topic Re: FTD Management Interface Multiple ISPs in Network Security

FTD Management Interface Multiple ISPs

ste.ant — Wed, 27 Jul 2022 14:51:50 GMT

Hi,

I'm not able to manage FTD from its remote FMC when it fails over from ISP1 to ISP2.

- 1 x FTD 1010 (7.0.1.1)
- ISP1 connected to E1/1, ISP2 connected to E1/2
- FTD Management Interface connected to E1/3 (routed port)
- Route tracking enabled for ISP1

Long story short, when FTD fails over to ISP2, I can ping FMC on TCP/8305 from FTD Management Interface successfully but the "sf tunnel" won't come up. Performing a packet trace on the FTD shows that the Management Interface tries to go out through ISP1 even though the routing table tells it to go out ISP2 interface (it complains about a sub-optimal route).

Has anyone been able to get this to work?

Thank you!

Re: FTD Management Interface Multiple ISPs

MHM Cisco World — Wed, 27 Jul 2022 16:26:15 GMT

if you use NAT
add route-lookup to NAT

Re: FTD Management Interface Multiple ISPs

ste.ant — Wed, 27 Jul 2022 16:43:08 GMT

I have NAT configured but I can only use route-lookup if the original and translated source address is the same but it's not in my case (I have two rules - translate the Management Interface to (1) "isp1-outside" and (2) "isp2-outside" interface address). I do it this way to avoid the Management Interface from going over the VPN tunnel.

Re: FTD Management Interface Multiple ISPs

MHM Cisco World — Wed, 27 Jul 2022 16:53:00 GMT

the NAT is routed the traffic through the ISP1 even if the RIB is route via ISP2
for the NAT can you share the NAT you use?

Re: FTD Management Interface Multiple ISPs

ste.ant — Wed, 27 Jul 2022 17:00:10 GMT

Sure thing!

The NAT config below doesn't have the VPN rules added but for what I'm trying to do this is what I have configured:

Re: FTD Management Interface Multiple ISPs

ste.ant — Thu, 11 Aug 2022 17:07:32 GMT

Hi, it's still not working... any idea?

Re: FTD Management Interface Multiple ISPs

ste.ant — Tue, 13 Sep 2022 14:11:42 GMT

I figured it out -

I created two EEM FlexConfig objects:

My_EEM-FTD-MgmtIf_1

event manager applet NAT-FTD-MgmtIf1
event syslog id 622001
action 1 cli command "no nat (mgmt-ftd,outside) source static Host-FTDMgmtIf interface destination static HostFMC_outside HostFMC_outside service tcp_8305 tcp_8305"
action 2 cli command "clear conn address X.X.X.X"
output none

My_EEM-FTD-MgmtIf_2

event manager applet NAT-FTD-MgmtIf2
event syslog id 622001 occurs 2
action 1 cli command "nat (mgmt-ftd,outside) 1 source static Host-FTDMgmtIf interface destination static HostFMC_outside HostFMC_outside service tcp_8305 tcp_8305"
action 2 cli command "clear conn address X.X.X.X"
output none

My_EEM-FTD-MgmtIf_1 removes NAT statement to outside when outside is down (first occurrence of Syslog 622001). It also clears Mgmt interface connections to FMC (IP address X.X.X.X)

My_EEM-FTD-MgmtIf_2 adds NAT statement to outside in position 1 when outside2 is down ("every other" occurrence of Syslog 622001). It also clears Mgmt interface connections to FMC (IP address X.X.X.X)

Apply both FlexConfig objects to FTD using Append. Whenever the outside interface goes down/route to outside is removed from the routing table using route tracking, the static NAT rule for it is removed from the NAT table (this avoids NAT Divert) and when the outside interfaces is up/route tracking is up, the static NAT rule for it is re-added to the NAT table in position 1. Clearing the connections to the FMC is very important because if you don't they hang around and you'll end up in a situation where network traffic goes via ISP1 but FTD management traffic goes to FMC via ISP2.

I hope this helps someone.