Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1528
Views
5
Helpful
5
Replies

Cisco FMC dual home internet connection

Go to solution
loganati
Level 1
Level 1

‎02-14-2021 11:29 PM - edited ‎02-15-2021 01:14 AM

Hi everyone!

 

I stuck at point, can anyone explain me how to configure Cisco FMC to automatically switch to second Internet channel, when main is down.

 

I have this config

 

route Outside_KTC 0.0.0.0 0.0.0.0 188.127.36.49 5 track 3
route Outside 0.0.0.0 0.0.0.0 88.204.132.81 10
route Outside_KTC 8.8.8.8 255.255.255.255 188.127.36.49 1

 

sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface Outside_KTC
num-packets 3
timeout 2000
threshold 2000
frequency 5
sla monitor schedule 1 life forever start-time now

 

Track 3
Response Time Reporter 1 reachability
Reachability is Up
342 changes, last change 15:00:07
Latest operation return code: OK
Latest RTT (millisecs) 70
Tracked by:
STATIC-IP-ROUTING 0

 

NAT:

Manual NAT Policies (Section 3)
1 (inside) to (Outside_KTC) source dynamic NAT_networks interface destination static any_IPv4 any
translate_hits = 15371055, untranslate_hits = 22239611
2 (inside) to (Outside) source dynamic NAT_networks interface description KT Channel
translate_hits = 0, untranslate_hits = 0

 

So, it looks like everything have to work fine, at least for me. I emulated 1st internet channel (Outside_KTC) down state, SLA went in down state and default route changes its direction, but Internet doesn't work over 2nd channel (Outside) until I disable NAT rule for 1st channel. Have any idea how configure it to work automatically? How to force NAT perform ip routing table lookup?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎02-15-2021 03:08 AM

FMC is generally a Management platform - Dual Gateway handles by Edge devices - like FTD or Your Internet Edge Routers Failover mechanism.

 

if you looking to deploy this on FTD watch the below video :

 

https://www.youtube.com/watch?v=MKcSBTJ55e8

https://integratingit.wordpress.com/2020/08/14/ftd-dual-isp-failover/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Cisco FTD Policy Based Routing
Cisco FTD Policy Based Routing
youtube.com/watch?v=MKcSBTJ55e8
Cisco FTD policy based routing (PBR) with IP SLA using Flexconfig on FMC LinkedIn: https://www.linkedin.com/in/ahmed-shalaby1/
5 Replies 5

Go to solution
pieterh
VIP
VIP

‎02-15-2021 03:07 AM

FMC is "just" central management this will not switch between internet connections
my suggestion is to also add a "track" to the NAT statement, so the firewall will use the other NAT plus outbound route

0 Helpful

Go to solution
loganati
Level 1
Level 1
In response to pieterh

‎02-15-2021 03:16 AM

It's obvious, but configuration to deploy on devices performs in the FMC.

Have any idea how to add track to NAT rule in FMC? Can't see this option.

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎02-15-2021 03:08 AM

FMC is generally a Management platform - Dual Gateway handles by Edge devices - like FTD or Your Internet Edge Routers Failover mechanism.

 

if you looking to deploy this on FTD watch the below video :

 

https://www.youtube.com/watch?v=MKcSBTJ55e8

https://integratingit.wordpress.com/2020/08/14/ftd-dual-isp-failover/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Cisco FTD Policy Based Routing
Cisco FTD Policy Based Routing
youtube.com/watch?v=MKcSBTJ55e8
Cisco FTD policy based routing (PBR) with IP SLA using Flexconfig on FMC LinkedIn: https://www.linkedin.com/in/ahmed-shalaby1/

Go to solution
loganati
Level 1
Level 1
In response to balaji.bandi

‎02-15-2021 08:11 AM

Thanks a lot, second link was a really helpful. You have to use Auto NAT rules, but can't use the same source objects, so you have to create 2 different network object with the same address space inside. It works!

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to loganati

‎02-15-2021 09:55 AM

yes, that is the trick, nice to know all working as expected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents