topic Re: Internet Routing FTD 2120 in Network Security

Internet Routing FTD 2120

Darren Thompson — Fri, 16 Aug 2024 23:19:05 GMT

I have a FMC managing two 2120 devices. They are connected to our SD Wand circuit. We recently purchased a standalone internet circuit. I am trying to see if the visitor traffic on the network can be routed through the firewall and out the standalone circuit and not go through the SD wan. I have created a sub interface and assigned one of the interfaces to it. The traffic from the network comes to the core and a Nat is created to route it out to the stand alone. Does the interface need a statis IP to route the traffic out or can the interface do a layer 2 passthrough to let it out?

Re: Internet Routing FTD 2120

ccieexpert — Sat, 17 Aug 2024 07:50:17 GMT

you can do policy routing

https://integratingit.wordpress.com/2021/04/18/ftd-policy-based-routing/

so that only the visitor subnet will be policy routed to the new circuit.. see example

7.3 and 7.4 have added more sdwan type of capabilities for better control etc.. but plain and simple policy routing will work if you are on older versions..

Re: Internet Routing FTD 2120

MHM Cisco World — Sat, 17 Aug 2024 09:16:07 GMT

To answer we need more info.

You config fw with sdwan' usually sdwan use igp with device connect to service vpn' but here you use default route in fw to forward traffic to sdwan vedge router?

That I think why you ask' to forward traffic to internet you need additional defualt route and this make two defualt route in FTD and not work.

What ypu need is using IGP between ftd and sdwan to learn prefix of all other sdwan branches then config defualt route in ftd toward internet ISP.

It sdwan issue more than FW issue

MHM

Re: Internet Routing FTD 2120

ccieexpert — Sun, 18 Aug 2024 09:11:12 GMT

Please dont get confused with confusing statements 🙂

if i understand SDWAN is done by a ISP router or another router/firewall that is in front of your firewall. So essentially your firewall has a default route to this SDWAN router firewall/router and that provides the load balancing / sharing for existing internet circuits ? right ?

And you are getting another internet circuit ?

If this is all true, then please follow my instructions earlier with policy routing and that should just work fine ...

Re: Internet Routing FTD 2120

MHM Cisco World — Sun, 18 Aug 2024 09:54:10 GMT

please make review
how other SDWAN know there is internet ISP connect to FW and need to forward traffic to FW ??

PBR in FTD make other SDWAN edge routers know to access internet send traffic to FW !!!!!

pbr only work if all visitor subnet direct connect to FW.

please answer this

MHM