
Firepower (FTD) HA designs

rob.kiste
Level 1

We are looking to get 2 new FTDs and want to deploy them in an HA pair. I've been going through docs and designs and noticed all of them show an RTR as the edge device and both FTDs coming off of that (with private IP addresses on the outside interfaces).

Can you do HA while keeping the outside interface as a public IP? (So we do not need the additional RTR?)

My concern is that now all of my NAT'ing will be done on that RTR and not the FTD (managed by an FMC). Am I looking at this wrong?

FYI, I'm replacing my current 2110 and vFMC with a pair of 2130s and a pFMC.

Thanks,

Rob
[Attachment: FTD-HA.JPG]

Accepted Solution

@rob.kiste the diagrams in most guides tend to be oversimplified in some regards. As @balaji.bandi intimated, you need Layer 2 connectivity between the FTD outside interfaces; typically the internet router would be in the same VLAN as the FTDs' outside interfaces. For this you need a couple of switches (one will work, but it is less resilient). You do not need additional routers.

The IP addressing in the diagram is the 192.0.2.0/24 network, which isn't a private IP address range as such, but a special-use network. Slightly misleading perhaps, but you don't need private IP addresses on the FTDs' outside interface; you can certainly use public IP address space.

An ISP wouldn't usually NAT unless you explicitly requested it. Normally their inside interface that connects to your outside interfaces would be in the public IP space, and you'd control the NAT translations, firewalling etc.

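Two points in the accepted answer lend themselves to a quick sanity check: 192.0.2.0/24 is a documentation (special-use) range rather than RFC 1918 private space, and the FTD outside interfaces and the ISP router have to share one Layer 2 segment and subnet. The script below is an added example, not code from this thread or from any Cisco tool; `check_ha_outside` and `classify` are hypothetical helper names and all addresses in it are constructed sample values.

```python
"""Sanity-check the outside addressing of an FTD HA pair (added example).

Assumed design: both FTD outside interfaces (one active address, one standby
address) and the ISP router share a single Layer 2 segment and subnet.
All addresses below are constructed sample values.
"""
import ipaddress

# RFC 1918 private space, i.e. what "private IP" normally means.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 5737 documentation ranges (TEST-NET-1/2/3): special-use, not private
# space, and the range most vendor diagrams (192.0.2.0/24) are drawn with.
RFC5737 = [ipaddress.ip_network(n) for n in
           ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def classify(addr: str) -> str:
    """Classify an address. ipaddress.is_private is True for 192.0.2.x too
    (it means 'not globally routable'), so RFC 1918 is tested explicitly."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "rfc1918-private"
    if any(ip in n for n in RFC5737):
        return "rfc5737-documentation"
    return "global" if ip.is_global else "other-special-use"


def check_ha_outside(subnet: str, active: str, standby: str, gateway: str) -> list:
    """Return design problems for the outside segment; [] means consistent."""
    net = ipaddress.ip_network(subnet, strict=True)
    roles = {"active": ipaddress.ip_address(active),
             "standby": ipaddress.ip_address(standby),
             "gateway": ipaddress.ip_address(gateway)}
    problems = []
    for role, ip in roles.items():
        if ip not in net:  # the HA pair and router must be L2-adjacent in one subnet
            problems.append(f"{role} {ip} is not in {net}")
    if len(set(roles.values())) != 3:
        problems.append("active, standby and gateway addresses must be distinct")
    if any(classify(str(ip)) == "rfc1918-private" for ip in roles.values()):
        # Private outside addressing forces NAT onto the upstream router
        # instead of the FTD/FMC NAT policy.
        problems.append("outside segment is RFC 1918; NAT would land on the router")
    return problems


if __name__ == "__main__":
    print(classify("192.0.2.1"))  # rfc5737-documentation
    print(check_ha_outside("192.0.2.0/24", "192.0.2.10", "192.0.2.11", "192.0.2.1"))
```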

5 Replies

balaji.bandi
Hall of Fame

You can have a public IP on the outside. Can your router be transparent? Or do you have spare public IP addresses to use on the FTD?

You can offload NAT from the router to the FTD if you like to.

Only concern: what model is this router, and is it capable of connecting 2 FTDs and making the necessary changes to your topology?

Do you have any Layer 2 device (switch) between the router and the FTD?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Current setup: FTD --> Outside_Int --> (public IP) ISP RTR in transparent mode.

What RTR models should I look at to place between the ISP RTR and my FTDs?

If the provider is handing over Ethernet, you can terminate directly on a switch and connect your FTDs.

LAN----FTD----Switch-----Provider

BB



Thank you!

Rob
