Adding 2nd ISP to existing Cisco FPR not as Secondary or Backup..

TheGoob · ‎10-17-2025

Hello

So currently I have a DSL MODEM - FPR1010 - SG350XG.

My Internet is DSL w/ 8 static IP's and the FPR does the PPPoE and is connected to the SG350XG with routing back towards the Internet... On the SG350XG I have 6 vlans [each single vlan is associated to it's own WAN ip via NAT on FPR] using 192.168.1.0 - 192.168.6.0. I then have Ports on the SG350XG associated with the preferred vlan.

We are getting a 2nd ISP service that is not involved with this Cisco system BUT I did want to have the SG350XG have a connection to this new ISP for routing purposes such as; I want to move my PC from Cisco Internet to NEW Internet but also, through SG350XG, have connection to my existing network.

Not sure if I am explaining it correctly, but I think I am.

192.168.1.0 - 192.168.6.0 do not see or utilize the New ISP but my PC using new ISP will see any of the 192.168.1.0 - 6.0 and be able to use its services. I assume there is some sort of PBR needed .. Either way I have the idea I want just not sure how this would work.

If the new ISP Router has let's say, 10.0.0.x with 10.0.0.1 as GW, I could assign an Interface on the SG an IP of 10.0.0.2. Then I would create a new vlan let's say 192.168.7.0 and have that associate/default route to the 10.0.0.1 as next hop? Would routing already be accepted as the new ISP Modem has an IP on the existing SG? Would I need to set up PBR for 192.168.7.0 to use 10.0.0.1 for it's Internet, or would that be implied being that I create the vlan 7.0 in association with the Route of 10.0.0.1. Sorry a lot here.

End of day; I want existing Cisco network to not even know of the New ISP [Unless at a later date I need that] but I want the new ISP to be 100% itself, but have routing to my existing network for services I host locally.. NAS, Plex, file sharing etc.

TheGoob · ‎10-17-2025

I am assuming all I need to do is;

1.) assign GE 1/2 on SG350XG a static IP from the network of the ISP 2 Router

2.) create a vlan 7, 192.168.7.0 Network

3.) assign an Interface on SG350XG [i.e GE 1/10] to vlan 7

4.) create a PBR for vlan 7 to use GE 1/2 /ISP2 for routing

5.).......... Would vlan 1-7 [all vlans] be able to now communicate from a LAN standpoint but vlan 1-6 uses the default route [0.0.0.0 0.0.0.0 172.16.2.1] for it's route back to ISP 1 [Internet] and vlan 7 will use GE 1/2 [not sure it's IP yet] for it's route to

balaji.bandi · ‎10-17-2025

Make it simple, you can create another VLAN, allocate a new ISP and make a route for the specific subnet towards ISP2, which should fix the issue.

Thinking your ISP router/whatever can do NAT for your Local IP address.

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TheGoob · ‎10-17-2025

So I would create my vlan 7 192.168.7.0 and configure it to an interface 1/10. I would then have my Interface 1/2 172.16.2.2 connect to my ISP2. I would then create a route 'ip route 192.168.7.0 255.255.255.0 172.16.2.2'?

balaji.bandi · ‎10-18-2025

Make a small diagram and look for routing paths, then you can easily understand, rather than complicating.

This is more of a routing decision on where to send traffic and who does the NAT.

Interface 1/2 172.16.2.2 connect to my ISP2. I would then create a route 'ip route 192.168.7.0 255.255.255.0 172.16.2.2'?

you mean VLAN 7 with 192.168.7.1 /24

1/2 - on switch 172.16.2.2 (thinking other side 172.16.2.1 IP)

'ip route 192.168.7.0 255.255.255.0 172.16.2.1

172.16.2.1 from this router return traffic for 192.168.7.0 towards 172.16.2.2 to work.

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TheGoob · ‎10-18-2025

Ahh alright. That al makes sense, I guess I was just confused how the ISP2 Router would route back, but clearly through the path is has. I was over complicating it. Well tonight I set up the ISP2 so I will see how it goes, but I feel positive about it. ty

TheGoob · ‎10-18-2025

Well, after finally receiving ISP2 Router, I can not change a thing in it.

It has a 10.3.0.1/16 Subnet and my SG Interface obtains a 10.3.137.29 IP address.

I made a vlan 7, 192.168.7.1 and made a Static Route '192.168.7.0 255.255.255.0 10.3.0.1' and nothing. I have to assume that the SG just can not see 10.3.0.1 through the 10.3.137.29 IP... I really do not understand. The route as stated does not work and I tried some variations to no avail.

balaji.bandi · ‎10-19-2025

Suppose you do not have an opportunity to make changes to the ISP router. In that case, you need to rely on another device that does another NAT (if you like to have communication with other VLANs or if you like to use ISP2 alone, then configure the switch as a Layer2 VLAN and let the user get an IP address from the ISP Router.

ISP2 router --- siwtch layer2 --- user Pc get IP from ISP Router.

ISP2 Router---Internal NAT Router---switch - PC

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TheGoob · ‎10-19-2025

ISP2 router --- siwtch layer2 --- user Pc get IP from ISP Router.

This means that PC’s will get an IP but can not communicate with other vlans?

ISP2 Router---Internal NAT Router---switch - PC

This means that PC will obtain an IP but can also communicate with other vlans?

balaji.bandi · ‎10-19-2025

ISP2 router --- siwtch layer2 --- user Pc get IP from ISP Router.

This means that PC’s will get an IP but can not communicate with other vlans?

yes

ISP2 Router---Internal NAT Router---switch - PC

This means that PC will obtain an IP but can also communicate with other vlans?

yes

If you are having FTD 1K, add ISP router 2 and connect to one of the port that should fix your issue.

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TheGoob · ‎10-19-2025

Wait a second. That is genius.

Currently my FPR has a Static Route to find 6 Networks, 192.168.1.0 -192.168.6.0 Net-Hop is 172.16.1.2 [SG350XG GE 1/1, 172.16.1.1 is FPR GE 1/3 Interface] and I have NAT set up as I need.

What you are saying is I.E on FPR I can connect GE 1/2 to my StarLink and can set it Static [let's say 10.3.15.5]. Can I add to existing route to find 192.168.7.0 through 172.16.1.2 like the others or would it need it's own static route? Also I would need to create NAT entry, dynamic, for 192.168.7.0 to 10.3.15.5?

TheGoob · ‎10-19-2025

Alright so I’m obviously not going to sit and wait for answers I clearly wanna be committed and try to figure it out;

Here is where I am.

On FPR GE 1/5 I have DHCP to StarLink, it obtains 10.3.51.71.
On FPR GE 1/6 I have a Routed Interface with IP 10.0.2.1.
On FPR I create a dynamic NAT ‘1/6 lan starlink_lan any statlink_wan interface any’. [1/6 is lan interface, starlink_lan is 192.168.7.0, starlink_wan is interface wan interface and interface is cause I have no idea what else to choose]

On FPR I have a static route ‘starlink_lan interface to 192.168.7.0/24 to 10.0.2.2 GW

On SG350XG I have GE 1/10 set L3 and 10.0.2.2 IP. I create a vlan 7, 192.168.7.0. I assign GE 1/8 to vlan 7. I have a static route ‘192.168.7.0/24 10.0.2.1’.

From a PC that obtains an IP in vlan 7, it grabs 192.168.7.2. I can ping 192.168.7.1, 10.0.2.2 and 10.0.2.1 but that’s it. No Internet access.

Not sure what I am missing here .

balaji.bandi · ‎10-19-2025

NAT is an important point to configure using FDM. Make sure you NAT the IP address correctly. Looks like you're ok on routing now since you're able to reach all of them

For guidance, look below. Guide :

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/223114-configure-dual-isp-on-ftd-using-fdm.html

make sure you have routing FTD to go to ISP2, by default all the routing go to ISP1

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

TheGoob · ‎10-20-2025

Well I can say I did not create a ISP2 Default Route Out... I will do that.

After reading this over, this is what I came up with to implement when I get home;

@balaji.bandi wrote:

NAT is an important point to configure using FDM. Make sure you NAT the IP address correctly. Looks like you're ok on routing now since you're able to reach all of them

For guidance, look below. Guide :

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/223114-configure-dual-isp-on-ftd-using-fdm.html

make sure you have routing FTD to go to ISP2, by default all the routing go to ISP1

FPR

WAN:

ISP1 - PPPoE - IP x.x.x.182 - Automatic Default Route

ISP2 - Statc - IP 10.3.177.124 - Default Route 'Network 192.168.7.0/24 GW 10.3.0.1 Interface ISP2' [GW is the GW for the ISP2 Interface]

NAT:

NAT ISP1 - inside/outside 192.168.1.0/24 any any x.x.x.177

NAT ISP1 - inside/outside 192.168.2.0/24 any any x.x.x.178

NAT ISP1 - inside/outside 192.168.3.0/24 any any x.x.x.179

NAT ISP1 - inside/outside 192.168.4.0/24 any any x.x.x.180

NAT ISP1 - inside/outside 192.168.5.0/24 any any x.x.x.181

NAT ISP1 - inside/outside 192.168.6.0/24 any any x.x.x.182

NAT ISP2 - inside2/outside2 192.168.7.0/24 any any 10.3.177.124 [Interface ISP2 IP]

Static Routes [to find these Networks on the SG350XG]:

ISP1 Static Route - 'inside ipv4 192.168.1.0/24 - 192.168.6.0/24 10.0.0.2' 10.0.0.2 is the IP of GE 1/1 SG

ISP2 Static Route - 'inside2 ipv4 192.168.7.0/24 10.0.2.2' 10.0.2.2 is IP of GE 1/2 SG

ACL:

ISP1 - 'inside_zone any any outside zone any any'

ISP2 - 'inside1_zone any any outside2_zone any any'

TheGoob · ‎10-20-2025

Put Starlink into Bypass mode, no go. It just does not work.

ALL DHCP Gives me is the IP and when making the static route out for wan, I don't know the GW, how am I to? They simply do not want you to use a 2nd NAT under their system.