Firepower FTD/FMC 6.7 BGP Route Insertion

andydaws
Level 1

Hi, we currently have a 3rd-party firewall for Internet access, in a simplified view like below, with transit VLANs spread across 2 sites; traffic can leave via either site but with a preference for the local one. Outbound traffic NATs to the outside interface of each firewall.

Inbound traffic comes via a supplied small block of IP addresses like the one below, 84.3.2.192/28 (example IP). These are advertised to the ISP using BGP, with each firewall having a lower preference for the other half of the block in case of failure; this is then NATted to internal services.

As BGP will only advertise routes that are in the routing table, we currently have two loopback addresses to do this, all of which works nicely.

Now I know that the Firepower does not support loopback addresses, but from memory (long ago) on an ASA I seem to remember simply applying the NAT from public to private address, and as long as the private address was up this was good enough to bring up the route (not tested with BGP at the time, though). But this does not seem to be the case with the Firepower FTDs, unless I am missing something or there is another way to accomplish this.

Because the existing environment is live, we are trying to match the existing environment, then during a short outage window shut the ports on the old firewall and enable them on the new one.

Any ideas/links/help?

Internet Network.jpg

Accepted Solution

andydaws
Level 1

Following up to let other people know, as I have seen similar issues from other people: I have found the resolution.

To get a route into the routing table of the local device, to then be advertised by BGP, you can configure a static Null route and then add the network object.


static null.JPG

You would think that this would just blackhole the inbound data, but this is where the magic occurs: any NAT to the private address occurs before this routing decision.

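As an added illustration (not part of the original thread and not FTD code), here is a small Python model of the order of operations the accepted solution relies on: an inbound packet is untranslated by the static NAT first, and only the translated destination is then looked up in the routing table. The public block 84.3.2.192/28 is the thread's example; the private hosts, interface names and NAT entries are constructed assumptions.

```python
"""Model of why a static Null0 route for the public /28 puts the prefix in
the RIB for BGP without blackholing NATted inbound traffic.

Constructed example for illustration; it is not Firepower/FTD code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # "Null0" models the static null route from the thread


# Constructed routing table (RIB) of one FTD.
RIB: List[Route] = [
    Route(ipaddress.ip_network("10.1.1.0/24"), "inside"),    # connected
    Route(ipaddress.ip_network("0.0.0.0/0"), "outside"),     # default to ISP
    Route(ipaddress.ip_network("84.3.2.192/28"), "Null0"),   # static Null route
]

# Constructed static NAT entries: public address -> private host.
STATIC_NAT: Dict[str, str] = {
    "84.3.2.193": "10.1.1.10",  # e.g. web server (assumed)
    "84.3.2.194": "10.1.1.20",  # e.g. mail relay (assumed)
}

# The prefix the BGP "network" statement asks to advertise.
BGP_NETWORK_STATEMENTS = [ipaddress.ip_network("84.3.2.192/28")]


def lookup(dst: str, rib: List[Route]) -> Optional[Route]:
    """Longest-prefix match over the RIB."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def forward_inbound(dst_public: str, rib: List[Route] = RIB,
                    nat: Dict[str, str] = STATIC_NAT) -> str:
    """Inbound packet from the ISP: untranslate first, then route."""
    # Step 1: destination NAT (untranslate) is applied before routing.
    dst_after_nat = nat.get(dst_public, dst_public)
    # Step 2: the route lookup is done on the *translated* destination,
    # so a NATted address matches the connected inside route, not Null0.
    route = lookup(dst_after_nat, rib)
    if route is None or route.interface == "Null0":
        return "dropped (Null0)"
    return f"forwarded via {route.interface} to {dst_after_nat}"


def bgp_advertised(rib: List[Route]) -> List[str]:
    """BGP only advertises a network statement with an exact RIB match."""
    rib_prefixes = {r.prefix for r in rib}
    return [str(n) for n in BGP_NETWORK_STATEMENTS if n in rib_prefixes]


def rib_without_null_route(rib: List[Route] = RIB) -> List[Route]:
    """The same RIB minus the static Null route, for comparison."""
    return [r for r in rib if r.interface != "Null0"]


if __name__ == "__main__":
    print("advertised with Null route:   ", bgp_advertised(RIB))
    print("advertised without Null route:", bgp_advertised(rib_without_null_route()))
    for dst in ("84.3.2.193", "84.3.2.200"):
        print(f"{dst} with Null route:    {forward_inbound(dst)}")
        print(f"{dst} without Null route: "
              f"{forward_inbound(dst, rib_without_null_route())}")
```

Two things the model makes visible: without the Null route the /28 is absent from the RIB and the network statement advertises nothing, and an address in the block that has no NAT entry would otherwise match the default route and be sent back out to the ISP; with the Null route such unused addresses are simply dropped, while NATted addresses still reach the inside host because the untranslate step runs before the route lookup.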

