Configuration and analytics

 

/Chess

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Chess Norris

‎11-21-2023 12:51 AM

You should be able to use the cli command “configure network management data interface” to manage firewall on outside interface. Then temporarily unmanage from FTD, change to the new IP address (static or DHCP-assigned) once the device is deployed at the final location and re-manage (via moving the slider under the device details).

Chess Norris
Level 4
Level 4
In response to Marvin Rhoads

‎11-21-2023 06:39 AM - edited ‎11-21-2023 06:46 AM

Thanks.

Just to clarify. The device is already managed on outside interface. The only difference is that I use a DHCP address from my ISP when preparing the configuration.

Before shipping the device off, I need to change the IP to a static address (the same address their current ASA have). Therefore I belive the following steps should be enough, but please correct me if I'm wrong.

- In FMC, change the IP address on the outside interface from DHCP to the current static ASA IP address 

- Add a default route on outside interface and point it to the same IP address as the current ASA use (Their ISP router)

- Disable management in FMC (maybe not necessary)

- Deploy the changes (here I will of cause lose connection between FMC and FTD, but the interface and routing config should already been applied on the FTD).

- When the new Firewall is connected at the remote office, I will add the management address in FMC and re-enable management.

As long as management access between the FTD and FMC work when they exchange the ASA, we can fix any other configuration if necessary.

/Chess

0 Helpful

MHM Cisco World
VIP
VIP
In response to Chess Norris

‎11-21-2023 06:47 AM

I participate in other issue'

And my mind lamp is lighting when you mention static route.

I think the ftd when you add new static route have two route and that make traffic drop.

Can you make new static route with higher metric and check.

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card