Dual ISP Configuration and PBR on Cisco Firepower

nomorenoless (Level 1)

Hello everyone,

Happy Sunday to all! I am currently working on a production environment with dual ISPs, and I'm encountering some challenges with my configuration. I hope to get some guidance from the community.

Network Setup:

  • ISP 1: Interface 1/1 with IP 22.22.22.22/31, gateway 22.22.22.23
  • ISP 2: Interface 1/2 with IP 33.33.33.33/31, gateway 33.33.33.34
  • DMZ 1: Interface 1/11 with IP 10.1.1.1/24
  • DMZ 2: Interface 1/12 with IP 10.2.2.1/24

I'm using a Cisco Firepower 4110 and trying to configure Policy-Based Routing (PBR) to manage traffic as follows:

  • Route traffic from Webservers in DMZ 1 through ISP 1
  • Route traffic from DMZ 2 through ISP 2

Current Configuration Attempt:

  1. Access Control Lists (ACLs):

     access-list DMZ1_ACL permit ip 10.1.1.0 0.0.0.255 any
     access-list DMZ2_ACL permit ip 10.2.2.0 0.0.0.255 any

  2. Route-Map and FlexConfig:

     route-map RBP-ISP2 permit 10
      match ip address DMZ2_ACL
      set interface Ethernet1/2

  3. Interface Configuration:

     interface Ethernet1/12
      ip policy route-map RBP-ISP2

  4. NAT Configuration:

     object network DMZ2_NETWORK
      subnet 10.2.2.0 255.255.255.0
      nat (inside,outside2) dynamic interface

Despite these efforts, traffic from DMZ 2 through ISP 2 is dead. I have tested with only ISP 2, but I can't seem to get it to work. Could anyone help point me in the right direction or identify any potential issues with my setup?

Accepted Solution

Based on your network setup and configuration, I can provide some guidance/insight to help you resolve the issue(s). Your PBR configuration looks correct, but ensure you have a similar configuration for DMZ 1:

route-map RBP-ISP1 permit 10
match ip address DMZ1_ACL
set interface Ethernet1/1
!
interface Ethernet1/11
ip policy route-map RBP-ISP1

Your NAT configuration for DMZ 2 looks correct. For DMZ 1, ensure you have:

object network DMZ1_NETWORK
subnet 10.1.1.0 255.255.255.0
nat (inside,outside1) dynamic interface

Ensure you have proper static routes for both ISPs:

route outside1 0.0.0.0 0.0.0.0 22.22.22.23
route outside2 0.0.0.0 0.0.0.0 33.33.33.34

Regarding troubleshooting, and to double check that traffic is taking the correct path, these are commands you can use:

show nat detail
!
show route-map
!
packet-tracer input DMZ2 tcp 10.2.2.10 80 8.8.8.8 80
!
logging enable
logging console debugging
!

For public-facing web servers, you should use static NAT:

object network WEB_SERVER_DMZ2
host 10.2.2.10
nat (inside,outside2) static 33.33.33.35
!
object network WEB_SERVER_DMZ1
host 10.1.1.10
nat (inside,outside1) static 22.22.22.24
!

For port forwarding:

object network WEB_SERVER_DMZ2
host 10.2.2.10
nat (inside,outside2) static interface service tcp 80 80
nat (inside,outside2) static interface service tcp 443 443
!

Please do not forget to rate.


7 Replies

There is no NAT for prefix 10.1.1.0/24 ??

MHM

Hi @MHM Cisco World, my focus has been on configuring the NAT for the 10.2.2.0/24 network (DMZ 2) to route traffic through ISP 2 as a test, as mentioned before, but to answer your question: yes, I have:

object network DMZ1_NETWORK
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside1) dynamic interface

In the NAT you use the interface name inside, but you mention DMZ1 and DMZ2.

Can I see show interface ip brief?

MHM
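As an added illustration of the checks in the accepted solution and of MHM's question about the NAT interface names (this is example code written for this page, not the poster's configuration or a Cisco tool), the script below parses a small ASA/FTD-style configuration and cross-checks it: every `nat (src,dst)` pair must name a configured `nameif`, each DMZ interface must carry a `policy-route` whose route-map ACL actually matches the interface subnet, and each `set ip next-hop` must sit on a connected interface. It assumes the FlexConfig is written in ASA syntax (`nameif`, `policy-route route-map`, `set ip next-hop`) rather than the IOS-style `ip policy route-map` lines quoted in the thread, and the sample configuration is constructed here, reusing the thread's addresses. With the DMZ 2 NAT still reading `(inside,outside2)` it reports the nameif mismatch, and, because a /31 holds only two addresses, it also reports that gateway 33.33.33.34 is not on the 33.33.33.33/31 ISP 2 link as those placeholder addresses are written.

```python
import ipaddress
import re

# Constructed sample in ASA/FTD (FlexConfig) syntax reusing the thread's addresses;
# not the poster's real config. The DMZ 2 NAT keeps "inside" as its source nameif.
SAMPLE_CONFIG = """\
interface Ethernet1/1
 nameif outside1
 ip address 22.22.22.22 255.255.255.254
interface Ethernet1/2
 nameif outside2
 ip address 33.33.33.33 255.255.255.254
interface Ethernet1/11
 nameif dmz1
 ip address 10.1.1.1 255.255.255.0
 policy-route route-map RBP-ISP1
interface Ethernet1/12
 nameif dmz2
 ip address 10.2.2.1 255.255.255.0
 policy-route route-map RBP-ISP2
access-list DMZ1_ACL extended permit ip 10.1.1.0 255.255.255.0 any
access-list DMZ2_ACL extended permit ip 10.2.2.0 255.255.255.0 any
route-map RBP-ISP1 permit 10
 match ip address DMZ1_ACL
 set ip next-hop 22.22.22.23
route-map RBP-ISP2 permit 10
 match ip address DMZ2_ACL
 set ip next-hop 33.33.33.34
object network DMZ1_NETWORK
 subnet 10.1.1.0 255.255.255.0
 nat (dmz1,outside1) dynamic interface
object network DMZ2_NETWORK
 subnet 10.2.2.0 255.255.255.0
 nat (inside,outside2) dynamic interface
"""


def parse_config(text):
    """Parse only the statement forms used above; this is not a full ASA grammar."""
    ifaces, acls, rmaps, nats = {}, {}, {}, []
    ctx = None  # (block kind, record being filled) for the current config block
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            ctx = ("if", {"network": None, "pbr": None})
        elif tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit")  # access-list NAME extended permit PROTO SRC MASK any
            acls.setdefault(tok[1], []).append(
                ipaddress.ip_network(f"{tok[i + 2]}/{tok[i + 3]}", strict=False))
        elif tok[0] == "route-map":
            ctx = ("rm", {"acl": None, "next_hop": None})
            rmaps[tok[1]] = ctx[1]
        elif tok[:2] == ["object", "network"]:
            ctx = ("obj", {"name": tok[2], "net": None})
        elif ctx and ctx[0] == "if":
            if tok[0] == "nameif":
                ifaces[tok[1]] = ctx[1]  # the nameif is what NAT and routes refer to
            elif tok[:2] == ["ip", "address"]:
                ctx[1]["network"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
            elif tok[0] == "policy-route":
                ctx[1]["pbr"] = tok[2]
        elif ctx and ctx[0] == "rm":
            if tok[:3] == ["match", "ip", "address"]:
                ctx[1]["acl"] = tok[3]
            elif tok[:3] == ["set", "ip", "next-hop"]:
                ctx[1]["next_hop"] = ipaddress.ip_address(tok[3])
        elif ctx and ctx[0] == "obj":
            if tok[0] == "subnet":
                ctx[1]["net"] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False)
            elif tok[0] == "nat":
                src_if, dst_if = re.match(r"\((\S+),(\S+)\)", tok[1]).groups()
                nats.append((ctx[1]["name"], ctx[1]["net"], src_if, dst_if))
    return ifaces, acls, rmaps, nats


def lint(ifaces, acls, rmaps, nats):
    """Cross-check NAT nameifs, PBR match ACLs and next-hops against the interface table."""
    findings = []
    for obj, net, src_if, dst_if in nats:
        findings += [f"NAT {obj}: '{s}' is not a configured nameif"
                     for s in (src_if, dst_if) if s not in ifaces]
    for name, rec in ifaces.items():
        # Heuristic: RFC 1918 addressing marks a DMZ interface; the ISP links are public.
        if rec["network"] is None or not rec["network"].is_private:
            continue
        if rec["pbr"] is None:
            findings.append(f"Interface {name}: no policy-route, traffic follows the default route")
            continue
        # An undefined route-map surfaces below as "ACL None never matches".
        rm = rmaps.get(rec["pbr"], {"acl": None, "next_hop": None})
        srcs = acls.get(rm["acl"], [])
        if not any(rec["network"].subnet_of(s) or s.subnet_of(rec["network"]) for s in srcs):
            findings.append(f"Interface {name}: ACL {rm['acl']} never matches {rec['network']}")
        nh = rm["next_hop"]
        if nh is not None and not any(nh in i["network"] for i in ifaces.values() if i["network"]):
            findings.append(f"route-map {rec['pbr']}: next-hop {nh} is not on any connected interface")
    return findings


if __name__ == "__main__":
    print(*lint(*parse_config(SAMPLE_CONFIG)), sep="\n")
```

Run it as a script to print the findings. The parser only understands the statement forms present in the sample, so extend it before pointing it at a full `show running-config`; the value of the check is that the nameif used in `nat (...)` and the subnet matched by the PBR ACL are verified against the interface table instead of by eye.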

nomorenoless (Level 1)

Thinking about the issue, I will perform a test.

Reasoning:

  • Since I am trying to pass a public IP address to a web server, I cannot use a broad /24 network; instead I should be specific about the web server inside the 10.2.2.0/24 network, for example 10.2.2.2/24.

Testing possible workaround (33.33.33.35 is an example public IP):

object network WEB_SERVER
 host 10.2.2.2
 nat (inside,outside2) static 33.33.33.35

or:

object network WEB_SERVER
 host 10.2.2.10
 nat (inside,outside2) static interface service tcp 80 80
 nat (inside,outside2) static interface service tcp 443 443

I will do further testing and report here, but if anyone has a thought, I would appreciate the help.

Use packet-tracer to check in which phase the traffic stops.

MHM


nomorenoless (Level 1)

Thank you @Sheraz.Salim

I appreciate the hint. The issue was indeed NAT, but it was more complex than initially thought due to my specific configuration. I'm handling a single public IP and can't route it to a /24 network. Therefore, I had to develop a more granular policy to address the network and web server's static IP.

I'll share some details of this configuration once I've finished implementing the network.
