
How to add dual ISP in Firepower Threat Defense

Salman.Baig
Level 1

How do I add two static routes in Firepower Threat Defense with dual ISP?

For example, I have two subnets in the inside zone:

A> 10.0.1.1 255.255.255.0

B> 10.0.2.1 255.255.255.0

Two ISPs in the outside zone:

ISP1

ISP2

I need traffic from subnet A to go out through ISP1 with NAT, and traffic from subnet B to go out through ISP2 with NAT. Is it possible? If so, please help with how to do that.


Mike.Cifelli
VIP Alumni

You can definitely accomplish your requirements. Since you have two ISP connections, I would recommend using static route tracking. Basically, FTD associates a static route using ICMP echo requests. Just make sure the other side can respond to the requests. This will allow both of your subnets to still get out if one of your ISP connections fails in the configured tracking time.

As for your NAT requirement use this link (literally shows step by step):

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212702-configure-and-verify-nat-on-ftd.html#anc7

 

HTH!

 

 

hoffa2000
Level 3

Hi

It sounds like you're trying to set up policy-based routing, which is supported by using FlexConfig. I haven't set it up myself in a production environment, but have a look at https://www.youtube.com/watch?v=lakHhw9CR5Y which goes through the steps.

As a pointer to Cisco though, it would be a nice addition to the suggestion box to integrate this feature into the FMC.

 

Regards

Fredrik

Just wanted to update. It's 2022 and the FMC still can't perform like the old ASA could.

ASDM with all its flaws made this easy.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118962-configure-asa-00.html

 

What can't it perform? It's pretty easy to create an IP SLA and apply it to a default route in FMC/FTD.
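
The two approaches suggested in this thread (static route tracking and policy-based routing), written as ASA-style CLI for the two subnets in the question. This is an added example, not configuration from any of the posters or from the linked Cisco documents; the interface names, interface ID, next-hop addresses (documentation ranges), SLA and track numbers, and object names are all assumptions.

```text
! Constructed example. Assumed names: outside1 = ISP1 link, outside2 = ISP2 link.
! Assumed next hops (documentation ranges): ISP1 203.0.113.1, ISP2 198.51.100.1.

! --- Static route tracking: probe ISP1's gateway with ICMP echo ---
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Primary default route via ISP1, withdrawn while track 1 is down
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Backup default route via ISP2 (higher administrative distance)
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- Policy-based routing: send subnet B (10.0.2.0/24) out through ISP2 ---
access-list PBR_SUBNET_B extended permit ip 10.0.2.0 255.255.255.0 any
route-map PBR_INSIDE_B permit 10
 match ip address PBR_SUBNET_B
 set ip next-hop 198.51.100.1

! Apply the route-map on the interface where subnet B traffic enters
! (GigabitEthernet0/2 is a hypothetical interface ID)
interface GigabitEthernet0/2
 policy-route route-map PBR_INSIDE_B
```

Subnet A is not matched by the route-map, so it follows the tracked default route through ISP1. The NAT rules for each subnet and outside interface are configured separately, as in the NAT guide linked above.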
