First off, this post is a response and an update to my previous post on the subject, found here: Add Remote Firepower Firewall to Firepower Management Center. The process we are talking about is adding a remote Firepower Threat Defense (FTD) firewall to a Firepower Management Center (FMC) at a different location. This used to be done by NAT'ing the management interface to the public IP used by the FTD firewall's outside interface. That is no longer possible with the new code and new firewalls like the Firepower 1010. The response from Cisco was that this changed because sending management-interface traffic through the data plane is considered risky. So here I was, sitting with a new FPR-1010 in hand, needing to connect it to an FMC appliance at another site. Here is what the new process I used looks like:
Firepower Management Center and the use of NAT-IDs
Take a look here for the guide on setting up an FTD firewall and connecting it to FMC. There is a key section on that page about NAT environments and the use of a NAT-ID:
Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication: the FMC specifies the device IP address when you add a device (see Add Devices to the Firepower Management Center), and the device specifies the FMC IP address (see the getting started guide for your model; or see Management Interfaces to change settings after initial setup). However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and to look up the correct registration key. The FMC and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration.
This is the key to the new connection process. In my old process, the FMC connected to the outside interface's IP of the new FTD firewall, since we NAT'ed the management port IP to that public IP. Now, the firewall initiates the connection to the FMC, and a unique NAT-ID identifies the device instead of its IP address.
First things first, the Firepower Management Center needs to be reachable from the Internet on TCP/8305 (the FMC/FTD management channel). You can, and should, restrict access to that port to the public IP addresses your remote firewalls will register from; nothing else on the Internet has any business talking to it, even though the channel itself is encrypted. I have this done using NAT and a free public IP from my pool.
Next comes the connection process itself. On the firewall side, you just need to connect its management interface to a wired network, anywhere, as long as it has Internet access and can reach the FMC's public IP on TCP/8305. This allows you to do the initial provisioning. From a console connection, run the manager configuration command like you usually would, but with a NAT-ID as the third argument:
configure manager add <public IP the FMC is reachable by> <registration key> <unique NAT-ID>
- The registration key is a shared secret that you enter on both the firewall and the FMC, and it is only used for the initial registration. It can be anything you make up but must match on both sides; since it is a one-time secret, use a random string rather than a memorable word, and do not reuse it across devices.
- The NAT-ID must be unique per device and cannot already be in use by another firewall registered with your FMC. Because you are not supplying a device IP address, the NAT-ID is what the FMC uses to match the incoming registration to the device record you create.
Once this is complete, you can add the firewall within your FMC itself. This is done in a similar way as any other firewall, with a few changes. First, make sure the registration key and NAT-ID you enter in FMC are exactly what you used in the previous command. Then assign a name and an access policy to use. One thing to note, as seen in the image below: you are NOT specifying an IP address this time. The firewall calls out to the FMC once you enter the configure manager command above. The FMC identifies which firewall is calling home, and which policies to send it, based on the NAT-ID you specified rather than the management/host IP address as in the past. That is the major difference in this new process when the FTD firewall is in a NAT environment.
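To make the two halves of the procedure above concrete, here is a small added example (my own code, not from the original post or from Cisco) that generates the registration key and NAT-ID, renders the FTD-side configure manager add command, builds the FMC-side device record, and checks that the two agree before you type anything. The device-record field names (natID, regKey, hostName, accessPolicy, license_caps) follow the FMC REST API devicerecords object as I understand it and should be verified against your FMC's API Explorer; the FMC IP, device name and access-policy ID are constructed placeholders. It runs offline and talks to nothing.

```python
import json
import secrets
import string

# FMC/FTD management channel. Only this port needs to be reachable on the FMC,
# and only from the public IPs the remote firewalls register from.
TCP_SFTUNNEL_PORT = 8305


def new_registration_key(length=24):
    """Random one-time registration key.

    It only has to match on both sides for the initial registration, so it should
    be random and unique per device rather than a memorable word.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def new_nat_id(existing_nat_ids, prefix="ftd"):
    """Pick a NAT-ID not already used by another device registered with this FMC."""
    existing = set(existing_nat_ids)
    for _ in range(100):
        candidate = f"{prefix}-{secrets.token_hex(4)}"
        if candidate not in existing:
            return candidate
    raise RuntimeError("could not find an unused NAT-ID")


def ftd_manager_command(fmc_public_ip, reg_key, nat_id):
    """The command typed at the FTD console to point the device at the FMC."""
    for value in (reg_key, nat_id):
        if not value or any(c.isspace() for c in value):
            raise ValueError("registration key and NAT-ID must be non-empty with no whitespace")
    return f"configure manager add {fmc_public_ip} {reg_key} {nat_id}"


def fmc_device_record(name, reg_key, nat_id, access_policy_id, license_caps=("BASE",)):
    """Body for the FMC side of the registration (devicerecords object, assumed field names).

    Deliberately no hostName: the device calls in, so the FMC matches it on natID.
    """
    return {
        "name": name,
        "natID": nat_id,
        "regKey": reg_key,
        "type": "Device",
        "license_caps": list(license_caps),
        "accessPolicy": {"id": access_policy_id, "type": "AccessPolicy"},
    }


def sides_match(command, record):
    """Parse the FTD command back out and confirm key and NAT-ID agree with the FMC record."""
    parts = command.split()
    if len(parts) != 6 or parts[:3] != ["configure", "manager", "add"]:
        return False
    _fmc_ip, reg_key, nat_id = parts[3], parts[4], parts[5]
    return reg_key == record["regKey"] and nat_id == record["natID"]


if __name__ == "__main__":
    # Constructed sample values: documentation IP range, placeholder policy ID.
    fmc_public_ip = "203.0.113.10"
    already_registered = ["ftd-0a1b2c3d"]   # NAT-IDs your FMC already knows about
    key = new_registration_key()
    nat_id = new_nat_id(already_registered)
    cmd = ftd_manager_command(fmc_public_ip, key, nat_id)
    record = fmc_device_record("fpr1010-siteB", key, nat_id, "00000000-0000-0000-0000-000000000000")
    print("FTD console:", cmd)
    print("FMC device record:", json.dumps(record, indent=2))
    print("sides match:", sides_match(cmd, record))
```

The point of sides_match is the failure mode you hit in practice: a key or NAT-ID mistyped on one side means the device calls home and the FMC silently never pairs it with the record, so generate both values once and derive both sides from the same strings.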
Once this was done and I clicked register, the device was added to FMC just like usual. We then created policies, applied updates, etc. with no issues. This new process has been as reliable and stable as the old NAT process in my old post. Keep this new process in mind, and let me know if you have any issues!