Cisco Defense Orchestrator

Managing a Firepower Threat Defense Device from the Outside Interface while using an On-Premise SDC

About Managing a Firepower Threat Defense Device from the Outside Interface

Managing a Firepower Threat Defense (FTD) device from the outside interface may be desirable if you have only one public IP address assigned to a branch office and CDO reaches the device through an on-premise Secure Device Connector (SDC) located at another site.

[Diagram: ftd_mgmt_outside.jpg]

This configuration doesn't mean that the physical MGMT interface is no longer the device's management interface. If you were in the office where the FTD was located, you would be able to connect to the address of the MGMT interface and manage the FTD directly. 

Remote Access VPN Requirement

If the FTD you manage with CDO will be managing Remote Access VPN (RA VPN) connections, CDO will not be able to manage the FTD device using the outside interface. See Managing a Firepower Threat Defense Device from the Inside Interface instead.

Manage the Firepower Threat Defense Outside Interface

This configuration method:

  1. Assumes that the FTD has not been on-boarded to CDO.
  2. Configures a data interface as the outside interface.
  3. Configures management access on the outside interface.
  4. Allows the public IP address of the SDC (after it has been NAT'd through the firewall) to reach the outside interface.

Procedure

  1. Log in to the FDM.
  2. In the System Settings menu, click Management Access.
  3. Click the Data Interfaces tab and click Create Data Interface.
    1. In the Interface field, select the pre-named "outside" interface from the list of interfaces.
    2. In the Protocols field, select HTTPS if it is not already selected. CDO only needs HTTPS access.
    3. In the Allowed Networks field, create a host network object containing the public-facing IP address of the SDC after it gets NAT'd through the firewall.

     In the diagram above, the SDC's IP address, 10.10.10.55, would be NAT'd to 203.0.113.2. For the Allowed Network, you would create a host network object with the value 203.0.113.2.

  4. Create an Access Control rule on the FDM that allows management traffic (HTTPS) from the public IP address of the SDC to the outside interface of your FTD. In this scenario, the source address would be 203.0.113.2, the destination address would be 209.165.202.129, and the protocol would be HTTPS.
  5. Deploy the change. You can now manage the device using the outside interface.

What if you are using a cloud SDC?

The process is very similar, except for two things:

  • In step 3c of the procedure above, your "Allowed Network" is a network group object containing the public IP addresses of the cloud SDC.
    • If you are a customer in Europe, the Middle East, or Africa (EMEA), and you connect to Defense Orchestrator at https://defenseorchestrator.eu, these are the public IP addresses of the cloud SDC:
      • 35.157.12.126
      • 35.157.12.15
    • If you are a customer in the United States, and you connect to Defense Orchestrator at https://defenseorchestrator.com, these are the public IP addresses of the cloud SDC:
      • 52.34.234.2
      • 52.36.70.147
  • In step 4 of the procedure above, you create an Access Control rule that allows access to the outside interface from the public IP addresses of the cloud SDC.
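The following is an added example, not Cisco code and not the FDM API: a small Python check that models the access-control step for both the on-premise SDC (single NAT'd address) and the cloud SDC (address group) and confirms the rule set admits exactly the SDC addresses to HTTPS on the outside interface, flagging any allow rule whose source is wider than that. The `Rule` class, first-match semantics, and the sample addresses (taken from the page's scenario) are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the page's scenario: the on-premise SDC at 10.10.10.55 is NAT'd
# to 203.0.113.2 and the FTD's outside interface is 209.165.202.129. Pass the two
# cloud SDC addresses for your region as sdc_ips when using a cloud SDC.
SDC_PUBLIC_IPS = ["203.0.113.2"]
OUTSIDE_INTERFACE_IP = "209.165.202.129"
HTTPS_PORT = 443  # CDO only needs HTTPS


@dataclass
class Rule:
    """Simplified access-control rule (hypothetical model); port None = any port."""
    source: str        # CIDR
    destination: str   # CIDR
    port: Optional[int]
    action: str        # "allow" or "block"


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> Optional[str]:
    """Action of the first rule matching src -> dst:port (first-match semantics)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.source)
                and d in ipaddress.ip_network(r.destination)
                and r.port in (None, port)):
            return r.action
    return None


def check_management_access(rules: List[Rule], sdc_ips=SDC_PUBLIC_IPS,
                            outside_ip=OUTSIDE_INTERFACE_IP) -> List[str]:
    """Return findings: SDC addresses that cannot reach HTTPS on the outside
    interface, and allow rules that open it to addresses beyond the SDC set."""
    findings = []
    for ip in sdc_ips:
        if first_match(rules, ip, outside_ip, HTTPS_PORT) != "allow":
            findings.append(f"SDC {ip} cannot reach HTTPS on {outside_ip}")
    out = ipaddress.ip_address(outside_ip)
    for r in rules:
        if r.action != "allow" or r.port not in (None, HTTPS_PORT):
            continue
        if out not in ipaddress.ip_network(r.destination):
            continue
        net = ipaddress.ip_network(r.source)
        covered = sum(ipaddress.ip_address(ip) in net for ip in sdc_ips)
        if net.num_addresses > covered:  # source admits more than the SDC addresses
            findings.append(f"rule {r.source} -> {r.destination} is wider than the SDC")
    return findings
```

An empty list means the rule set matches the procedure; a "wider than the SDC" finding means management HTTPS on the outside interface is exposed beyond the connector.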

What to do Next

After you configure the outside interface to allow management access from the SDC, onboard the FTD device to CDO. You will connect using the IP address of the outside interface. In our scenario above, that address is 209.165.202.129.