topic Re: Dual ISP Configuration and PBR on Cisco Firepower in Network Security

Dual ISP Configuration and PBR on Cisco Firepower

nomorenoless — Sun, 23 Feb 2025 18:15:35 GMT

Hello everyone,

Happy Sunday to all! I am currently working on a production environment with dual ISPs, and I'm encountering some challenges with my configuration. I hope to get some guidance from the community.

Network Setup:

ISP 1: Interface 1/1 with IP 22.22.22.22/31, gateway 22.22.22.23
ISP 2: Interface 1/2 with IP 33.33.33.33/31, gateway 33.33.33.34
DMZ 1: Interface 1/11 with IP 10.1.1.1/24
DMZ 2: Interface 1/12 with IP 10.2.2.1/24

I'm using a Cisco Firepower 4110 and trying to configure Policy-Based Routing (PBR) to manage traffic as follows:

Route traffic from Webservers in DMZ 1 through ISP 1
Route traffic from DMZ 2 through ISP 2

Current Configuration Attempt:

Access Control Lists (ACLs):

access-list DMZ1_ACL permit ip 10.1.1.0 0.0.0.255 any
access-list DMZ2_ACL permit ip 10.2.2.0 0.0.0.255 any

Route-Map and FlexConfig:

route-map RBP-ISP2 permit 10
match ip address DMZ2_ACL
set interface Ethernet1/2

Interface Configuration:

interface Ethernet1/12
ip policy route-map RBP-ISP2

NAT Configuration:

object network DMZ2_NETWORK
subnet 10.2.2.0 255.255.255.0
nat (inside,outside2) dynamic interface

Despite these efforts, traffic from DMZ 2 through ISP 2 is dead. I have tested with only ISP 2, but I can't seem to get it to work. Could anyone help point me in the right direction or identify any potential issues with my setup?

Re: Dual ISP Configuration and PBR on Cisco Firepower

MHM Cisco World — Sun, 23 Feb 2025 18:19:11 GMT

There is no NAT for prefix 10.1.1.0/24 ??

MHM

Re: Dual ISP Configuration and PBR on Cisco Firepower

nomorenoless — Sun, 23 Feb 2025 18:24:58 GMT

hi @MHM Cisco World my focus has been on configuring the NAT for the 10.2.2.0/24 network (DMZ 2) to route traffic through ISP 2 as test as mentioned before but about your question yes, I have:

object network DMZ1_NETWORK subnet 10.1.1.0 255.255.255.0 nat (inside,outside1) dynamic interface

Re: Dual ISP Configuration and PBR on Cisco Firepower

nomorenoless — Sun, 23 Feb 2025 18:45:52 GMT

Thinking on the issue I will perform a test,

Reasoning:

Since I am trying to pass a public IP address to a Web Server I cannot do a broad network /24, instead be specific on the web server inside the network 10.2.2.0/24 by example 10.2.2.2/24.

Testing possible workaround:

object network WEB_SERVER host 10.2.2.2 nat (inside,outside2) static 33.33.33.35 (Example public IP)

or:

object network WEB_SERVER host 10.2.2.10 nat (inside,outside2) static interface service tcp 80 80 nat (inside,outside2) static interface service tcp 443 443

I will do further testing and report here but if anyone have a thought, please I will appreciate the help.

Re: Dual ISP Configuration and PBR on Cisco Firepower

MHM Cisco World — Sun, 23 Feb 2025 18:46:52 GMT

Use packet-tracer to check in which phase the traffic stop

MHM

Re: Dual ISP Configuration and PBR on Cisco Firepower

Sheraz.Salim — Sun, 23 Feb 2025 19:12:38 GMT

Based on your network setup and configuration, I can provide some guidance/insight to help for you resolve the issue/s.Your PBR configuration looks correct, but ensure you have a similar configuration for DMZ 1

route-map RBP-ISP1 permit 10 match ip address DMZ1_ACL set interface Ethernet1/1 ! interface Ethernet1/11 ip policy route-map RBP-ISP1

Your NAT configuration for DMZ 2 looks correct. For DMZ 1, ensure you have

object network DMZ1_NETWORK subnet 10.1.1.0 255.255.255.0 nat (inside,outside1) dynamic interface

Ensure you have proper static routes for both ISP

route outside1 0.0.0.0 0.0.0.0 22.22.22.23 route outside2 0.0.0.0 0.0.0.0 33.33.33.34

In regards to T-shoot and for traffic flow going to correct path if command you can employee/use to double check.

show nat detail ! show route-map ! packet-tracer input DMZ2 tcp 10.2.2.10 80 8.8.8.8 80 ! logging enable logging console debugging !

public-facing web servers, you should use static NAT

object network WEB_SERVER_DMZ2 host 10.2.2.10 nat (inside,outside2) static 33.33.33.35 ! object network WEB_SERVER_DMZ1 host 10.1.1.10 nat (inside,outside1) static 22.22.22.24 !

For port-Forwarding

object network WEB_SERVER_DMZ2 host 10.2.2.10 nat (inside,outside2) static interface service tcp 80 80 nat (inside,outside2) static interface service tcp 443 443 !

Re: Dual ISP Configuration and PBR on Cisco Firepower

MHM Cisco World — Sun, 23 Feb 2025 19:45:10 GMT

You use in NAT interface name inside and you mention DMZ1 and DMZ2'

Can I see show interface ip breif

MHM

Re: Dual ISP Configuration and PBR on Cisco Firepower

nomorenoless — Sun, 23 Feb 2025 22:36:29 GMT

Thank you @Sheraz.Salim

I appreciate the hint. The issue was indeed NAT, but it was more complex than initially thought due to my specific configuration. I'm handling a single public IP and can't route it to a /24 network. Therefore, I had to develop a more granular policy to address the network and web server's static IP.

I'll share some details of this configuration once I've finished implementing the network.