
Cisco FTD HA Pair + FMC - Two ISP links with BGP - Architecture

lmgomes
Level 1

Dear Team,

We have an FTD cluster in HA (a/p) managed by an FMC (all on version 7.4.2) and we are redesigning the architecture of the current solution. The new solution is intended to have two internet links (primary/secondary) with dynamic routing (BGP), with the ISP announcing the default route and the FTDs announcing a public network (a diagram is attached). From the aforementioned public network, one IP address will be used for the IPSec L2L and SSL VPN remote access tunnels and the rest for NAT.

Is the use of a Loopback interface supported to terminate IPSec L2L and SSLVPN remote access tunnels?

What would be the best approach/configuration to make this solution work?

Thank you

7 Replies

@lmgomes you can use the loopback interface for L2L IPSec VPN. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/vpn-s2s.html

"Choose the tunnel source interface from the Tunnel Source drop-down list.

The VPN tunnel terminates at this interface, a physical or loopback interface"

Guide

https://secure.cisco.com/secure-firewall/v7.3/docs/loopback-interface

https://secure.cisco.com/secure-firewall/v7.3/docs/dynamic-virtual-template-interface-dvti

I don't believe you can use a loopback for Remote Access VPN, though; you'd have to terminate it on the outside interface.
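As an added example (not configuration from this thread, from Cisco, or from the original poster), here is what the design in the original question looks like in ASA-style CLI, which is what FMC renders for an FTD in show running-config: two eBGP sessions announcing the public range, ISP1 preferred in both directions, and a loopback holding the single VPN address that a VTI uses as its tunnel source, the arrangement Rob's reply points at. All addresses, AS numbers, interface names and object names are assumed (RFC 5737 and RFC 6996 documentation ranges); on FTD these are set through the FMC Interfaces, BGP, NAT and Site-to-Site VPN pages rather than typed in.

```cisco
! Assumed addressing (constructed for this example, not from the thread):
!   AS 65000 = this site, AS 64496 = ISP1 (primary), AS 64497 = ISP2 (backup)
!   198.51.100.0/24 = the public range the FTD announces
!   203.0.113.0/30 = ISP1 link, 203.0.113.8/30 = ISP2 link
!   192.0.2.10 = remote L2L peer
interface GigabitEthernet0/0
 nameif isp1
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif isp2
 security-level 0
 ip address 203.0.113.10 255.255.255.252
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.0.0
!
! The loopback holds the one address that terminates VPNs. It never goes
! down with a link, and the /24 it belongs to is advertised to both ISPs,
! so peers keep the same endpoint whichever ISP is carrying the traffic.
interface Loopback1
 nameif vpn-lo
 security-level 0
 ip address 198.51.100.1 255.255.255.255
!
! Route-based L2L: the VTI sources from the loopback. VTI-PROFILE (IKEv2
! policy and IPsec proposal) is assumed to be defined elsewhere.
interface Tunnel1
 nameif vti-branch
 ip address 169.254.10.1 255.255.255.252
 tunnel source interface vpn-lo
 tunnel destination 192.0.2.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Peer packets addressed to the loopback arrive on the physical links,
! so IKEv2 is enabled there, not on the loopback.
crypto ikev2 enable isp1
crypto ikev2 enable isp2
!
! Outbound: prefer ISP1 by local-preference on what each ISP sends us.
route-map ISP1-IN permit 10
 set local-preference 200
route-map ISP2-IN permit 10
 set local-preference 100
!
! Inbound: advertise only our aggregate (implicit deny keeps ISP1's
! routes from leaking to ISP2 and vice versa), prepended toward ISP2
! so the Internet prefers the ISP1 path while it is up.
prefix-list PUBLIC seq 10 permit 198.51.100.0/24
route-map ISP1-OUT permit 10
 match ip address prefix-list PUBLIC
route-map ISP2-OUT permit 10
 match ip address prefix-list PUBLIC
 set as-path prepend 65000 65000 65000
!
router bgp 65000
 bgp log-neighbor-changes
 bgp router-id 198.51.100.1
 address-family ipv4 unicast
  neighbor 203.0.113.1 remote-as 64496
  neighbor 203.0.113.1 activate
  neighbor 203.0.113.1 route-map ISP1-IN in
  neighbor 203.0.113.1 route-map ISP1-OUT out
  neighbor 203.0.113.9 remote-as 64497
  neighbor 203.0.113.9 activate
  neighbor 203.0.113.9 route-map ISP2-IN in
  neighbor 203.0.113.9 route-map ISP2-OUT out
  ! The /24 must exist in the routing table for this to be advertised;
  ! a static route for 198.51.100.0/24 to Null0 is the usual anchor.
  network 198.51.100.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!
! The rest of the public range is a PAT pool; it deliberately excludes
! the loopback address so NAT never hands out the VPN endpoint.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.0.0
object network PAT-POOL
 range 198.51.100.2 198.51.100.254
nat (inside,any) source dynamic INSIDE-NET pat-pool PAT-POOL
```

After failing the primary link, check show bgp summary and show route on the active unit: the default route should flip to 203.0.113.9 while the L2L tunnel stays up on 198.51.100.1, because the peer's traffic now arrives via ISP2 but is still addressed to the loopback. The two outbound route-maps are the security-relevant part: without the prefix-list match the FTD would re-advertise one ISP's full table to the other and become a transit path.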

Hi @Rob Ingram 

Thank you for your reply. Indeed, the loopback interface is a solution for IPSec L2L.

For SSL VPN remote access, and since we will have two internet links and it is a requirement to use one of the IPs from the public range, I have to find another solution.

Thanks

@lmgomes why do you need to use one of the IPs from the public range using a loopback? You can still connect to the physical IP address of the FTD, with failover to the other. Or you could use a cloud load balancer to load balance the connections to either FTD outside interface.

If you use an FQDN for the RA VPN and your DNS provider allows configuring primary and secondary public IPs for the FQDN resolution and monitoring their status, then you could go with that solution. Basically what will happen is that when the remote clients try to connect to your VPN they will use the FQDN, and if the primary ISP link is down your DNS provider will remove that IP from the list, so the DNS resolution will fall back to the secondary ISP public IP. Alternatively, you could rely on the Secure Client profile, where you configure the primary and the backup servers.

Let's start:

1- SSL VPN: it is hard to use one ISP for it and the other for NAT, since in the end the SSL VPN access comes from the internet and uses a random public IP, so you can't; you need to use one ISP for both SSL VPN and NAT.

2- L2L VPN: you can use a different ISP; what you need is two static routes:

A- a static route for the remote peer IP of the VPN

B- a static route for the remote VPN subnet (remote protected subnet)

MHM
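The two static routes MHM describes, written out as an added example in ASA-style CLI (not configuration from the thread or from Cisco), for a policy-based L2L tunnel that should ride the secondary ISP while the default route stays on the primary. Interface names, the peer address 192.0.2.10, the protected subnets, the crypto map and object names are all assumed; the IKEv2 policy and the AES-GCM IPsec proposal are referenced by name and assumed to be defined elsewhere.

```cisco
! Assumed (constructed for this example): isp2 interface 203.0.113.10/30
! with next hop 203.0.113.9, remote peer 192.0.2.10, local protected
! subnet 10.0.0.0/16 behind "inside", remote protected subnet 10.20.0.0/16.
!
! A - route for the peer itself: IKE and ESP toward 192.0.2.10 must leave
!     via isp2 instead of following the default route out the primary ISP.
!     The peer then sees 203.0.113.10 as our endpoint and must be configured
!     with that address, not the primary ISP address.
route isp2 192.0.2.10 255.255.255.255 203.0.113.9 1
!
! B - route for the remote protected subnet: traffic for 10.20.0.0/16 has
!     to be routed to the interface the crypto map is bound to. If it is
!     left to the default route it goes out the primary ISP, never matches
!     the crypto ACL, and leaves unencrypted (after PAT) instead of inside
!     the tunnel.
route isp2 10.20.0.0 255.255.0.0 203.0.113.9 1
!
crypto ikev2 enable isp2
!
access-list VPN-BRANCH extended permit ip 10.0.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto map ISP2-MAP 10 match address VPN-BRANCH
crypto map ISP2-MAP 10 set peer 192.0.2.10
crypto map ISP2-MAP 10 set ikev2 ipsec-proposal AES-GCM
crypto map ISP2-MAP interface isp2
!
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
! NAT exemption, so the crypto ACL is evaluated against the real addresses
! rather than the PAT pool; without it the interesting-traffic match fails.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.0.0
object network BRANCH-NET
 subnet 10.20.0.0 255.255.0.0
nat (inside,isp2) source static INSIDE-NET INSIDE-NET destination static BRANCH-NET BRANCH-NET no-proxy-arp route-lookup
```

To confirm the routes are doing their job, run packet-tracer input inside tcp 10.0.0.5 12345 10.20.0.5 443 on the FTD: the ROUTE-LOOKUP phase should select isp2 and a VPN phase should follow; if the trace ends at the NAT phase with the primary interface as egress, route B is missing or is being beaten by a more specific route.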

Hi @MHM Cisco World 

I may not have explained myself well, and this may have caused some confusion. In the solution we intend to implement, we will have two internet links with the ISP, one main (always active) and another secondary (as a backup in case the main one fails). Since we have a public IP range, we will implement dynamic routing (BGP) to announce the public IP range we have to the ISP and receive the default route. As for the use of our public IP range, one IP, always the same, will be used to terminate the IPSec L2L and SSL VPN remote access tunnels, and the remaining IP addressing will be used for NAT.

Thank you

You run a cluster, not a primary/backup HA FTD?

MHM
