
2 ISP on FTD redundancy under Firesight Management Center

bgaponenko
Level 1

Hi. I have FTD under Firesight Management Center (with the latest version 6.2.0.2). My Firepower (routed mode) has two different ISP connections. How can I configure ISP redundancy if I also have a static NAT/PAT configuration? I know that one way to solve this problem is by implementing FlexConfig, but how....

2 Replies

bgaponenko
Level 1
Help!

Hi, I just ran into this question myself trying to set up my two FTD 2110s in HA with dual ISP redundancy.

Basically you have to set up your manual static one-to-one NAT rules and manual dynamic PAT entries for each ISP interface. So you should have two rules for each NAT entry: one for ISP1 and one for ISP2. If you just need ISP failover and don't need the secondary ISP link passing traffic when the primary link is up, you would just make two default routes and use SLA tracking on the first route.

i.e.

0.0.0.0 0.0.0.0 isp1-gateway-ip metric 1 (SLA tracking set up to monitor the first hop after the WAN gateway, or another address)
0.0.0.0 0.0.0.0 isp2-gateway-ip metric 254

So all traffic will route through ISP1 until the SLA monitor can't hit the monitored address; then it will remove the primary route, the ISP2 route will become active, and all traffic will flow in and out of that link.

Be sure to set up your access policy and such for both external zones.
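The failover setup described in this reply, written out as an added example in ASA syntax (this is not the reply's own configuration and not Cisco's template): one SLA monitor tracking reachability through ISP1, two default routes where only the ISP1 route is tracked, and the manual NAT rules duplicated for both ISP interfaces. The interface names (inside, outside1, outside2), the 203.0.113.x / 198.51.100.x addresses and the 10.1.1.0/24 inside network are constructed placeholders. On FTD 6.2 under FMC these pieces are built in the GUI (SLA Monitor object, static routes with route tracking, and the NAT policy) rather than typed in; the CLI form below is the equivalent the device runs, shown so the pieces and their ordering are visible in one place.

```cisco
! Added example, ASA syntax; every address here is a constructed RFC 5737 documentation value.
! Interfaces assumed: inside (LAN), outside1 (ISP1), outside2 (ISP2).

! --- Reachability probe toward ISP1 ---
! Probe an address beyond the ISP1 gateway: the gateway itself can keep answering
! pings while the ISP's upstream is actually down.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.254 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! --- Two default routes ---
! The ISP1 route (metric 1) is withdrawn when track 1 goes down; the ISP2 route
! (metric 254) is always present but only used once the ISP1 route is gone.
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- Objects used by the NAT rules ---
object network inside-net
 subnet 10.1.1.0 255.255.255.0
object network web-server
 host 10.1.1.10
object network web-server-isp1
 host 203.0.113.10
object network web-server-isp2
 host 198.51.100.10

! --- NAT rules, one copy per ISP interface ---
! Manual (twice) NAT rules are evaluated in the order they are configured, so the
! static one-to-one rules come first and the catch-all dynamic PAT rules last.
nat (inside,outside1) source static web-server web-server-isp1
nat (inside,outside2) source static web-server web-server-isp2
nat (inside,outside1) source dynamic inside-net interface
nat (inside,outside2) source dynamic inside-net interface
```

Two things worth checking once this is deployed: the published server is reachable on both public addresses regardless of which link is active, so the access control policy needs matching rules in both external zones, exactly as the reply says; and the state of the probe and the active default route can be confirmed from the FTD CLI with `show track 1` and `show route` before and after pulling the ISP1 link.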

---

If you want to load balance both links instead of using them as a failover, you would not use SLA monitoring on the default route and instead use Policy Based Routing.

The below is per Cisco...

access-list testacl extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
// Configure the extended ACL from Objects --> Object Management --> Access List --> Extended.

route-map testmap permit 12
 match ip address testacl
 set ip next-hop x.x.x.x
// Configure the route map from Objects --> Object Management --> Route Map.
// The next-hop IP address can be configured under Set Clauses --> Others.

interface GigabitEthernet0/0
 policy-route route-map testmap
// Use the FlexConfig from Devices --> FlexConfig --> under System Defined, use the template Policy_Based_Routing as an example. (The template is an example of a PBR policy configuration. It cannot be used as is for deployment. The user needs to copy it, modify the interface name and insert a route-map object variable to deploy PBR configurations. The route-map object is managed by FMC.)
