Cisco Defense Orchestrator

Managing FTD from the Inside Interface while using an On-Premise SDC

About Managing FTD from the Inside Interface 

Managing a Firepower Threat Defense (FTD) device using the inside interface may be desirable if the dedicated MGMT interface is assigned an address that is not routable within your organization; for example, it might only be reachable from within your data center or lab.  

Figure (ftd_mgmt_inside.jpg): the SDC at 192.168.1.10 manages the FTD through its inside interface, 192.168.1.1; the FTD's outside interface is 203.0.113.2.

Remote Access VPN Requirement

If the FTD you manage with CDO will be managing Remote Access VPN (RA VPN) connections, CDO must manage the FTD device using the inside interface. 

Manage FTD from the Inside Interface

This configuration method:

  1. Assumes that the FTD has not yet been onboarded to CDO.
  2. Configures a data interface as the inside interface.
  3. Configures the inside interface to accept management traffic (HTTPS).
  4. Allows the IP address of the SDC to reach the inside interface of the FTD.

Procedure 

  1. Log in to the FDM.
  2. In the System Settings menu, click Management Access.
  3. Click the Data Interfaces tab and click Create Data Interface.
    a. In the Interface field, select the pre-named "inside" interface from the list of interfaces.
    b. In the Protocols field, select HTTPS if it is not already selected.
    c. In the Allowed Networks field, select the network objects that represent the networks inside your organization that are allowed to reach the inside address of the FTD. The IP address of the SDC must be among the addresses allowed to reach the inside address of the FTD. Keep this list as narrow as your SDC placement allows: it is the control that limits which hosts can reach the management service on a data interface.

    In the diagram above, the SDC's IP address, 192.168.1.10, must be able to reach 192.168.1.1.

  4. Deploy the change. You can now manage the device using the inside interface.

What if you are using a cloud SDC? 

The process is very similar, except for these things:

  • Add a step that NATs the outside interface address (203.0.113.2) to the inside interface address (192.168.1.1), so that management traffic from the cloud SDC arriving on the outside interface reaches the inside address.
  • In step 3c of the procedure above, your "Allowed Networks" entry is a network group object containing the public IP addresses of the cloud SDC.
  • Add a step that creates an Access Control rule allowing access to the outside interface (203.0.113.2) only from the public IP addresses of the cloud SDC.

If you are a customer in Europe, the Middle East, or Africa (EMEA), and you connect to Defense Orchestrator at https://defenseorchestrator.eu, these are the public IP addresses of the cloud SDC:

  • 35.157.12.126
  • 35.157.12.15

If you are a customer in the United States, and you connect to Defense Orchestrator at https://defenseorchestrator.com, these are the public IP addresses of the cloud SDC:

  • 52.34.234.2
  • 52.36.70.147

If you are a customer in the Asia-Pacific-Japan-China (APJC) region, and you connect to Defense Orchestrator at https://www.apj.cdo.cisco.com/, allow inbound access from the following IP addresses:

  • 54.199.195.111
  • 52.199.243.0
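The following script is an added pre-flight check written for this article; it is not Cisco, CDO or FDM code, and it does not configure FDM. It validates what you are about to enter in Management Access > Data Interfaces (step 3c) for both the on-premises SDC procedure and the cloud SDC variant: that the SDC address(es) fall inside the Allowed Networks you chose, and that no entry is a catch-all. The region table is built from the cloud SDC addresses listed above and the sample addresses come from the diagram; the "catch-all is a problem" rule and the TCP reachability helper are the example's own assumptions, not requirements stated by the article.

```python
"""Pre-flight check for managing FTD through its inside interface.

Added example for this article; it is not Cisco/CDO/FDM code and does not
configure FDM. It validates what you are about to enter in Management Access >
Data Interfaces (step 3c), for both an on-premises SDC and a cloud SDC, and can
test plain TCP reachability of the FDM HTTPS port from the host it runs on.
"""
import ipaddress
import socket

HTTPS_PORT = 443

# Public IP addresses of the cloud SDC per CDO region, as listed in the article.
CLOUD_SDC_ADDRESSES = {
    "https://defenseorchestrator.com": ["52.34.234.2", "52.36.70.147"],
    "https://defenseorchestrator.eu": ["35.157.12.126", "35.157.12.15"],
    "https://www.apj.cdo.cisco.com": ["54.199.195.111", "52.199.243.0"],
}


def cloud_sdc_allowed_networks(cdo_url):
    """Return the host (/32) networks to place in the Allowed Networks group
    for the cloud SDC of the region you log in to."""
    key = cdo_url.rstrip("/")
    if key not in CLOUD_SDC_ADDRESSES:
        raise ValueError(f"unknown CDO region URL: {cdo_url}")
    return [ipaddress.ip_network(f"{a}/32") for a in CLOUD_SDC_ADDRESSES[key]]


def check_allowed_networks(sdc_addresses, allowed_networks):
    """Validate an Allowed Networks list against the SDC address(es).

    Returns a list of problems; an empty list means the entry is usable.
    Two things are checked:
      * every SDC address falls inside at least one allowed network, otherwise
        CDO (via the SDC) cannot reach FDM on the inside address;
      * no allowed network is a default route (0.0.0.0/0 or ::/0), because the
        Allowed Networks list is what limits who may reach the management
        service on a data interface (practitioner caveat assumed by this
        example; the article only requires that the SDC address be included).
    """
    problems = []
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    for a in sdc_addresses:
        addr = ipaddress.ip_address(a)
        if not any(addr in n for n in nets):
            problems.append(f"SDC address {addr} is not covered by any allowed network")
    for n in nets:
        if n.prefixlen == 0:
            problems.append(f"allowed network {n} permits any source; restrict it")
    return problems


def fdm_https_reachable(host, port=HTTPS_PORT, timeout=3.0):
    """True if a TCP connection to FDM's HTTPS port succeeds from this host.

    Run it on the on-premises SDC host after deploying the change. It checks the
    transport path only (routing, Allowed Networks, any filter in between), not
    the FDM certificate or credentials.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Addresses from the article's diagram: SDC 192.168.1.10, FTD inside 192.168.1.1.
    print("on-prem SDC:", check_allowed_networks(["192.168.1.10"], ["192.168.1.0/24"]) or "OK")

    # Cloud SDC (US region): the Allowed Networks group holds the cloud SDC's /32s;
    # the NAT and access rule from the article target the outside address 203.0.113.2.
    url = "https://defenseorchestrator.com"
    nets = [str(n) for n in cloud_sdc_allowed_networks(url)]
    print("cloud SDC:", check_allowed_networks(CLOUD_SDC_ADDRESSES[url], nets) or "OK")

    # A catch-all entry is flagged even though it technically covers the SDC.
    print("too broad:", check_allowed_networks(["192.168.1.10"], ["0.0.0.0/0"]))

    # Transport check against the diagram's inside address (expect False unless
    # you run this on a host that can actually reach that FTD).
    print("FDM HTTPS reachable from here:", fdm_https_reachable("192.168.1.1"))
```

Run it on the SDC host (or, for the cloud SDC case, anywhere) before you deploy: an empty problem list for your own SDC address and Allowed Networks entry is the condition step 3c asks for, and the reachability helper gives you a quick transport-level answer after the deploy without involving CDO.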


What to do Next 

In general, the recommended way to onboard an FTD device to CDO is the registration-token approach. In the scenario described here, however, after you have configured the inside interface to allow management access from the on-premises SDC through which CDO connects to the FTD, onboard the FTD device using its user name, password, and IP address. See Onboard an FTD Device Using Username, Password, and IP Address for more information. Connect using the IP address of the inside interface; in the scenario above, that address is 192.168.1.1.
