Unable to access inside interface for MGMT on FTD over site-to-site VPN

Travis-Fleming
Level 1

Hello, I do have a Cisco TAC case open, but they've had it for a few weeks now and are still working on it with no luck. Maybe someone here can help.

I have a new Cisco FTD 1010 running management through FDM. I want to take the 1010 and deploy it to a home user with DHCP on the outside interface, and have it create a site-to-site VPN to our corporate HQ. This is not the problem; I have that working great.

However, I want to be able to monitor that device via SolarWinds SNMP and be able to manage it via the inside interface IP.

I've tried a bridged interface, as well as using the vlan1 interface with all the ports as switch ports. I've assigned the inside IP 10.10.73.1 to the bridge and to the vlan1 interface on two different 1010 devices. I can manage and do SNMP polls with my setup when I'm on the same subnet (10.10.73.0/24). However, from over the site-to-site tunnel, I cannot ping, SNMP, or web manage that 10.10.73.1 IP. I can, however, do all of that to the outside public IP, but since these are home users, that IP will be forever changing on DHCP.

A system support trace will show an ICMP ping to an internal client connected to the device on the 10.10.73.0/24 subnet, but will not show a ping to 10.10.73.1. We have a static route on our HQ core Nexus pointing 10.10.73.0/24 traffic to our HQ Cisco firewall where the VPN is terminated, so I don't think getting traffic to the device is the problem.

I'm thinking this is a Cisco bug, where the inside management interface will not respond to any requests from outside the same subnet. What do you guys think?

Accepted Solution

Travis-Fleming
Level 1

For those curious about the answer, it's an enhancement request by Cisco through my TAC case.

From the TAC case engineer:

 

"I had a discussion with high resources that are already involved on my own ticket and they concluded that this is just not supported on FTD code like it is on the ASA code. Having said that, we are in the process of opening an enhancement request so this can be included in future releases."

4 Replies


Hi! I have this issue with 6.6.1 code. Do you know if it's fixed? /E

@erik.dalera

To manage the FTD over a VPN tunnel you will need to configure the command "management-access inside"; you will need to do this using FlexConfig.
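
As an added illustration (not part of the original reply or of Cisco's documentation), this is what the FlexConfig object from the reply above and the follow-up checks would look like. It assumes the interface is named "inside" as in the original post, and the object name is made up for the example:

```text
! FDM: Device > Advanced Configuration > FlexConfig Objects
! Object name (assumed for this example): Mgmt_Access_Inside
!
! Template (pushed to the device when the object is in the FlexConfig policy):
management-access inside
!
! Negate Template (run when the object is later removed from the policy):
no management-access inside
!
! After adding the object to the FlexConfig policy and deploying, verify from
! the FTD CLI (> system support diagnostic-cli):
!   show running-config management-access   -> should print "management-access inside"
!   show crypto ipsec sa                    -> #pkts encaps/decaps should increase
!                                              while 10.10.73.1 is pinged from HQ
```

Two things worth checking alongside this: only one interface can be designated with management-access, and the site-to-site VPN's protected networks must cover the inside interface address itself (10.10.73.1 is inside 10.10.73.0/24, so the setup described in the post already satisfies that). If the `show crypto ipsec sa` counters do not move while pinging 10.10.73.1, the traffic is not reaching the tunnel and the HQ-side routing and crypto ACL are the place to look rather than the FTD.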

Thanks! Now I can ping my inside interface over the tunnel. But SNMP still doesn't work to the inside/mgmt interface over the VPN tunnel. Do I need some other FlexConfig command?

And I am having trouble enabling RADIUS over the tunnel. I've configured a RADIUS server pointing to our on-prem ISE server, but I don't get connectivity over the tunnel. Is this supported?
