Manage the FDM-Managed Device's Outside Interface

This configuration method:

  1. Assumes that the FDM-managed device has not been on-boarded to CDO.

  2. Configures a data interface as the outside interface.

  3. Configures management access on the outside interface.

  4. Allows the public IP address of the cloud connector (after it has been NAT'd through the firewall) to reach the outside interface.

Before you begin

Review the prerequisites for this configuration in these topics:

Procedure


Step 1

Log in to the Secure Firewall device manager.

Step 2

In the System Settings menu, click Management Access.

Step 3

Click the Data Interfaces tab and click Create Data Interface.

  1. In the Interface field, select the pre-named "outside" interface from the list of interfaces.

  2. In the Protocols field, select HTTPS if it is not already. CDO only needs HTTPS access.

  3. In the Allowed Networks field, create a host network object containing the public-facing IP address of the cloud connector after it gets NAT'd through the firewall.

    In the Device Management from Outside Interface network diagram, the cloud connector's IP address, 10.10.10.55, would be NAT'd to 203.0.113.2. For the Allowed Network, you would create a host network object with the value 203.0.113.2.

Step 4

Create an Access Control policy in Secure Firewall device manager that allows management traffic (HTTPS) from the public IP address of the SDC or cloud connector, to the outside interface of your FDM-managed device. In this scenario, the source address would be 203.0.113.2 and the source protocol would be HTTPS; the destination address would be 209.165.202.129 and the protocol would be HTTPS.

Step 5

Deploy the change. You can now manage the device using the outside interface.


What to do next

What if you are using a cloud connector?

The process is very similar, except for two things:

  • In step 3c of the procedure above, your "Allowed Network" is a network group object containing the public IP addresses of the cloud connector.

    • If you are a customer in Europe, the Middle East, or Africa (EMEA), and you connect to CDO at https://defenseorchestrator.eu/, these are the public IP addresses of the cloud connector:

      • 35.157.12.126

      • 35.157.12.15

    • If you are a customer in the United States, and you connect to CDO at https://defenseorchestrator.com/, these are the public IP addresses of the cloud connector:

      • 52.34.234.2

      • 52.36.70.147

    • If you are a customer in the Asia-Pacific-Japan-China (AJPC) region, and you connect to CDO at https://www.apj.cdo.cisco.com/, allow inbound access from the following IP addresses:

      • 54.199.195.111

      • 52.199.243.0

  • In step 4 of the procedure above, you create an Access Control rule that allows access to the outside interface from the public IP addresses of the cloud connector.

The registration token onboarding approach is the recommended way of onboarding the FDM-managed device to CDO. After you configure the outside interface to allow management access from the cloud connector, onboard the FDM-managed device. You will connect using the IP address of the outside interface. In our scenario, that address is 209.165.202.129.
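As an added check (example code, not part of this Cisco page or of FDM), the following script verifies a planned configuration against the procedure above: every required source address must fall inside the Management Access "Allowed Networks" object(s), an access rule must permit HTTPS (TCP 443) from it to the outside interface, and any allowed network wider than a host object is flagged, since the page's intent is a host object per connector address. The input dictionaries are a constructed shape for this check, not FDM's configuration format or API.

```python
"""Validate an FDM outside-interface management-access plan (added example, not Cisco code)."""
import ipaddress

# Cloud connector public IP addresses per CDO region, as listed on this page.
CONNECTOR_IPS = {
    "eu": ["35.157.12.126", "35.157.12.15"],     # defenseorchestrator.eu
    "us": ["52.34.234.2", "52.36.70.147"],       # defenseorchestrator.com
    "apj": ["54.199.195.111", "52.199.243.0"],   # apj.cdo.cisco.com
}
BROAD_PREFIX_LIMIT = 24  # an Allowed Network wider than /24 is reported as over-permissive


def check_management_access(required_sources, allowed_networks, access_rules, outside_ip):
    """Return a list of findings; an empty list means the plan matches the procedure.

    required_sources: addresses that must reach the outside interface (connector or NAT'd SDC).
    allowed_networks: CIDR strings from the Management Access 'Allowed Networks' objects.
    access_rules: constructed dicts with 'action', 'src', 'dst', 'port' (not FDM's rule format).
    """
    findings = []
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    dst_ip = ipaddress.ip_address(outside_ip)
    for src in required_sources:
        addr = ipaddress.ip_address(src)
        # Step 3: management access must list the source in an Allowed Network.
        if not any(addr in n for n in nets):
            findings.append(f"{src} is not covered by any Allowed Network")
        # Step 4: an access control rule must permit HTTPS from it to the outside interface.
        permitted = any(
            r["action"] == "permit" and r["port"] == 443
            and addr in ipaddress.ip_network(r["src"], strict=False)
            and dst_ip in ipaddress.ip_network(r["dst"], strict=False)
            for r in access_rules)
        if not permitted:
            findings.append(f"no HTTPS permit rule from {src} to {outside_ip}")
    # Least privilege: connector addresses should be host objects, not wide ranges.
    for n in nets:
        if n.prefixlen < BROAD_PREFIX_LIMIT:
            findings.append(f"Allowed Network {n} is broader than /{BROAD_PREFIX_LIMIT}")
    return findings


if __name__ == "__main__":
    # Constructed sample using the page's scenario: NAT'd SDC 203.0.113.2 -> outside 209.165.202.129.
    rule = {"action": "permit", "src": "203.0.113.2/32", "dst": "209.165.202.129/32", "port": 443}
    print(check_management_access(["203.0.113.2"], ["203.0.113.2/32"], [rule], "209.165.202.129"))
```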