I'm having some difficulty with testing the Edge Routed FW case. I was able to deploy everything, but how would I assign multiple external IP addresses on the outside interface to perform SNAT? I'm assuming my outside interface would tie directly to the internet gateway (instead of a public subnet), and I don't have the source interface option in the NAT objects. Great video!
Hello Josh,
If you want to assign an additional IP address on the outside/external interface, perform the following steps:
1. Go to EC2 Instances
2. Network Interfaces
3. Select Outside interface and right click
4. Click Manage IP
5. Assign New IP
Once you have the new IP assigned, you can add NAT on NGFWv/ASAv so that the virtual appliance can forward traffic to internal servers. I will make a video on this shortly and upload it on YouTube. I will share the link so that you can use that as a reference point.
--
Thanks
Anubhav Swami
Looks like NAT isn't an option on the NGFWv that's on AWS right now... it wouldn't let me select any devices to apply a NAT policy. Back to the drawing board from the looks of it. I was able to put in a second IP and Elastic IP, but I'm thinking I have to build it with a 1000v for NAT and transit VPC in order to connect to hosts inbound?
You have an option for adding NAT on NGFWv. Let me know what difficulty you are facing, I can help.
Hi, Is there an option to Upgrade the FTDv for AWS or do I need to deploy a new version over the old one?
Chess, what are you trying to upgrade? The version of FTD, or changing the instance size? If it is the version, it can be upgraded using FMC as long as there is no requirement for a bigger instance.
@AnubhavSwami Thank you. This is just an upgrade to a new FTD version (from 6.3 to 6.4). I found out from Cisco yesterday that I could use a standard upgrade image for this. I thought that I needed a special AWS image, but I am happy that we can proceed with a normal upgrade through FMC.
Hello Anubhav, I have followed this through but am having issues with the FTD-OUT and FTD-IN interfaces. How do these get assigned from AWS? I have configured and attached them exactly like you have (under network interfaces in AWS and attached them) but they don't appear under the device after adding FTD to FMC. Do you need to configure them as static in FTD as well as AWS? If I do this I can ping the FTD on both sides, but traffic flow is not working (traffic does not appear on the interfaces).
I found the issue: AWS EC2 instances use some internal routing methods. Packets were still going to the AWS router even after updating the routing table to send to FTD. The solution was to empty the file /etc/sysconfig/network-scripts/route-eth1 and restart networking with "service network restart".
I am glad it worked; you also need to ensure the source and destination check is disabled.
Hello Guys, does anybody know how to configure high availability with two FTD in AWS?
Nice and informative video. Is it possible to change the management interface from eth0 to the IP address of the additional ENI (say eth2) when we SSH into FTDv for the first time? When we tried changing it, we had difficulty SSHing into FTDv the next time. Actually we are trying to place FTDv behind a load balancer, but the health check (TCP ping) is failing as it is trying to use eth0, which by default is the management interface, so it is not working. Any advice?
Hey. Great Video. Very useful since I'm setting up a similar environment as well. Question though - when you point to the downloaded .pem file, how do you know where it's located? Is it a standard location?
Hi, I couldn't find parts 2 and 3 of this video series. Please provide a link if you have part 2, 3, xx on this deployment. Thanks
Hello Khan Sahib, please check following links:
Part2: th-cam.com/video/CzT_edLt4g8/w-d-xo.html
Part3: th-cam.com/video/RPfQ3OLywak/w-d-xo.html
What's the bandwidth capacity for the BYOL NGFWv in AWS when we enable the AVC, IPS & AMP licenses?
Does Cisco NGFW support High Availability (by maintaining the state table) in AWS?
No, not yet.
Hello Goran,
Great video!!! However I was running into issues when configuring the elastic IP to the mgmt interface (kept telling me that there were too many interfaces associated with the mgmt interface). I worked around the issue by manually associating with the network interface, and private IP with the elastic IP.
Also good find on the disabling of source/dest check. When this wasn't disabled I was able to SSH, but not HTTPS to FMCv. The current documentation on Cisco's site is not very informative, and I will update it accordingly.
Thanks again,
Garrett McCollum
CCIE# 54886 - Security
Please assign the Elastic IP using the interface id; that way you will not get the above error message.
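As an added example (not from the video or any commenter here): the AWS CLI equivalents of the console steps discussed in this thread, namely adding a secondary private IP to the outside ENI, associating an Elastic IP with that IP by interface id (the workaround for the "too many interfaces" error), and disabling the source/destination check. The ENI id, private IP and EIP allocation id are placeholders.

```shell
#!/bin/sh
# Added example, not the video's own steps: AWS CLI versions of the console
# actions discussed in this thread for the outside ENI of an FTDv.
# All resource ids and addresses below are placeholders.
# Set AWS_CLI=echo to print the commands instead of running them.
AWS_CLI="${AWS_CLI:-aws}"

# Console: Network Interfaces -> Manage IP -> Assign new IP.
# Pass an explicit address, or omit it to let AWS pick one from the subnet.
assign_secondary_ip() {
  eni="$1"; ip="$2"
  if [ -n "$ip" ]; then
    "$AWS_CLI" ec2 assign-private-ip-addresses --network-interface-id "$eni" --private-ip-addresses "$ip"
  else
    "$AWS_CLI" ec2 assign-private-ip-addresses --network-interface-id "$eni" --secondary-private-ip-address-count 1
  fi
}

# Associate an Elastic IP with one specific private IP on the ENI.
# Targeting the interface id (not the instance id) is what avoids the
# "too many interfaces" error on an instance with several ENIs.
associate_eip() {
  alloc="$1"; eni="$2"; ip="$3"
  "$AWS_CLI" ec2 associate-address --allocation-id "$alloc" --network-interface-id "$eni" --private-ip-address "$ip"
}

# Disable the source/destination check: with it enabled, the VPC drops packets
# the ENI is neither the source nor destination of, which breaks any firewall
# or NAT hop (the HTTPS-but-not-SSH symptom described above).
disable_src_dst_check() {
  eni="$1"
  "$AWS_CLI" ec2 modify-network-interface-attribute --network-interface-id "$eni" --no-source-dest-check
}

# Verify: list each private IP on the ENI with its associated public IP, if any.
show_eni_ips() {
  eni="$1"
  "$AWS_CLI" ec2 describe-network-interfaces --network-interface-ids "$eni" \
    --query 'NetworkInterfaces[0].PrivateIpAddresses[].[PrivateIpAddress,Association.PublicIp]' --output text
}

# Example run with constructed placeholder identifiers: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
  assign_secondary_ip eni-0123456789abcdef0 10.0.1.20
  associate_eip eipalloc-0123456789abcdef0 eni-0123456789abcdef0 10.0.1.20
  disable_src_dst_check eni-0123456789abcdef0
  show_eni_ips eni-0123456789abcdef0
fi
```

The NAT rule on the FTDv itself still has to reference the new secondary address; these commands only make AWS deliver traffic for it to the outside ENI.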