Exam 300-710 topic 1 question 242 discussion

Actual exam question from Cisco's 300-710
Question #: 242
Topic #: 1

A security engineer is adding three Cisco FTD devices to a Cisco FMC. Two of the devices have successfully registered to the Cisco FMC. The device that is unable to register is located behind a router that translates all outbound traffic to the router’s WAN IP address. Which two steps are required for this device to register to the Cisco FMC? (Choose two.)

  • A. Reconfigure the Cisco FMC to use the device’s private IP address instead of the WAN address.
  • B. Configure a NAT ID on both the Cisco FMC and the device.
  • C. Reconfigure the Cisco FMC to use the device’s hostname instead of IP address.
  • D. Remove the IP address defined for the device in the Cisco FMC.
  • E. Add the port number being used for PAT on the router to the device’s IP address in the Cisco FMC.
Suggested Answer: BD

Comments

Joe_Blue
Highly Voted 2 years, 1 month ago
Selected Answer: AB
Assuming that the devices are communicating over the Internet, the following two steps are required for the device to register to the Cisco FMC: A. Reconfigure the Cisco FMC to use the device’s private IP address instead of the WAN address. This will allow the Cisco FMC to reach the device even though its IP address is being translated by the router. B. Configure a NAT ID on both the Cisco FMC and the device. This is necessary to allow the Cisco FMC to identify the device behind the NAT device and to establish a secure connection.
upvoted 7 times
Kris92
1 year, 2 months ago
This is NOT correct and A and B contradict themselves, either you use the real IP or the NAT IP? Joe_Blue seems to be generating his answers from ChatGPT, from my experience they are sometimes true, but not reliable.
upvoted 2 times
Initial14
2 years ago
You are right: Cisco's WP regarding this: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/get-started-device-management.html
upvoted 1 times
Initial14
2 years ago
The upper comment is for FTD registering to FMC. When you register a device that is behind NAT, on FMC you leave the IP address blank, only use Custom NAT ID: On the management center, specify a unique NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify both the management center IP address and the NAT ID. Note: The NAT ID must be unique per device.
upvoted 2 times
Kris92
Highly Voted 1 year, 2 months ago
Selected Answer: BD
PAT lets you use a single public IP address and unique ports to access the public network; these ports are dynamically assigned as needed, so you cannot initiate a connection to a device behind a PAT router. Normally, you need both IP addresses (along with a registration key) for both routing purposes and for authentication: the FMC specifies the device IP address when you add a device, and the device specifies the FMC IP address. However, if you only know one of the IP addresses, which is the minimum requirement for routing purposes, then you must also specify a unique NAT ID on both sides of the connection to establish trust for the initial communication and to look up the correct registration key. The FMC and device use the registration key and NAT ID (instead of IP addresses) to authenticate and authorize for initial registration. https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/device_management_basics.html
upvoted 6 times
Happy_Shepherd26
Most Recent 5 months, 4 weeks ago
Selected Answer: BD
For instance, when you add a device to the Cisco FMC, and you do not know the device IP address (or the device is behind a NAT/PAT device), you specify only the NAT ID and the registration key on the FMC and leave the IP address blank.
upvoted 1 times
Demon_Queen_Velverosa
7 months, 2 weeks ago
The best answer is B and C. The Demon Queen provides the following from the official cert guide. When you add a managed device to the Cisco FMC, you must provide an IP address of the managed device along with a registration key for authentication. The Cisco FMC and the managed device use the registration key and a NAT ID (instead of IP addresses in the case that the device is behind NAT) to authenticate and authorize for initial registration. For instance, when you add a device to the Cisco FMC, and you do not know the device IP address (or the device is behind a NAT/PAT device), you specify only the NAT ID and the registration key on the FMC and leave the IP address blank.
upvoted 2 times
MB2222
1 year ago
Wouldn't it be answers (A) and (B)... Please refer to: https://community.cisco.com/t5/network-security/connect-ftd-to-fmc-with-nat-at-both-sides/td-p/3726411
upvoted 1 times
Stevens0103
1 year, 3 months ago
Selected Answer: BD
It's B & D. 100% guarantee. "For example, you add a device to the FMC, and you do not know the device IP address (for example, the device is behind a PAT router), so you specify only the NAT ID and the registration key on the FMC; leave the IP address blank. On the device, you specify the FMC IP address, the same NAT ID, and the same registration key. The device registers to the FMC's IP address. At this point, the FMC uses the NAT ID instead of IP address to authenticate the device." https://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Device_Management_Basics.html
upvoted 4 times
al1
1 year, 6 months ago
B&D is correct. Version 7.3: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/get-started-device-management.html In the NAT Environment topic it says, "Although the use of a NAT ID is most common for NAT environments, you might choose to use the NAT ID to simplify adding many devices to the management center. On the management center, specify a unique NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify both the management center IP address and the NAT ID. Note: The NAT ID must be unique per device."
upvoted 2 times
c946f3e
1 year, 7 months ago
configure manager add {hostname | IPv4_address | IPv6_address | DONTRESOLVE} regkey [nat_id] [display_name]
{hostname | IPv4_address | IPv6_address}: Sets the management center hostname, IPv4 address, or IPv6 address.
DONTRESOLVE: If the management center is not directly addressable, use DONTRESOLVE instead of a hostname or IP address. If you use DONTRESOLVE, then a nat_id is required. When you add this device to the management center, make sure that you specify both the device IP address and the nat_id; one side of the connection needs to specify an IP address, and both sides need to specify the same, unique NAT ID.
Example:
    > configure manager add DONTRESOLVE abc123 efg456
    Manager successfully configured.
    Please make note of reg_key as this will be required while adding Device in FMC.
    >
upvoted 2 times
Initial14
2 years ago
If you are registering a device that is behind NAT, on FMC you must: specify a unique NAT ID for each device you want to add while leaving the IP address blank, and then on each device, specify both the management center IP address and the NAT ID. Note: The NAT ID must be unique per device. On FTD you:
    configure manager add [manager IP] regk3y78 natid56
In the case when FTD is with public address and FMC is behind NAT: specify a unique NAT ID per device on both the management center and the devices, and specify the device IP addresses on the management center. On FTD:
    configure manager add DONTRESOLVE regk3y78 natid90
If the threat defense is behind a NAT device, enter a unique NAT ID along with the management center IP address or hostname, for example:
    > configure manager add 10.70.45.5 regk3y78 natid56
upvoted 3 times
artgen
1 year, 8 months ago
So according to this the answer provided is correct, so B&D
upvoted 2 times
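Added example (not part of the original thread, and not Cisco code): a pre-flight check in Python that applies the registration rules quoted in the comments above to a planned FMC/FTD registration. The device names, the `behind_pat` field and the 192.0.2.10 / 203.0.113.7 addresses are constructed for illustration; the registration key, NAT ID and 10.70.45.5 are taken from the commands quoted in the thread.

```python
from collections import Counter

def parse_manager_add(cmd):
    """Parse 'configure manager add {host | DONTRESOLVE} regkey [nat_id]' as quoted in the thread."""
    tok = cmd.lstrip("> ").split()
    if tok[:3] != ["configure", "manager", "add"] or len(tok) < 5:
        raise ValueError(f"not a 'configure manager add' command: {cmd!r}")
    return {"fmc_host": None if tok[3] == "DONTRESOLVE" else tok[3],
            "regkey": tok[4],
            "nat_id": tok[5] if len(tok) > 5 else None}

def check_registration(fmc_entries, ftd_commands):
    """Return (device, problem) pairs for a planned FMC/FTD registration."""
    findings = []
    seen = Counter(e["nat_id"] for e in fmc_entries.values() if e["nat_id"])
    for name, fmc in fmc_entries.items():
        ftd = parse_manager_add(ftd_commands[name])
        # The FMC cannot initiate a connection to a device behind a PAT router.
        if fmc["behind_pat"] and fmc["host"]:
            findings.append((name, "behind PAT: leave the device IP blank on the FMC"))
        fmc_knows_ip = bool(fmc["host"]) and not fmc["behind_pat"]
        if not fmc_knows_ip and ftd["fmc_host"] is None:
            findings.append((name, "one side must specify an IP address"))
        # With only one usable IP address, both sides need the NAT ID.
        needs_nat_id = not fmc_knows_ip or ftd["fmc_host"] is None
        if needs_nat_id and not (fmc["nat_id"] and ftd["nat_id"]):
            findings.append((name, "NAT ID required on both FMC and device"))
        if fmc["nat_id"] != ftd["nat_id"]:
            findings.append((name, "NAT ID differs between FMC and device"))
        if fmc["regkey"] != ftd["regkey"]:
            findings.append((name, "registration key differs between FMC and device"))
        if fmc["nat_id"] and seen[fmc["nat_id"]] > 1:
            findings.append((name, "NAT ID is not unique per device"))
    return findings

# Constructed sample plan: ftd-c is the device behind the PAT router in the question.
FMC_ENTRIES = {
    "ftd-a": {"host": "192.0.2.10", "regkey": "regk3y78", "nat_id": None, "behind_pat": False},
    "ftd-b": {"host": None, "regkey": "regk3y78", "nat_id": "natid56", "behind_pat": True},
    "ftd-c": {"host": "203.0.113.7", "regkey": "regk3y78", "nat_id": None, "behind_pat": True},
}
FTD_COMMANDS = {
    "ftd-a": "configure manager add 10.70.45.5 regk3y78",
    "ftd-b": "> configure manager add 10.70.45.5 regk3y78 natid56",
    "ftd-c": "configure manager add 10.70.45.5 regk3y78",
}
if __name__ == "__main__":
    for device, problem in check_registration(FMC_ENTRIES, FTD_COMMANDS):
        print(f"{device}: {problem}")
```

On the sample plan the check reports two findings for ftd-c, which correspond to options D and B of the question.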