Solved: Firepower (FTD) HA designs

rob.kiste · ‎10-19-2021

We are looking to get 2 new FTD's and want to deploy them in a HA pair, I've been going thru docs and designs and noticed all of them show a RTR as the edge device and both FTD's coming off of that. (with private ip addresses on the outside interfaces)

Can you do HA with keeping the Outside interface as a public ip? (So we do not need the additional RTR?)

My concern is that now all of my NAT'ing will be done on that RTR and not the FTD (managed by an FMC) Am i looking at this wrong?

FYI replacing my current 2110 and vFMC with a pair of 2130's and pFMC

Thanks,

Rob

Rob Ingram · ‎10-19-2021

@rob.kiste the diagrams in most guides tend to be oversimplified in some regards. As @balaji.bandi intimated you need Layer 2 connectivity between the FTD outside interfaces, typically the internet router would be in the same VLAN as the FTDs outside interfaces. For this you need a couple of switches (one will work, but less resilent). You do not need additional routers.

The IP addressing in the diagram is the 192.0.2.0/24 network, which isn't a private IP address range as such, but a special use network. Slightly misleading perhaps, but you don't need private IP addresses on the FTDs outside interface you can certainly use public IP address space.

An ISP wouldn't usually NAT unless you explictly requested it, normally their inside interface that connects to your outside interfaces would be in the public IP space, you'd control the nat translations, firewalling etc.

View solution in original post

balaji.bandi · ‎10-19-2021

You can have Public IP outside, Does your Router can be Tranparent ? or You have spare Public IP address to use on FTD.

You can offload NAT from Router to FTD if you like to. ?

Only concern, what model is this router, does this capable of connecting 2 FTD and make necessary changes to your topology ?

Do you have any Layer 2 device (Switch ) between Router and FTD ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

rob.kiste · ‎10-19-2021

Current setup: FTD --> Outside_Int-->(public ip) ISP RTR in transparent mode.

What RTR models should I look at to place between the ISP RTR and my FTD's?

balaji.bandi · ‎10-19-2021

If the provider handing over ethernet you can directly terminate to switch and connect your FTD

LAN----FTD----Switch-----Provider

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎10-19-2021

@rob.kiste the diagrams in most guides tend to be oversimplified in some regards. As @balaji.bandi intimated you need Layer 2 connectivity between the FTD outside interfaces, typically the internet router would be in the same VLAN as the FTDs outside interfaces. For this you need a couple of switches (one will work, but less resilent). You do not need additional routers.

The IP addressing in the diagram is the 192.0.2.0/24 network, which isn't a private IP address range as such, but a special use network. Slightly misleading perhaps, but you don't need private IP addresses on the FTDs outside interface you can certainly use public IP address space.

An ISP wouldn't usually NAT unless you explictly requested it, normally their inside interface that connects to your outside interfaces would be in the public IP space, you'd control the nat translations, firewalling etc.

rob.kiste · ‎10-19-2021

Thank you!

Rob