topic Re: Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture in Network Security

Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture

lmgomes — Mon, 30 Jun 2025 13:41:32 GMT

Dear Team,

We have an FTD cluster in HA (a/p) managed by an FMC (all on version 7.4.2) and we are redesigning the architecture of the current solution. The new solution is intended to have two internet links (primary/secondary) with dynamic routing (BGP), with the ISP announcing the default route and the FTDs announcing a public network (a diagram is attached). From the aforementioned public network, one IP address will be used for the IPSec L2L and SSL VPN remote access tunnels and the rest for NAT.

Is the use of a Loopback interface supported to terminate IPSec L2L and SSLVPN remote access tunnels?

What would be the best approach/configuration to make this solution work?

Thank you

Re: Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture

Rob Ingram — Mon, 30 Jun 2025 13:52:33 GMT

@lmgomes you can use the loopback interface for L2L IPSec VPN. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/vpn-s2s.html

"Choose the tunnel source interface from the Tunnel Source drop-down list.

The VPN tunnel terminates at this interface, a physical or loopback interface"

Guide

https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface

https://secure.cisco.com/secure-firewall/v7.3/docs/dynamic-virtual-template-interface-dvti

Although I don't believe you can use a loopback for Remote Access VPN, you'd have to terminate on the outside interface.

Re: Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture

MHM Cisco World — Mon, 30 Jun 2025 15:41:41 GMT

Let start

1- ssl vpn it hard to make one isp for it and other for NAT since in end the ssl vpn access from internet and use randomly public IP so yoh can not' you need to use one ISP for both ssl vpn and NAT

2- l2l VPN you can different ISP' ehat you need to use two static route

A- static route for remote peer IP of VPN

B- static route for remote VPN subnet (remote protect subnet)

MHM

Re: Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture

lmgomes — Tue, 01 Jul 2025 13:06:21 GMT

Hi @Rob Ingram

Thank you for your reply. Indeed, the loopback interface is a solution for IPSec L2L.

For SSL VPN remote access, and since we will have two internet links and it is a requirement to use one of the IPs from the public range, I have to find another solution.

Thanks

Re: Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture

lmgomes — Tue, 01 Jul 2025 13:24:47 GMT

Hi @MHM Cisco World

I may not have explained myself well and this may have caused some confusion. In the solution we intend to implement, we will have two internet links with the ISP, one main (always active) and another secondary (as a backup in case the main one fails). Since we have a public IP range, we will implement dynamic routing (BGP) to announce the public IP range we have to the ISP and receive the DefaultRoute. As for the use of our public IP range, an IP will be used, and it will always be the same, to terminate the IPSec L2L and SSLVPN remote access tunnels and the remaining IP addressing for NAT.

Thank you

Re: Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture

Rob Ingram — Tue, 01 Jul 2025 13:27:03 GMT

@lmgomes we do you need to use one of the IPs from the public range using a loopback? You can still connect to the physical IP address of the FTD, with failover to the other. Or you could use a cloud load balancer to load balance the connections to either FTD outside interface.

Re: Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture

Aref Alsouqi — Tue, 01 Jul 2025 13:28:27 GMT

If you use FQDN for the RA VPN and your DNS provider allows configuring a primary and a secondary public IPs for the FQDN resolution and monitor their status, then you could go with that solution. Basically what will happen is that when the remote clients try to connect to your VPN they will use the FQDN, and if the primary ISP link is down your DNS provider will remove that IP from the list, so the DNS resolution will fallback to the secondary ISP public IP. Alternatively, you could rely on Secure Client profile where you configure the primary and the backup servers.

Re: Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture

MHM Cisco World — Tue, 01 Jul 2025 13:48:51 GMT

You run cluster not primary/backup HA FTD ?

MHM