Triple WAN 1/2/3

Sharath Rajan
Level 1

Dear Experts,

I am kindly seeking your advice. I am running a SonicWALL firewall with three ISP WAN connections from the same ISP,

and the migration process is going on from SonicWALL to FMC 7.0/1200 FTD.

How do I configure the 3 WANs in FMC/FTD? On 2 WAN public IPs port 443 is opened for some web-tier apps.

Kindly help me to get a successful configuration in Cisco.

6 Replies

Marvin Rhoads
Hall of Fame

Are the "three ISP WAN connections from Same ISP" in different subnets?

Hello,

WAN 1 and 2 are 255.255.255.252.

WAN 3 is 255.255.255.0. These subnets are running now in
SonicWALL from the same ISP.


Marvin Rhoads
Hall of Fame

FTD (and ASA) firewalls do not have the same capabilities as SonicWall does with respect to WAN interfaces. An FTD firewall generally has only a single external default route. While you can use policy-based routing to set up services on a second or third WAN interface, it requires that you know the remote addresses to be included in advance. You cannot, for example, say "Use the /24 for everything except web servers A and B, which use the WAN 1 and WAN 2 interfaces."

However, since you have a /24 why not just use it for all traffic?

Sharath Rajan
Level 1

See, the problem is we don't have any reverse proxy for our web servers.

Each of the (2) web apps is hosted on its own static public IP with port 443 open.

The next web server app is ready to host, so we need to use another public IP.

So the LAN traffic mostly passes through WAN1, but the web access is coming through WAN1 and WAN2, and next we are expecting to use WAN3.

So I am seeking advice on the PBR configuration in FMC with the appropriate NAT/PAT for the web apps.

What can I do? Please advise.

You could try to use the ASA/FTD NAT-divert feature. It works similarly to PBR, and sometimes this messes people up, but in your case it could even work in your favor.

  1. 3 default routes with different administrative distances like 1, 20, 30 (something you may do anyway; stick an IP SLA on the first two WANs, since you will want redundancy for your Internet egress)
  2. configure your Internet WAN either in 3 different ZONES or 1 ZONE and 3 different interface groups (I'd recommend this last one), and of course a zone for your INSIDE (or the DMZ zone where your web servers are... either 2 zones, it doesn't matter)
  3. configure OUTSIDE (zone or interface group) to INSIDE (or DMZ...) NAT, one for each web server you want to publish, considering the specific interface where the public IP for each web server is

This should allow your traffic to go as you expect, but for regular egress traffic only your first interface will be serving egress Internet traffic.

NOTE:

  • #1 you need because NAT performs a route check; it fails if no route exists
  • #2 you need because NAT in FTD is selected either on ZONE pairs or interface group pairs (interface groups exist solely for this and for IP SLA purposes, I believe)
  • #3 actually should do the trick, as NAT in ASA (and FTD by evolution) code manipulates the traffic flow significantly, hence the saying that a firewall is not a router

One other option that comes to mind, but which I haven't tried yet, is to use VRF-lite contexts with leaking. If anyone has ever tried that, it would be interesting to know whether that would work here.
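To make the three steps above concrete, here is a constructed example of what the resulting device configuration looks like in ASA-style syntax (the form FTD shows in its running configuration). It is an added illustration, not configuration posted by anyone in this thread: in FMC the same result is built in the GUI (static routes and SLA monitors under the device's routing settings, the translations in the NAT policy), and the interface names, object names, the DMZ subnet and all public addresses are assumptions, using RFC 5737 documentation ranges in place of real ISP addresses. It keeps the thread's layout: /30s on WAN 1 and WAN 2, a /24 on WAN 3, and one published web server per public IP on TCP/443 only.

```cisco
! Constructed example: three WAN interfaces, SLA-tracked default routes, and
! per-server static NAT bound to the WAN interface that owns each public IP.
! Addresses are RFC 5737 documentation ranges chosen for illustration.
interface GigabitEthernet0/0
 nameif outside1
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
interface GigabitEthernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/2
 nameif outside3
 security-level 0
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet0/3
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! Step 1: three default routes with distinct administrative distances.
! The first two are withdrawn when their ISP gateway stops answering ICMP,
! so ordinary egress fails over 1 -> 20 -> 30 without manual intervention.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside1
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
sla monitor 2
 type echo protocol ipIcmpEcho 198.51.100.1 interface outside2
 frequency 10
sla monitor schedule 2 life forever start-time now
track 2 rtr 2 reachability
!
route outside1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 20 track 2
route outside3 0.0.0.0 0.0.0.0 192.0.2.1 30
!
! Step 3: one static NAT per published server, on the interface pair that
! owns its public IP. Translating only TCP/443 keeps every other port of the
! real host unreachable from the outside. The (dmz,outsideN) pair is the
! CLI equivalent of the zone / interface-group pair selected in FMC.
object network web1-inside
 host 10.10.10.11
 nat (dmz,outside1) static interface service tcp https https
!
object network web2-inside
 host 10.10.10.12
 nat (dmz,outside2) static interface service tcp https https
!
! The /24 on outside3 has spare addresses, so the next server can be given
! a dedicated public IP instead of sharing the interface address.
object network web3-public
 host 192.0.2.11
object network web3-inside
 host 10.10.10.13
 nat (dmz,outside3) static web3-public service tcp https https
!
! Inbound access control: permit only HTTPS to the real (un-NATed) hosts.
! ASA/FTD match inbound ACLs against the real address, not the mapped one.
access-list outside1_in extended permit tcp any object web1-inside eq https
access-group outside1_in in interface outside1
access-list outside2_in extended permit tcp any object web2-inside eq https
access-group outside2_in in interface outside2
access-list outside3_in extended permit tcp any object web3-inside eq https
access-group outside3_in in interface outside3
```

After deployment, `show track` and `show route` confirm which default routes are currently installed, `show nat detail` shows the per-interface translations and their hit counts, and a `packet-tracer input outside2 tcp 198.51.100.50 12345 198.51.100.2 443` run from the device CLI walks a constructed inbound request through the NAT and ACL phases and shows that the reply leaves via outside2 rather than the primary default route, which is the behaviour the post above relies on. Note that with this design only inbound-initiated sessions use WAN 2 and WAN 3; all traffic initiated from the LAN still follows whichever default route is active.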

Sharath Rajan
Level 1

Hello, do you think FMC will accept all these steps, because my Firepower is registered under FMC?

Can I configure the 3 WANs under PBR/SLA rather than NAT divert?
