access FDM via S2S Tunnel

Lee Dress
Level 1

I have a new FPR 1010.

I have a site-to-site tunnel to my main office.

I can access all devices in both locations from either side. I can ping everything but the firewall in the remote location,

therefore I can't manage it through the tunnel.

The management access rules are set to HTTPS - any-ipv4.

I've added HTTPS - inside, and HTTPS - remotelan (for the network I need to manage from).

The management access data interfaces are set to inside HTTPS - any-ipv4 and outside HTTPS - any-ipv4.

I can ping and manage the FPR from its inside network and from its outside network.

I need to be able to manage it (and hopefully ping it) through the VPN tunnel.

Any ideas?

On the old ASA devices all you had to type was "management-access inside" and the devices were manageable through the tunnel.

5 Replies

You should be able to manage it. You need to describe your topology and how the mgmt interface is reachable. Is it through the FTD or out of band?

S2S tunnel:

Main site 192.168.3.0/24 (ASA 5516-X) --> Remote site 192.168.13.0/24 (FPR1010)

The tunnel is established. I have NAT going both ways.

Access control policies say any main site --> any remote site, and vice versa.

The remote site can see everything in the main site.

The main site can see everything in the remote site (192.168.13.2-254) except 192.168.13.1 (the FPR).

Management access says HTTPS any-ipv4.

Data interfaces are inside HTTPS any-ipv4 and outside HTTPS any-ipv4.

I can manage the device from the 13 network.

I can manage the device from the outside network.

I CANNOT manage the device from the main site (192.168.3.0 network).

This used to happen on the ASA 5506-X that I am replacing, but when you sent the command "management-access inside" it cleared up. There is no such command that I can see on this device.

You can't manage the inside interface of the FTD from the outside network. Enable management on outside and limit it to the main office LAN IP. Then try to connect to the outside IP of the FTD.

**** please remember to rate useful posts

I need to access it through the tunnel.

Many of these devices will end up at a home user's site, where the device is DHCP-connected to their ISP.

I can't access the outside interface in these cases.

The 5506-X does it without issue.

I'm sure there has to be a setting to allow me to manage it through the VPN tunnel.

I figured out what to do.

I switched the management port from static 192.168.45.45 to 192.168.13.2 and plugged it into one of the other ports on the firewall.

I can now manage the device through the tunnel.

The old ASA 5506-X would allow you to manage it via the gateway address.

Either way, I found a workaround.
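For comparison with the ASA behaviour the thread keeps referring to, the fragment below shows what "management-access inside" does on an ASA and the settings that have to accompany it for the inside interface address to be manageable across the tunnel. This is an added example, not configuration taken from any post in the thread: the object and ACL names (REMOTE_LAN, MAIN_LAN, VPN_TO_MAIN) and the interface names are assumptions, while the networks are the ones given in the topology above (main 192.168.3.0/24, remote 192.168.13.0/24, remote firewall inside address 192.168.13.1). It also narrows the management sources to the main-office LAN rather than any-ipv4, which is the restriction the second reply recommended.

```cisco
! Remote-site ASA (inside 192.168.13.1/24), managed from the main office
! across the site-to-site tunnel. Example configuration, not from the
! thread; object, ACL and interface names are assumed.
object network REMOTE_LAN
 subnet 192.168.13.0 255.255.255.0
object network MAIN_LAN
 subnet 192.168.3.0 255.255.255.0

! Interesting traffic for the tunnel covers the whole remote /24, so
! packets to and from the firewall's own inside address (192.168.13.1)
! are encrypted as well, not just the hosts behind it.
access-list VPN_TO_MAIN extended permit ip 192.168.13.0 255.255.255.0 192.168.3.0 255.255.255.0

! NAT exemption so tunnel traffic keeps its real addresses both ways.
nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static MAIN_LAN MAIN_LAN no-proxy-arp route-lookup

! Allow traffic that enters on "outside" (i.e. through the VPN) to
! terminate on the "inside" interface address. Without this the inside
! address itself is unreachable from the far side of the tunnel even
! though the LAN behind it is.
management-access inside

! Restrict management to the main-office LAN instead of any-ipv4.
http server enable
http 192.168.3.0 255.255.255.0 inside
ssh 192.168.3.0 255.255.255.0 inside
icmp permit 192.168.3.0 255.255.255.0 inside
```

On the ASA, "show running-config management-access" confirms the setting is present. FDM on the FPR1010 offers no equivalent command, which is why the thread's workaround was to move the device's Management interface onto the inside network (192.168.13.2) and connect it to a switch port on the firewall, so it is reached through the tunnel like any other remote-site host.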