topic Dual Homed Firepowe FTD FDM 6.2.3 Running NAT using PBR in Network Security

Dual Homed Firepowe FTD FDM 6.2.3 Running NAT using PBR

Yuslivan — Fri, 21 Feb 2020 17:21:48 GMT

hi all
we have dual homed internet in our Internet Edge firewall (firepower FTD FDM 6.2.3).
both of them running NAT publishing for different application, for example : application A (segment 0) and application B (segment 9), application A using nat via Provider A (ip public segment A), and application B using nat via provider B (ip public segment B).

We know the solution is using PBR, we try to input PBR config via flexconfig (the only one way to deploy the configuration).

here it is our config editor :

access-list AppA permit ip 192.168.0.0 0.0.0.255 any
access-list AppB permit ip 192.168.9.0 0.0.0.255 any
route-map PBR permit 10
match ip address AppA
set ip next-hop a.a.a.a
route-map PBR permit 20
match ip address AppB
set ip next-hop b.b.b.b
route-map PBR permit 30
interface Ethernet1/1
policy-route route-map PBR

and we're using flexconfig object to make that config deployed. the config deployed with error.

but the thing is, access-list object doesnt appear on running configuration (although other object and command is appear) in Firepower. We check it via Console. So the traffic of all segment including dmz, outside, inside (segment A and segment B) etc can not be ping and access by each other. actually before connecting IP public B and do PBR, ip public A running well on Firepower machine. Since we deploy a new connection for ip public segment B (migration phase) and input those command, everything goes wrong.

is there any solution for my case? since we know that ACL object is not entered, but other object including interface pbr configuration seems like enforced to enter to my FP

is there a Firepower FDM limitation?

please help me

Re: Dual Homed Firepowe FTD FDM 6.2.3 Running NAT using PBR

Rob Ingram — Thu, 01 Aug 2019 18:22:52 GMT

HI,

It's not possible to configure PBR on FTD using FDM, the only option is if you are configuring using the FMC. Reference here.

HTH

Re: Dual Homed Firepowe FTD FDM 6.2.3 Running NAT using PBR

tato386 — Thu, 03 Aug 2023 13:28:22 GMT

Hello @Rob Ingram

Is this still true? I'm guessing it might be because I don't see "set IP" option in FlexConfig and I'm on v7.3. What about CDO? I really don't want to have to setup an FMC just for PBR.

Thanks,

Re: Dual Homed Firepowe FTD FDM 6.2.3 Running NAT using PBR

Rob Ingram — Thu, 03 Aug 2023 13:41:13 GMT

@tato386 unfortunately no, apparently not https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb19682

Re: Dual Homed Firepowe FTD FDM 6.2.3 Running NAT using PBR

tato386 — Thu, 03 Aug 2023 15:28:00 GMT

I believe there is a CDO delivered FMC but I really don't want to deal with that for this box. I believe you can configure FTD directly from CDO without FMC. Does that count as FDM? Is there a chance CDO can do the required FlexConfig without FMC?

Thanks

Re: Dual Homed Firepowe FTD FDM 6.2.3 Running NAT using PBR

Rob Ingram — Thu, 03 Aug 2023 15:57:13 GMT

@tato386 native CDO (no cdFMC) basically relies on FDM, which unfortunately not going not going to help.

Re: Dual Homed Firepowe FTD FDM 6.2.3 Running NAT using PBR

tato386 — Thu, 03 Aug 2023 18:57:34 GMT

got it. thank you sir!