Connect Firewall to FMC Through NAT Device

Normally, connecting a firewall to a Firepower Management Center (FMC) server is a short, simple process, because in many deployments the FMC and the FTD firewall sit on the same network with no NAT involved. So what happens when the firewall is out on the internet and there is a NAT device in the middle? I ran into this recently and had never used this method, so here is what I ended up doing.


I used the Cisco guide here: https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118596-configure-firesight-00.html#anc2. There is one part to pay special attention to:

However, if the device and the FireSIGHT Management Center are separated by a NAT device, enter a unique NAT ID along with the registration key, and specify DONTRESOLVE instead of the hostname, for example:

configure manager add DONTRESOLVE my_reg_key my_nat_id

This is the part that I was missing all along. I was specifying the FMC by IP address like normal. I went ahead and changed the command I was entering on the FTD firewall to:


configure manager add DONTRESOLVE 123456

Then I made sure to use 123456 as the NAT-ID when I was adding the firewall in the FMC. When you connect to an FMC server through a NAT device this way, the FMC is the side reaching out to the FTD firewall, and the NAT-ID is what matches the FMC and the FTD to each other and allows the connection to be established.

Not sure where the NAT-ID goes in FMC? You’re going to want to expand the advanced section of the “Add Device” screen. Once that’s done, go ahead and continue adding the device as you normally would.

Kevin Blackburn


Cisco CCNP, Senior Network Engineer in the Healthcare Industry. Currently working on my CCIE R&S which is the focus of most of my latest blog posts. #NFD15 Delegate.
