Below is a diagram of how the setup looks.
Below is a step-by-step guide to configuring the FTD/FTDv to allow management from the Internet (outside) interface.
Configuring Cisco FTD through FDM (Firepower Device Manager) for management from the internet involves a few steps. Here is a general guide:
- Connect to the FTD using FDM. Open a web browser and enter the management IP address of the FTD in the address bar; you should be prompted for your FDM username and password. You need a client on the inside network that has access to the management IP address. See my previous tutorial on the basic FDM setup. (In this tutorial we are using a Windows 10 client with the IP address 172.16.2.200.)
https://dracocybersecurity.com/basic-configuration-of-ftdv-7-3-telnet-and-fdm-in-kvm/
- Configure NAT/PAT on the FTD, which is acting as the edge firewall here. You need a static NAT rule that translates a port on the FTD's outside (public) interface address to the management IP address on the inside. This is what lets you reach FDM from the internet without exposing the management IP directly.
In FDM, go to Policies, click NAT, then click the + sign to add a rule.
- Title: <Give it a meaningful name>
- Create Rule For: Manual NAT
- Placement: Before Auto NAT Rules
- Type: Static
ORIGINAL PACKET
- Source Interface: outside
- Destination Address: Interface
- Destination Port: <Create a new custom port object> 8443 for this example
TRANSLATED PACKET
- Destination Interface: outside
- Destination Address: <Custom Network> InsideMgmtIP for this example
- Destination Port: HTTPS
Here is how the final NAT rule looks.
- Next, create an access rule to allow traffic from the outside zone to the management IP address in the inside zone. The rule must permit the ports you have configured for remote access (HTTPS for FDM, SSH for the CLI). Telnet is unencrypted, so it should not be exposed to the internet even though the FTD supports it.
SOURCE
- Title: <Create a meaningful name>
- Zones: outside_zone
- Network: Any
- Ports: Any
DESTINATION
- Zones: inside_zone
- Networks: <InsideMgmtIP>
- Ports: HTTPS
Once you have finished the configuration, do not forget to click Deploy Now.
- Test remote access to the FTD. Once the above steps are done, you should be able to reach FDM from the internet by browsing to https://<public IP>:8443, i.e. the address of the outside interface and the custom port from the NAT rule. You should be prompted for your FDM username and password.
It is important to note that exposing management of an FTD to the internet introduces security risk, so follow best practices for hardening the FTD. At minimum, replace the Source Network of "Any" in the access rule with a network object listing the addresses you administer from, but be careful not to lock yourself out by leaving out an address you actually need.
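The two things worth checking after deployment are whether the exposed port actually answers TLS from the internet, and whether a proposed source allow-list would lock you out. The script below is an added example written for this tutorial, not part of the original page or a Cisco tool; the addresses PUBLIC_IP, EXPOSED_PORT and ADMIN_SOURCES are assumed placeholders (documentation ranges) that you replace with your own. The allow-list check is generic and works for any CIDR list, not only the single-host case described above.

```python
"""Post-deployment checks for internet-facing FDM management (added example).

Assumptions (not from the original tutorial):
  PUBLIC_IP     - address of the FTD outside interface (TEST-NET-3 placeholder)
  EXPOSED_PORT  - the custom port object used in the NAT rule (8443 above)
  ADMIN_SOURCES - addresses you administer from (TEST-NET-2 placeholders)
"""
import ipaddress
import socket
import ssl

PUBLIC_IP = "203.0.113.10"          # assumed: FTD outside interface address
EXPOSED_PORT = 8443                 # custom port from the NAT rule
ADMIN_SOURCES = ["198.51.100.25"]   # assumed: where the admin connects from


def tls_probe(host, port, timeout=5.0):
    """Do a TCP connect and TLS handshake, as a browser hitting FDM would.

    Returns a dict and never raises, so each failure mode (filtered/timeout,
    refused, reachable-but-not-TLS) is reported instead of hidden. FDM ships
    a self-signed certificate by default, so chain verification is disabled
    for the probe; the TLS version and cipher are still recorded.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    result = {"host": host, "port": port, "reachable": False, "tls": False,
              "tls_version": None, "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["reachable"] = True           # TCP SYN/ACK came back
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = True             # handshake completed
                result["tls_version"] = tls.version()
                result["cipher"] = tls.cipher()[0]
    except ssl.SSLError as exc:                  # reachable, but not TLS
        result["error"] = f"tls handshake failed: {exc}"
    except (socket.timeout, TimeoutError):       # NAT/access rule not passing
        result["error"] = "timeout (filtered or no NAT/access rule)"
    except ConnectionRefusedError:               # port reached, nothing listening
        result["error"] = "connection refused"
    except OSError as exc:
        result["error"] = f"socket error: {exc}"
    return result


def allowlist_covers(allowed_networks, source_ip):
    """True if source_ip falls inside any network in the proposed allow-list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in allowed_networks)


def lockout_check(allowed_networks, admin_sources):
    """Return the admin addresses that would be locked out by the allow-list.

    Run this before replacing the access rule's Source Network of 'Any' with a
    network object; an empty list means every admin source is still covered.
    """
    return [ip for ip in admin_sources
            if not allowlist_covers(allowed_networks, ip)]


if __name__ == "__main__":
    proposed = ["198.51.100.0/24"]               # candidate allow-list object
    locked_out = lockout_check(proposed, ADMIN_SOURCES)
    print("allow-list", proposed, "locks out:", locked_out or "nobody")
    print(tls_probe(PUBLIC_IP, EXPOSED_PORT))
```

Run it from a host outside your network (the same one that appears in ADMIN_SOURCES) so the probe traverses the outside interface rather than the inside path. A result with reachable True and tls True means the NAT rule, the access rule and the deployment all took effect; a timeout usually means the access rule or NAT rule is missing, while "connection refused" means the packet reached something that is not listening on that port.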