Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
571
Views
0
Helpful
5
Replies

FPR 1140 Source NAT Dual ISP Failover Config Using FDM

Chris Mickle
Level 1
Level 1

‎05-02-2025 05:41 AM

I have a few questions about trying to configure an FTD currently configured with multiple inside interfaces using source NAT to outside to work properly with a second ISP for failover purposes. I'm not trying to divide specific traffic between the two ISPs... This would be an all or nothing config. Use primary ISP for all inside networks always and fail over to second ISP only if primary is down.

I do not have FMC and have been unable to find any Cisco official documentation for configuring this function using FDM, however, every document I have found makes mention of using PBR to accomplish this goal, which as I understand, is configured using FlexConfig on FTD managed by FDM. I have been unable to find any documentation covering this.

Brief current network overview.

Inside 1        NAT to         WAN IP 1 on ISP 1

Inside 2        NAT to         WAN IP 2 on ISP 1

Inside 3        NAT to         WAN IP 3 on ISP 1

Etc...

In a failover scenario, I'm trying to accomplish the following...

Inside 1

Inside 2        ALL NAT to         WAN IP 1 on ISP 2

Inside 3

I did find the following unofficial guide to which seems to cover what I need for the most part.

FTD dual ISP using FDM – integrating IT

I have configured an interface for the second ISP, configured a static route for the second ISP. Set up the SLA monitor on the primary outside interface and added the second interface to the outside security zone.

Here are the questions...

First, in the above guide, the writer makes no mention of using PBR at all to accomplish this. Will that configuration even work as desired with PBR not configured meaning I misinterpreted the other documentation I was able to find?

Second, if the configuration from the guide will work, can I use a single any/any to ISP2_Int/interface NAT rule to translate all inside interfaces to the single secondary ISP WAN IP on failover or will I need to create separate NAT rules for each inside interface like I have now... IE Inside1/Inside1_subnet to ISP1_Int/ISP1_IP1 etc?

Hopefully I've been clear on what I'm asking. This is uncharted territory for me.

I would greatly appreciate any help anyone can provide.

0 Helpful
5 Replies 5

ahollifield
VIP
VIP

‎05-02-2025 07:51 AM

Why use FDM and not FMC?

0 Helpful

Chris Mickle
Level 1
Level 1
In response to ahollifield

‎05-02-2025 09:25 AM

I'm currently looking into it, but we only have two of these devices. I would like to, but it will come down ultimately to cost.

0 Helpful

MHM Cisco World
VIP
VIP

‎05-02-2025 08:10 AM

you use dynamic NAT ? if yes then 
you need only 

config three dyanmic NAT one for each inside-outside 
config PBR for direct traffic (routing not NATing)

MHM

0 Helpful

Chris Mickle
Level 1
Level 1
In response to MHM Cisco World

‎05-02-2025 09:29 AM

I used three inside-outside NAT mappings in my example, but in reality there are actually 12 so I was trying to avoid having to create that many. If that's what has to be done though so be it. I just thought there might be a simpler way.

Your second statement about configuring PBR is my real big question. I have been unable to find any documentation about how to configure it in the FTD using FDM. I understand it is using FlexConfig, but I can't find the info on it.

0 Helpful

MHM Cisco World
VIP
VIP
In response to Chris Mickle

‎05-02-2025 12:18 PM

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/222879-configure-dual-active-route-based-site-t.html <<- this link how you use PBR in FDM, link talk about VTI but it work with multi ISP also 

MHM

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card