topic Re: Triple WAN 1/2/3 in Network Security

Triple WAN 1/2/3

Sharath Rajan — Tue, 26 Jul 2022 06:11:00 GMT

Dear Experts

Kindly seeking your advises because of that I have running SonicWALL firewall with three ISP WAN connections from Same ISP

and the migration process is going on from SonicWALL to FMC 7.0/1200 FTD

how to configure the 3 WAN in FMC/FTD 2 wan public IP is opened 443 for sum web tires apps

kindly help me to get it successful configuration in CISCO

Re: Triple WAN 1/2/3

Marvin Rhoads — Tue, 26 Jul 2022 12:43:12 GMT

Are the "three ISP WAN connections from Same ISP" in different subnets?

Re: Triple WAN 1/2/3

Sharath Rajan — Tue, 26 Jul 2022 12:52:53 GMT

Hello

There is WAN 1 and 2 is 255.255.255.252

WAN 3 is 255.255.255.0 subnets are running now in
SonicWALL from same ISP

Re: Triple WAN 1/2/3

Marvin Rhoads — Tue, 26 Jul 2022 13:04:25 GMT

FTD (and ASA) firewalls do not have the same capabilities as SonicWall does with respect to WAN interfaces. An FTD firewall generally has only a single external default route. While you can use policy-based routing to setup services on a second or third WAN interface, it requires that you know the remote addresses to be included in advance. You cannot, for example, say "Use the /24 for everything except web servers A and B which use WAN 1 and WAN 2 interfaces."

However, since you have a /24 why not just use it for all traffic?

Re: Triple WAN 1/2/3

Sharath Rajan — Tue, 26 Jul 2022 13:22:05 GMT

See , The problem is we don't have any Reverse Proxy for our web servers

each (2) web app is hosted each Static Public IP and open the port 443

the next web server APP is ready to host so we need to use another public IP .

so the Lan Traffic is mostly passed in WAN1 but the Web access is coming through WAN1 and WAN2 no expecting to next WAN3

so I am seeking the advise PBR configuration in FMC with appropriate NAT/PAT for WEB apps

what I can do please advise

Re: Triple WAN 1/2/3

giovanni.augusto — Wed, 27 Jul 2022 21:16:14 GMT

You could try to use ASA/FTD NAT-divert feature, it works similarly to PBR and sometimes this messes up with people but in your case it could even work in your favor

3 default routes with different Administrative distances like 1,20,30 (something you may do anyway and stick an IP SLA on the first two WANs since you will want redundancy for your Internet egress)
configure your Internet WAN either in 3 different ZONES or 1 ZONE and 3 different interface groups (I'd recommend this last one) and of course a zone for your INSIDE (or DMZ zone where your webservers are...either 2 zones doesn't matter)
configure OUTSIDE (zone or interface group) to INSIDE (or DMZ...) NAT, one for each Webserver you want to publish considering the specific interfaces where your public IP for each webserver is

This should allow your traffic to go as you expect but for regular egress traffic only your first interface will be serving egress Internet traffic.

NOTE:

#1 you need because NAT performs a route check, it fails if no route exists
#2 you need because NAT in FTD is either selected on ZONE pairs or interface group pairs (that exists solely for this and IP SLA purpose I believe)
#3 actually should do the trick ad NAT in ASA (and FTD by evolution) code manipulates the traffic flow significantly, hence the saying that a Firewall is not a router

One other option that comes to mind, but I haven't tried yet is to use VRF-lite context with leaking, if anyone ever tried that it would be interesting to know if that would work here

Re: Triple WAN 1/2/3

Sharath Rajan — Wed, 27 Jul 2022 14:55:13 GMT

Hello These all steps do you think will accept FMC because my firepower is registered under FMC

Can I configure 3 wan under PBR/SLA than nat divert .