Policy Based Routing on FTD (route-map) managed by FDM

INFOTECH.jw
Level 1

Hello Community,

On an FPR-1010 (FTD version 6.6.1) managed by FDM, I want to do a simple static load distribution using policy-based routing.

On a Cisco ASA it is easy, as in this example:

interface Vlan1
 nameif inside
 policy-route route-map ROUTEMAP-INET2-OUT

object-group service g-TCP-PORTS-INET2 tcp
 port-object eq www
 port-object eq https

access-list ROUTEMAP-ACL-INET2-OUT extended permit tcp any any object-group g-TCP-PORTS-INET2
access-list ROUTEMAP-ACL-INET2-OUT extended permit <WHATEVER-YOU-WANT-TO-SEND-VIA-INET2>

route-map ROUTEMAP-INET2-OUT permit 10
 match ip address ROUTEMAP-ACL-INET2-OUT
 set ip next-hop <IP-ADDRESS-OF-INET2-GATEWAY>

To implement this on an FPR-1010 I have to use Smart CLI, as explained in https://www.cisco.com/c/en/us/td/docs/security/firepower/660/fdm/fptd-fdm-config-guide-660/fptd-fdm-route-maps.html

But I'm unable to configure the next-hop (last line of the code above)! As far as I can see, the manual only covers BGP routing.

Any ideas to implement it without an FMC appliance?

Thanks for all input. 
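The ASA example above chains four objects (interface, route-map, access-list, object-group) by name, and a typo in any one of those names leaves the policy-route silently matching nothing. The following checker is an added example, not code from the question or from Cisco: it parses an ASA-style PBR configuration and reports dangling references. The sample config is constructed to resemble the one in the question, with an access-list that deliberately references an object-group that is never defined, and a documentation-range next-hop address.

```python
"""Reference checker for an ASA/FTD policy-based-routing configuration.

Added example (not from the original post): parses the interface,
object-group, access-list and route-map stanzas of an ASA-style config and
reports dangling references between them.
"""
import re
from dataclasses import dataclass, field

# Constructed sample config, modelled on the ASA example in the question.
# The access-list deliberately references object-group g-TCP-PORTS-DSL, which
# is never defined, so the checker has something to report. The next-hop
# address is a documentation-range placeholder.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 policy-route route-map ROUTEMAP-INET2-OUT
!
object-group service g-TCP-PORTS-INET2 tcp
 port-object eq www
 port-object eq https
!
access-list ROUTEMAP-ACL-INET2-OUT extended permit tcp any any object-group g-TCP-PORTS-DSL
!
route-map ROUTEMAP-INET2-OUT permit 10
 match ip address ROUTEMAP-ACL-INET2-OUT
 set ip next-hop 203.0.113.1
"""


@dataclass
class PbrConfig:
    object_groups: set = field(default_factory=set)
    acls: set = field(default_factory=set)
    acl_group_refs: list = field(default_factory=list)   # (acl, object-group)
    route_maps: set = field(default_factory=set)
    rm_acl_refs: list = field(default_factory=list)      # (route-map, acl)
    rm_set_actions: dict = field(default_factory=dict)   # route-map -> [(kind, target)]
    iface_rm_refs: list = field(default_factory=list)    # (interface, route-map)


def parse_pbr_config(text):
    """Collect definitions and cross-references from the config text."""
    cfg = PbrConfig()
    section = None  # ("interface", name) or ("route-map", name) while inside a block
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):          # top-level command: starts or ends a block
            section = None
            if m := re.match(r"interface (\S+)$", line):
                section = ("interface", m.group(1))
            elif m := re.match(r"object-group service (\S+)", line):
                cfg.object_groups.add(m.group(1))
            elif m := re.match(r"access-list (\S+) extended ", line):
                acl = m.group(1)
                cfg.acls.add(acl)
                for grp in re.findall(r"object-group (\S+)", line):
                    cfg.acl_group_refs.append((acl, grp))
            elif m := re.match(r"route-map (\S+) (?:permit|deny) \d+", line):
                section = ("route-map", m.group(1))
                cfg.route_maps.add(m.group(1))
                cfg.rm_set_actions.setdefault(m.group(1), [])
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "interface":
            if m := re.match(r"policy-route route-map (\S+)", line):
                cfg.iface_rm_refs.append((name, m.group(1)))
        elif kind == "route-map":
            if m := re.match(r"match ip address (\S+)", line):
                cfg.rm_acl_refs.append((name, m.group(1)))
            elif m := re.match(r"set (ip next-hop|interface) (\S+)", line):
                cfg.rm_set_actions[name].append((m.group(1), m.group(2)))
    return cfg


def check_pbr_references(cfg):
    """Return human-readable problems; an empty list means every reference resolves."""
    problems = []
    for iface, rm in cfg.iface_rm_refs:
        if rm not in cfg.route_maps:
            problems.append(f"interface {iface} applies undefined route-map {rm}")
    for rm, acl in cfg.rm_acl_refs:
        if acl not in cfg.acls:
            problems.append(f"route-map {rm} matches undefined access-list {acl}")
    for acl, grp in cfg.acl_group_refs:
        if grp not in cfg.object_groups:
            problems.append(f"access-list {acl} references undefined object-group {grp}")
    for rm, actions in cfg.rm_set_actions.items():
        if not actions:
            problems.append(f"route-map {rm} has no 'set ip next-hop' or 'set interface' action")
    applied = {rm for _, rm in cfg.iface_rm_refs}
    for rm in sorted(cfg.route_maps - applied):
        problems.append(f"route-map {rm} is defined but not applied with policy-route on any interface")
    return problems


def lint(text):
    return check_pbr_references(parse_pbr_config(text))


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG):
        print(problem)
```

Run it against a `show running-config` capture before pushing the same names through Smart CLI or FlexConfig; the checker only understands the PBR-related stanzas and ignores everything else.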

8 Replies

Hi,

I don't think you have other options. Either FMC GUI or FlexConfig.

*** please remember to rate useful posts

Hello,

The FlexConfig object doesn't give the possibility to use the route-map command; it says:

Blacklisted cli error.

Is there any other way to resolve this with FTD 6.6.1?

How did you solve the problem?

You can define route-map with "API Explorer" from FDM.

sparkf1
Level 1

"set ip next-hop" can be configured by using Smart CLI, as in the screenshot below.

[screenshot: next-hop.jpg]

I found that anything you can do in FMC you can actually do in FDM as well. FDM doesn't provide a GUI for all configurations, but basically you can do it by using "API Explorer".

For example, FDM doesn't provide a way of defining the "set interface" command in a route-map object, but you can do it by editing the "route-map" object with the following code from "API Explorer". How do you know the "id", "type", "version" and "name" of an interface? Check the Interface object from "API Explorer" and you will get the answer.

{
  "version": "dqxzjs2lg2tlc",
  "name": "routemap01",
  "description": null,
  "entries": [
    {
      "sequence": 10,
      "action": "PERMIT",
      "interfaces": [
        {
          "id": "8d6c41df-3e5f-465b-8e5a-d336b282f93f",
          "type": "physicalinterface",
          "version": "mz2ho36wazdnw",
          "name": "outside"
        }
      ]
    }
  ]
}
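The route-map body above has to be assembled by hand from two API Explorer objects: the route-map as read back (keeping its version) and the interface object, of which only id, type, version and name belong in the entry. The following is an added example, not the poster's or Cisco's code, and it does not talk to the device: it builds and sanity-checks the JSON you would submit with a PUT on the route-map object. The interface and route-map samples are constructed to mirror the fields quoted in the post; their id and version strings are made up, and the real interface object carries many more fields than shown.

```python
"""Build and sanity-check an FDM route-map body that sets an interface.

Added example (not the poster's or Cisco's code): only assembles and validates
the JSON for API Explorer; it does not contact the device.
"""
import copy
import json

# Constructed sample objects shaped like the API Explorer JSON quoted in the post.
# The id and version strings are made-up values.
INTERFACE_OBJECT = {
    "id": "8d6c41df-3e5f-465b-8e5a-d336b282f93f",
    "type": "physicalinterface",
    "version": "mz2ho36wazdnw",
    "name": "outside",
    "description": "WAN uplink",  # constructed extra field; must not be copied into the entry
}
ROUTE_MAP = {
    "version": "dqxzjs2lg2tlc",
    "name": "routemap01",
    "description": None,
    "entries": [{"sequence": 10, "action": "PERMIT", "interfaces": []}],
}

# The four fields the post says identify an interface inside a route-map entry.
REQUIRED_REF_FIELDS = ("id", "type", "version", "name")


def interface_reference(interface_obj):
    """Reduce a full interface object to the reference fields a route-map entry needs."""
    missing = [f for f in REQUIRED_REF_FIELDS if f not in interface_obj]
    if missing:
        raise ValueError(f"interface object is missing {missing}")
    return {f: interface_obj[f] for f in REQUIRED_REF_FIELDS}


def set_interface(route_map, sequence, interface_obj):
    """Return a copy of route_map whose entry `sequence` gets 'set interface' to interface_obj.

    The route-map's own version is left exactly as read back, since the API
    uses it to tell a fresh edit from a stale one.
    """
    updated = copy.deepcopy(route_map)
    ref = interface_reference(interface_obj)
    for entry in updated.get("entries", []):
        if entry.get("sequence") == sequence:
            refs = entry.setdefault("interfaces", [])
            if not any(r.get("id") == ref["id"] for r in refs):   # idempotent re-run
                refs.append(ref)
            return updated
    raise KeyError(f"route-map {route_map.get('name')!r} has no entry with sequence {sequence}")


def validate_route_map_body(route_map):
    """Return a list of problems; an empty list means the body is ready to submit."""
    problems = []
    for top in ("version", "name", "entries"):
        if top not in route_map:
            problems.append(f"missing top-level field {top!r}")
    for entry in route_map.get("entries", []):
        seq = entry.get("sequence")
        if not isinstance(seq, int):
            problems.append("entry without an integer sequence")
        if entry.get("action") not in ("PERMIT", "DENY"):   # PERMIT as in the post, or DENY
            problems.append(f"entry {seq}: action must be PERMIT or DENY")
        for ref in entry.get("interfaces", []):
            for f in REQUIRED_REF_FIELDS:
                if f not in ref:
                    problems.append(f"entry {seq}: interface reference is missing {f!r}")
    return problems


def load_body(text):
    """Parse pasted JSON; returns (object, None) or (None, error message).

    Catches slips such as a lost colon after a key, which leave the pasted
    text invalid before API Explorer ever sees it.
    """
    try:
        return json.loads(text), None
    except json.JSONDecodeError as exc:
        return None, f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"


if __name__ == "__main__":
    body = set_interface(ROUTE_MAP, 10, INTERFACE_OBJECT)
    print(json.dumps(body, indent=2))
    print("problems:", validate_route_map_body(body))
```

Read the route-map object back immediately before building the body, so the version you send is the current one, and run validate_route_map_body on the result before submitting.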

How do we attach this route-map to an interface?

Thanks

I believe it is only possible via FlexConfig using the command

policy-route route-map YOUR-ROUTEMAP-NAME

BR
Rick

Thanks for the reply.

To attach it to the inside interface, I think it will be:

interface Ethxx
 policy-route route-map YOUR-ROUTEMAP-NAME

But I am afraid to test it in a live environment.
