topic Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router in Network Security

Firepower 2110 - Secondary Outside interface port for 1 ISP router

eeebbunee — Wed, 15 Sep 2021 17:08:01 GMT

Hello,

Public IP block from ISP gave is all occupied, so I requested extended IP block to ISP.

so I got new IP block with new port (same router), but I am not sure how can I make this new IP block to apply my firepower.

Here is the image what I am considering:

The blue line is about to newly add.

ISP provider gave me a notification that they are configured new IP block on 0/2 port. So I don't know If I can use same firepower. Is this possible without loop?

What else should I configure on my firepower to make it?

Thank you.

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

Rob Ingram — Wed, 15 Sep 2021 17:26:57 GMT

@eeebbunee you should get your ISP to route the new subnet to the outside IP address of your existing interface. You then just need to create NAT rules using an IP address from the new subnet.

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

MichaelMcCoy — Wed, 15 Sep 2021 18:33:49 GMT

Is your goal to load balance or to set up a secondary route (in case of failure)?

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

eeebbunee — Wed, 15 Sep 2021 18:41:28 GMT

Thanks for the reply.

You mean the existing interface (Router 0/1 port) needs to have both IP blocks?

New IP block has totally different IP address, so that's why ISP setup the other port.

Please correct me which part am I misunderstand.

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

eeebbunee — Wed, 15 Sep 2021 18:44:17 GMT

This is for secondary route, to using 1:1 NAT rule. Currently public IP addresses ran out.

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

Rob Ingram — Wed, 15 Sep 2021 18:47:32 GMT

@eeebbunee no I am saying on the router the ISP would create a static route for the new network with a next hop of the firewalls current outside interface IP address. You don't need to apply the new network on a physical interface. You then create static NAT rules on the firewall.

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

MichaelMcCoy — Wed, 15 Sep 2021 18:53:43 GMT

Full disclosure, I am studying for my CCNA and trying to utilize these boards and questions to grow myself as a tech, so I just wanted to say that before I offer a suggestion.

If I am not mistaken you should be able to issue the commands on your router that will allow for a backup default route:

ip route 0.0.0.0 0.0.0.0 gi0/1
ip route 0.0.0.0 0.0.0.0 gi0/2 5

Issuing the "5" at the end created a floating static route that will only be placed in the routing table and used in case the primary route "gi0/1" is removed from the routing table.

Sorry if I misunderstood your issue.

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

eeebbunee — Wed, 15 Sep 2021 19:15:39 GMT

I appreciate that your considerable reply and the suggested solution.

I should've told you in detail, I was meant to one more active routing interface not for fail-over, in this case I am trying to make both interfaces as 'active' state.

But, your reply was also helpful to me cause I didn't know that.

Thank you very much,

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

eeebbunee — Wed, 15 Sep 2021 19:41:43 GMT

Okay, so If I'm correctly understand, ISP router is configured by ISP provider by adding static route.

For example) 12.678.9.1 x.x.x.x(subnet) via 12.345.6.1(my existing firewall outside)

Therefore, I don't need to make physical connection between ISP router and my firewall, am I correct?

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

Rob Ingram — Wed, 15 Sep 2021 19:48:40 GMT

@eeebbunee correct. You then need to create static NAT rules with those new IP addresses.

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

eeebbunee — Thu, 16 Sep 2021 15:39:31 GMT

I was thinking about one more physical connection between firewall and ISP because ISP provider told me to do it (use another ports), but I will request them to change routing configuration followed your advise.

I really appreciate it..!!

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

ashwanik2008 — Fri, 17 Sep 2021 14:11:22 GMT

Rob, My ISP is providing me two ranges ( totally different) and have added a static route on the Internet Router for the new range pointing to the FW outside interface having IP from the existing range.

New range could be used to create NAT rules for traffic coming from the inside interface on the FW, correct.

Will I be able to create NAT rules for AnyconnectVPN users ( connecting via the existing interface IP) using the new range ?

Thanks very much in advance.

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

Rob Ingram — Fri, 17 Sep 2021 14:21:24 GMT

@ashwanik2008 Not sure I totally understand your question.

Do you want to NAT traffic from a VPN user using one of those new IP addresses, yes that would probably work - not tried it myself but something like this:-

nat (outside,inside) source static RAVPN RAVPN-NATTED destination static LAN LAN

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

ashwanik2008 — Fri, 17 Sep 2021 14:27:56 GMT

Thanks for quick reply, Rob.

I meant the internet bound traffic from AnyConnect VPN users, ( OUTSIDE, OUTSIDE) hair-pinned on the OUTSIDE interface.

OUTSIDE interface has an IP from the existing range but requirement is to use new range for NAT statements for these remote users.

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

Rob Ingram — Fri, 17 Sep 2021 14:34:29 GMT

@ashwanik2008

Try this:-

object network RAVPN
 subnet <vpn ip pool network> <subnet mask>
 nat (outside,outside) dynamic <ip address from new range>

Re: Firepower 2110 - Secondary Outside interface port for 1 ISP router

ashwanik2008 — Fri, 17 Sep 2021 14:57:50 GMT

Yes, that`s what I`m gonna try. Thanks Rob