FTD with multiple Outside Interfaces

dcanady55
Level 3

Hello,

FTD 2110s running 7.4.2.1 in HA, and ultimately trying to set up a site-to-site VPN between this FTD pair and another FTD pair at our other datacenter.

However, right now I'm just trying to route plain old internet traffic out of my second outside interface and I'm struggling. I have a feeling that PBR is my only way to go but wanted to explain what I've done to see if there's another way or if I am missing something.

I have a /29 from the ISP and I enabled another interface on the FTD with one of those IPs in that range and labeled it Outside2, using the existing security zone of the original Outside. Not sure that matters, as I didn't want to reinvent the wheel if we ever started sending traffic out of this interface. I have a static route at the top of my list pointing a test network 10.15.100.0/29 to this ISP's gateway. I can ping the gateway from the FTD. I then created a NAT rule and put it at the top of my list saying anything coming from the inside interface with an original source in the test network should use the Outside2 interface and be translated to that interface's public IP. Then I set up a few packet captures on the FTD and, using a test SVI on the inside, sourced my pings from 10.15.100.1 to something out on the web, and it routes through the original outside interface and not the new one. Is PBR my only option? Thanks


3 Replies

@dcanady55 for the S2S VPN, you can just define a static route to the remote peer via OUTSIDE2 interface and obviously configure the remote firewall to peer with your OUTSIDE2 interface IP address.

Run packet-tracer from the CLI to simulate the traffic that you'd expect to be routed via PBR and provide the output. Here is an example of PBR that is similar to your scenario.

You could also look at the SDWAN functionality for application aware routing. https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/sd-wan-capabilities.html


@Rob Ingram thanks for the response, and I will try the PBR. I'm not following the NAT example in the article but will play around with it and see what I can come up with. I eventually will need the FTD to track the main route out to the Internet and, if that goes down, flip over to the secondary route off this PBR. Hoping I can accomplish that with this type of setup. I will try a few things and report back what happens.

Thanks, 

@dcanady55 yes that sounds right. Here is an example of IP SLA monitor and tracking on the FTD.

To failover the VPN you could configure the peer with both IP addresses of your firewall, defining the secondary ISP as the primary. When/If failover occurs, DPD would bring down the tunnel and the peer would failover to the other interface. Or run a VTI to both interfaces, with the routing protocol to prefer one tunnel over the other. Upon failover traffic would re-route over the other tunnel.
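The two replies above rest on one point that the original post runs into: the routing table chooses an egress purely on the destination address, so a static route for the poster's own source network 10.15.100.0/29 never matches Internet-bound packets, whereas a PBR route-map applied to the inside interface matches on source, and an SLA-tracked default route plus a floating static is what provides the failover asked about in the second reply. The following Python model, added here as an illustration and not code from the thread or from Cisco, reproduces those three behaviours: the gateway addresses (203.0.113.1, 198.51.100.1), interface names, track ids and metrics are constructed assumptions; only 10.15.100.0/29 and 10.15.100.1 come from the post.

```python
"""Forwarding-decision model: destination routing vs. PBR vs. SLA-tracked failover.

Added example, not from the thread. Gateway addresses are constructed (RFC 5737
documentation ranges); only 10.15.100.0/29 comes from the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

OUTSIDE_GW = "203.0.113.1"    # constructed: primary ISP gateway on 'outside'
OUTSIDE2_GW = "198.51.100.1"  # constructed: second ISP gateway on 'outside2'
TEST_NET = ipaddress.ip_network("10.15.100.0/29")  # the poster's test SVI network


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    nexthop: str
    iface: str
    metric: int = 1               # 254 = floating static, used only when the primary is withdrawn
    track: Optional[int] = None   # route stays installed only while this SLA track is up


@dataclass
class PbrEntry:
    ingress: str                  # PBR is applied to the ingress (inside) interface
    src: ipaddress.IPv4Network    # the route-map matches on SOURCE, unlike the routing table
    nexthop: str
    iface: str
    track: Optional[int] = None   # 'verify-availability' style: skip the next hop if track is down


@dataclass
class Firewall:
    routes: List[StaticRoute]
    pbr: List[PbrEntry]
    tracks: Dict[int, bool]       # SLA track id -> reachability state (True = up)

    def _installed(self, entry) -> bool:
        """Untracked entries are always usable; tracked ones only while the track is up."""
        return entry.track is None or self.tracks.get(entry.track, False)

    def rib_lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Ordinary routing: longest destination prefix wins, then the lowest metric."""
        addr = ipaddress.IPv4Address(dst)
        cands = [r for r in self.routes if addr in r.prefix and self._installed(r)]
        if not cands:
            return None
        best = max(cands, key=lambda r: (r.prefix.prefixlen, -r.metric))
        return best.iface, best.nexthop

    def forward(self, ingress: str, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """PBR on the ingress interface is consulted before the routing table."""
        saddr = ipaddress.IPv4Address(src)
        for e in self.pbr:
            if e.ingress == ingress and saddr in e.src and self._installed(e):
                return e.iface, e.nexthop
        return self.rib_lookup(dst)


def build_fw(with_pbr: bool, isp1_up: bool = True) -> Firewall:
    """The poster's setup: tracked default via ISP1, floating default via ISP2, plus the /29 route."""
    routes = [
        StaticRoute(ipaddress.ip_network("0.0.0.0/0"), OUTSIDE_GW, "outside", 1, track=1),
        StaticRoute(ipaddress.ip_network("0.0.0.0/0"), OUTSIDE2_GW, "outside2", 254),
        # The route from the post: destination 10.15.100.0/29 via the second ISP gateway.
        StaticRoute(TEST_NET, OUTSIDE2_GW, "outside2", 1),
    ]
    pbr = [PbrEntry("inside", TEST_NET, OUTSIDE2_GW, "outside2")] if with_pbr else []
    return Firewall(routes, pbr, {1: isp1_up})


def egress_static_route_only():
    """Ping from 10.15.100.1 to the Internet: the /29 route never matches the destination."""
    return build_fw(with_pbr=False).forward("inside", "10.15.100.1", "8.8.8.8")


def what_the_static_route_affects():
    """The /29 route only steers packets whose DESTINATION is inside the test network."""
    return build_fw(with_pbr=False).forward("outside", "203.0.113.50", "10.15.100.1")


def egress_with_pbr():
    """Same ping with a route-map on 'inside' matching source 10.15.100.0/29."""
    return build_fw(with_pbr=True).forward("inside", "10.15.100.1", "8.8.8.8")


def egress_after_isp1_failure():
    """Track 1 goes down: the tracked default is withdrawn and the floating static takes over."""
    return build_fw(with_pbr=False, isp1_up=False).forward("inside", "10.15.1.10", "8.8.8.8")


if __name__ == "__main__":
    for fn in (egress_static_route_only, what_the_static_route_affects,
               egress_with_pbr, egress_after_isp1_failure):
        print(f"{fn.__name__:32s} -> {fn()}")
```

The first two functions show why the post's packet captures saw traffic leaving the original outside interface: the /29 static route is consulted only for packets addressed to 10.15.100.0/29, not from it. The third function is the PBR case from the first reply, and the fourth models the IP SLA track and floating static route from the second reply, where the primary default route is withdrawn when the tracked gateway stops answering and the metric-254 route becomes the best match.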
