4275 Views | 0 Helpful | 2 Replies

FTD with two outside interfaces

dejan_jov1
Level 1

Hi,


I need to configure a Firepower 2110 so that it has two Outside interfaces.

Of course, I will put a Default Gateway route on interface Outside_1 and I will have all my traffic go this direction. But I need e.g. that my second, Outside_2, interface be an AnyConnect gateway. What options do I have? I assume that FTD doesn't allow two active default routes to two different interfaces.

My idea is that I configure a Router with Source and destination NAT on the Outside_2 interface so that the FTD only sees that Router on this interface, but this would be just too complicated. Are there any other solutions?

Thanks

Dejan

Accepted Solution

Hi,

I configured PBR over FlexConfig on this Firepower so it solved this problem. The FlexConfig was a little bit tricky to configure but at the end it’s functioning as expected. The issue that I think that I still have here is that the FlexConfig isn’t really supported. From the FMC Configuration Guide:

"FlexConfig features may become deprecated at any time. For fully guaranteed feature support, you must wait for Firepower Management Center support. When in doubt, do not use FlexConfig policies."

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/flexconfig_policies.html?bookSearch=true#id_39808

I hope the migration from FlexConfig will not be painful...

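For readers who want to see what "PBR over FlexConfig" looks like on the device, the following is an added illustration and is not the poster's configuration. It shows the ASA-style commands that an FMC FlexConfig object pushes to the FTD: an extended ACL classifies the traffic, a route-map sets the Outside_2 next hop, and the route-map is bound to the ingress interface with `policy-route`. All names, interface IDs and addresses below are constructed placeholders; in practice the ACL is normally created as an FMC extended ACL object and referenced from the FlexConfig by variable rather than typed as a raw `access-list` line.

```text
! Constructed example: lines deployed by a FlexConfig object
! (Deployment: Everytime, Type: Append). Not the original poster's config.

! 1. Classify the traffic that must leave via Outside_2 instead of the
!    default route. 10.0.0.0/24 is an assumed inside subnet (placeholder).
access-list PBR_TO_OUTSIDE2 extended permit ip 10.0.0.0 255.255.255.0 any

! 2. Route-map: matching packets are forwarded to the Outside_2 gateway.
!    203.0.113.1 is a constructed ISP-2 next-hop address.
route-map PBR_TO_OUTSIDE2 permit 10
 match ip address PBR_TO_OUTSIDE2
 set ip next-hop 203.0.113.1

! 3. PBR is evaluated on the interface where the traffic ENTERS the
!    firewall, so the route-map is applied to the inside-facing interface.
!    GigabitEthernet1/3 is an assumed interface ID (placeholder).
interface GigabitEthernet1/3
 policy-route route-map PBR_TO_OUTSIDE2
```

After deployment, two checks are worth running from the FTD CLI before trusting the policy: `show running-config route-map` confirms the route-map and its `set ip next-hop` landed as intended, and `packet-tracer input <ingress-nameif> tcp 10.0.0.10 12345 198.51.100.10 443` (addresses constructed) shows whether a flow from the classified subnet is steered to Outside_2 or still follows the default route. Keep the ACL as narrow as possible: any traffic it matches bypasses the routing table, so an over-broad `permit ip any any` silently re-routes far more than the VPN-related traffic you intended.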

2 Replies

You don't have another option. The source IPs are dynamic and the return traffic will always go through the default gateway. Your option isn't too complicated and is commonly used. You can have a multi-context deployment and keep one context for VPN use while the other one is for internet.

