Normally, connecting a firewall to a Firepower Management Center (FMC) is a short, simple process, because in many deployments the FMC and the FTD firewall sit on the same network with no NAT in between. So what happens when the firewall is out on the internet and there is a NAT device in the middle? I ran into this recently and had never used this method, so here is what I ended up doing.
I used the Cisco guide here: https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html#anc2. There is one part to pay special attention to:
However, if the device and the FireSIGHT Management Center are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:
configure manager add DONTRESOLVE my_reg_key my_nat_id
This is the part that I was missing all along. I was specifying the FMC by IP address, as usual. I went ahead and changed the command I was entering on the FTD firewall to:
configure manager add DONTRESOLVE 123456
Then I made sure to use 123456 as the NAT ID when I was adding the firewall in the FMC. When you register through a NAT device this way, the FMC reaches out to the FTD firewall rather than the FTD reaching out to the FMC, so the NAT device has to let the FMC reach the FTD's management port (TCP 8305). The NAT ID is what lets the FMC and the FTD match each other and permit the connection, so the value entered on the FTD must exactly match the value entered in the FMC. Note that the Cisco syntax quoted above takes both a registration key and a NAT ID after DONTRESOLVE; whatever you type on the device is what you will need in the FMC.
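As an added check (example code, not part of the original post and not a Cisco tool), the Python below composes the FTD command from its three arguments, refusing DONTRESOLVE without a NAT ID as the Cisco syntax quoted above requires, works out which side initiates the registration, and probes whether that side's target port is reachable. The function names are hypothetical, and TCP 8305 as the FMC/FTD management (sftunnel) port is assumed here.

```python
import socket

# Assumed: the FMC and FTD talk over TCP 8305 (sftunnel). Not taken from the post.
FTD_MGMT_PORT = 8305


def build_configure_manager_cmd(fmc_host, reg_key, nat_id=None):
    """Compose the FTD CLI command 'configure manager add <host> <reg_key> [nat_id]'.

    Per the Cisco syntax quoted in the post, DONTRESOLVE must be accompanied by
    a NAT ID, because that ID is the only thing the FMC can use to match the device.
    """
    if fmc_host == "DONTRESOLVE" and not nat_id:
        raise ValueError("DONTRESOLVE requires a NAT ID so the FMC can match the device")
    parts = ["configure", "manager", "add", fmc_host, reg_key]
    if nat_id:
        parts.append(nat_id)
    return " ".join(parts)


def registration_plan(fmc_host, device_public_ip):
    """Return which side opens the connection and which address:port must be reachable.

    With DONTRESOLVE the device does not know where the FMC is, so the FMC must
    reach the device (through the NAT device's forwarded port). Otherwise the device
    connects to the FMC address it was given.
    """
    if fmc_host == "DONTRESOLVE":
        return {"initiator": "fmc", "probe_from": "fmc",
                "target": (device_public_ip, FTD_MGMT_PORT)}
    return {"initiator": "ftd", "probe_from": "ftd",
            "target": (fmc_host, FTD_MGMT_PORT)}


def port_reachable(host, port=FTD_MGMT_PORT, timeout=3.0):
    """TCP connect test; True if a listener answers, False on refusal/timeout/DNS failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def nat_ids_match(device_nat_id, fmc_nat_id):
    """The NAT ID is compared as an exact string on both ends; trailing spaces count."""
    return device_nat_id == fmc_nat_id


if __name__ == "__main__":
    # Constructed values mirroring the post's example, not real infrastructure.
    cmd = build_configure_manager_cmd("DONTRESOLVE", "my_reg_key", "123456")
    plan = registration_plan("DONTRESOLVE", "203.0.113.10")
    print("On the FTD, run:", cmd)
    print("Registration is initiated by the", plan["initiator"],
          "so from the", plan["probe_from"], "check", plan["target"])
    print("Reachable:", port_reachable(*plan["target"]))
```

Run the probe from the FMC's side of the NAT (with the device's public address) before clicking through "Add Device"; a False there means the NAT device is not forwarding the management port and the registration will hang regardless of how carefully the NAT ID was copied.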
Not sure where the NAT ID goes in FMC? You're going to want to expand the advanced section of the "Add Device" screen. Once that's done, go ahead and continue adding the device as you normally would.