FDM Dual ISP Failover

axiollc
Level 1

FTD FP1140 with FDM 6.7. Configured an SLA monitor set to change the default route to the outside2 interface should the outside interface be unavailable. However, I was looking for configuration confirmation for the SLA "failover", and was wondering if NATting inbound rules through both outside interfaces to the same inside devices is valid. I'm not sure if I can NAT from both outside interfaces to the same inside device for inbound email on port 25, but that's essentially what I need to do: should the primary outside interface go down, I need to allow the same inbound ports to the same inside devices, for smtp, https, etc., through the outside2 interface. Below is what I have started with for this config, but I'm afraid it's incomplete. I have the SLA set so the default route changes should the primary outside interface go down, and the inbound/NAT/ACL config for inbound smtp and https, but I likely need to know how to configure the same for when the outside interface goes down and have the same inbound rules work from the outside2 interface. PS: the outside interfaces are shut down because this device is not in production yet.

Any help is greatly appreciated.

: Hardware: FPR-1140, 5279 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (16 cores)
:
NGFW Version 6.7.0
!
hostname firepower
enable password ***** encrypted
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto
ip local pool ClientVpn 192.168.168.0-192.168.168.255 mask 255.255.255.0
!
interface Ethernet1/1
shutdown
nameif outside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address x.x.x.130 255.255.255.240
!
interface Ethernet1/2
nameif inside
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet1/3
nameif hotair
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/8
shutdown
nameif outside2
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address y.y.y.195 255.255.255.248
!
interface Ethernet1/9
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/10
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/11
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet1/12
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif diagnostic
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
no ip address
!
ftp mode passive
ngips conn-match vlan-id
dns domain-lookup any
dns server-group Domain-Internal-DNS
name-server 192.168.0.240
name-server 192.168.0.6
domain-name Domain.internal
dns server-group CiscoUmbrellaDNSServerGroup
name-server 208.67.222.222
name-server 208.67.220.220
dns server-group CustomDNSServerGroup
name-server c.c.c.1
name-server c.c.c.2
object network ClientVpn
subnet 192.168.168.0 255.255.255.0
object network any-ipv4
subnet 0.0.0.0 0.0.0.0
object network any-ipv6
subnet ::/0
object network OutsideIPv4DefaultRoute
subnet 0.0.0.0 0.0.0.0
object network OutsideIPv4Gateway
host x.x.x.129
object network EmailFilter
host 192.168.0.252
object network Email2
host 192.168.0.7
object network |x.x.x.133
host x.x.x.133
object network Email1
host 192.168.0.241
object network DomainDNS
host 192.168.0.240
object network |x.x.x.132
host x.x.x.132
object network |x.x.x.131
host x.x.x.131
object network WebPlatform
host 192.168.2.25
object network DomainDNS2
host 192.168.0.6
object network SLAMonitorGoogleDNS
host 8.8.8.8
object network Outside2IPv4Gateway
host y.y.y.193
object network Outside2IPv4DefaultRoute
subnet 0.0.0.0 0.0.0.0
object network websantity
host a.a.a.251
object network alis_managment_1
host b.b.b.144
object network |y.y.y.197
host y.y.y.197
object network LAN
subnet 192.168.0.0 255.255.255.0
object network Hotair
subnet 192.168.2.0 255.255.255.0
object service _|NatOrigSvc_738f0cf3-324c-11eb-bc48-47090f5e2616
service tcp destination eq https
object service _|NatMappedSvc_738f0cf3-324c-11eb-bc48-47090f5e2616
service tcp destination eq https
object service _|NatOrigSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38
service tcp destination eq https
object service _|NatMappedSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38
service tcp destination eq https
object service _|NatOrigSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74
service tcp destination eq https
object service _|NatMappedSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74
service tcp destination eq https
object network PostOak
host 192.168.0.243
object network WillowOak
host 192.168.2.25
object network |y.y.y.195
host y.y.y.195
object service _|NatOrigSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9
service tcp destination eq smtp
object service _|NatMappedSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9
service tcp destination eq smtp
object-group service |acSvcg-268435457
service-object ip
object-group service |acSvcg-268435459
service-object tcp destination eq https
object-group service |acSvcg-268435460
service-object tcp destination eq https
object-group service |acSvcg-268435461
service-object tcp destination eq www
object-group service |acSvcg-268435462
service-object tcp destination eq https
object-group service |acSvcg-268435463
service-object udp destination eq domain
object-group network |acSrcNwg-268435463
network-object object DomainDNS2
network-object object DomainDNS
object-group service |acSvcg-268435458
service-object tcp destination eq smtp
object-group service |acSvcg-268435464
service-object tcp destination eq smtp
object-group service |acSvcg-268435465
service-object tcp destination eq www
service-object tcp destination eq https
object-group network NGFW-Remote-Access-VPN|natIpv4Grp
network-object object Hotair
network-object object LAN
object-group network NGFW-Remote-Access-VPN|natIpv4PoolGrp
network-object object ClientVpn
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Inside_Outside_Rule
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL advanced trust object-group |acSvcg-268435457 ifc inside any ifc outside2 any rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435459: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435459: L5 RULE: Https_Sanderling
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435459 object any-ipv4 ifc inside object Sanderling rule-id 268435459
access-list NGFW_ONBOX_ACL remark rule-id 268435460: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435460: L5 RULE: Https_Email2
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435460 object any-ipv4 ifc inside object Email2 rule-id 268435460
access-list NGFW_ONBOX_ACL remark rule-id 268435461: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435461: L5 RULE: Http
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc inside object any-ipv4 ifc outside object any-ipv4 rule-id 268435461
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435461 ifc inside object any-ipv4 ifc outside2 object any-ipv4 rule-id 268435461
access-list NGFW_ONBOX_ACL remark rule-id 268435462: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435462: L5 RULE: Https
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc inside object any-ipv4 ifc outside object any-ipv4 rule-id 268435462
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435462 ifc inside object any-ipv4 ifc outside2 object any-ipv4 rule-id 268435462
access-list NGFW_ONBOX_ACL remark rule-id 268435463: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435463: L5 RULE: Dns
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc inside object-group |acSrcNwg-268435463 ifc outside object any-ipv4 rule-id 268435463
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435463 ifc inside object-group |acSrcNwg-268435463 ifc outside2 object any-ipv4 rule-id 268435463
access-list NGFW_ONBOX_ACL remark rule-id 268435458: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435458: L5 RULE: Smtp_EmailFilter
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435458 any ifc inside object EmailFilter rule-id 268435458
access-list NGFW_ONBOX_ACL remark rule-id 268435464: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435464: L5 RULE: Smtp_EmailFilter_Out
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc inside any ifc outside any rule-id 268435464
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435464 ifc inside any ifc outside2 any rule-id 268435464
access-list NGFW_ONBOX_ACL remark rule-id 268435465: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435465: L5 RULE: Https_Http_out
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435465 ifc inside any ifc outside any rule-id 268435465
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435465 ifc inside any ifc outside2 any rule-id 268435465
access-list NGFW_ONBOX_ACL remark rule-id 1: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL advanced deny ip any any rule-id 1 event-log both
pager lines 24
logging enable
logging timestamp
logging permit-hostdown
mtu diagnostic 1500
mtu inside 1500
mtu hotair 1500
mtu outside2 1500
mtu outside 1500
no failover
no monitor-interface hotair
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup
nat (inside,outside) source dynamic any-ipv4 interface
nat (outside,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_738f0cf3-324c-11eb-bc48-47090f5e2616 _|NatMappedSvc_738f0cf3-324c-11eb-bc48-47090f5e2616
nat (outside,outside) source static any any destination static |x.x.x.131 Email1 service _|NatOrigSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38 _|NatMappedSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38
nat (outside2,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74 _|NatMappedSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74
nat (outside2,inside) source static any any destination static any-ipv4 EmailFilter service _|NatOrigSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9 _|NatMappedSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9
!
object network any-ipv4
nat (outside,inside) static EmailFilter service tcp smtp smtp
access-group NGFW_ONBOX_ACL global
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1 track 1
route outside2 0.0.0.0 0.0.0.0 y.y.y.193 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server RSAGroup protocol radius
aaa-server RSAGroup host 192.168.0.254
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http ::/0 inside
ip-client outside ipv6
ip-client outside
ip-client outside2 ipv6
ip-client outside2
ip-client hotair ipv6
ip-client hotair
ip-client inside ipv6
ip-client inside
ip-client diagnostic ipv6
ip-client diagnostic
snmp-server group AUTH v3 auth
snmp-server group PRIV v3 priv
snmp-server group NOAUTH v3 noauth
snmp-server location null
snmp-server contact null
snmp-server community *****
sysopt connection tcpmss 0
no sysopt connection permit-vpn
sla monitor 360158793
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
sla monitor schedule 360158793 life forever start-time now
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint penguin
enrollment terminal
crl configure
crypto ca trustpoint Penguin.Domain.tld
enrollment terminal
crl configure
crypto ca trustpoint DefaultInternalCertificate
enrollment terminal
keypair DefaultInternalCertificate
crl configure
crypto ca trustpool policy
crypto ca certificate chain DefaultInternalCertificate
certificate 09
308203eb 308202d3 a0030201 02020109 300d0609 2a864886 f70d0101 0b050030
quit
!
track 1 rtr 360158793 reachability
telnet timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.80-192.168.0.98 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point DefaultInternalCertificate outside
webvpn
port 6666
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnpkgs/anyconnect-win-4.7.04056-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnpkgs/anyconnect-macos-4.7.04056-webdeploy-k9.pkg 3
anyconnect profiles defaultClientProfile disk0:/anyconncprofs/defaultClientProfile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client
webvpn
anyconnect ssl dtls none
anyconnect profiles value defaultClientProfile type user
group-policy VPN_Group_Policy1 internal
group-policy VPN_Group_Policy1 attributes
banner value You are connected.
dns-server value 192.168.0.240 192.168.0.6
dhcp-network-scope none
vpn-simultaneous-logins 1
vpn-idle-timeout 90
vpn-idle-timeout alert-interval 1
vpn-session-timeout 540
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-dns none
split-tunnel-all-dns disable
client-bypass-protocol disable
msie-proxy method no-modify
vlan none
address-pools none
ipv6-address-pools none
webvpn
anyconnect ssl dtls none
anyconnect mtu 1406
anyconnect ssl keepalive none
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client none
anyconnect dpd-interval gateway none
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles value defaultClientProfile type user
anyconnect ssl df-bit-ignore disable
always-on-vpn profile-setting
dynamic-access-policy-record DfltAccessPolicy
tunnel-group VPN_Profile_1 type remote-access
tunnel-group VPN_Profile_1 general-attributes
address-pool ClientVpn
authentication-server-group RSAGroup
authorization-server-group RSAGroup
accounting-server-group RSAGroup
default-group-policy VPN_Group_Policy1
tunnel-group VPN_Profile_1 webvpn-attributes
group-alias VPN_Profile_1 enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect snmp
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
app-agent heartbeat interval 1000 retry-count 3
snort preserve-connection
Cryptochecksum:1f63ee57e435112b74dc5d82e9c221e1
: end

8 Replies

Hello,

You can use EEM scripts to add/remove NAT entries based on the availability of the primary interface. The scripts are tied to the state of the tracking.

I think you have not finished all the NAT entries in the configuration you posted, but basically the first script removes all entries that belong to the primary (outside) and adds the entries for the backup interface (outside2), and the second script does exactly the reverse.

event manager applet NAT_FAILOVER_1
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup"
action 4.0 cli command "no nat (inside,outside) source dynamic any-ipv4 interface"
action 5.0 cli command "no nat (outside,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_738f0cf3-324c-11eb-bc48-47090f5e2616 _|NatMappedSvc_738f0cf3-324c-11eb-bc48-47090f5e2616"
action 6.0 cli command "no nat (outside,outside) source static any any destination static |x.x.x.131 Email1 service _|NatOrigSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38 _|NatMappedSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38"
action 7.0 cli command "nat (outside2,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74 _|NatMappedSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74"
action 8.0 cli command "no nat (outside2,inside) source static any any destination static any-ipv4 EmailFilter service _|NatOrigSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9 _|NatMappedSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9"
action 9.0 cli command "object network any-ipv4"
action 9.1 cli command "no nat (outside,inside) static EmailFilter service tcp smtp smtp"
action 10.0 cli command "end"
action 11.0 cli command "clear xlate"

!

event manager applet NAT_FAILOVER_2
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup"
action 4.0 cli command "nat (inside,outside) source dynamic any-ipv4 interface"
action 5.0 cli command "nat (outside,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_738f0cf3-324c-11eb-bc48-47090f5e2616 _|NatMappedSvc_738f0cf3-324c-11eb-bc48-47090f5e2616"
action 6.0 cli command "nat (outside,outside) source static any any destination static |x.x.x.131 Email1 service _|NatOrigSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38 _|NatMappedSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38"
action 7.0 cli command "no nat (outside2,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74 _|NatMappedSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74"
action 8.0 cli command "nat (outside2,inside) source static any any destination static any-ipv4 EmailFilter service _|NatOrigSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9 _|NatMappedSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9"
action 9.0 cli command "object network any-ipv4"
action 9.1 cli command "nat (outside,inside) static EmailFilter service tcp smtp smtp"
action 10.0 cli command "end"
action 11.0 cli command "clear xlate"

George, thank you for the EEM script option; I didn't realize that feature existed for this FDM FP 1140. Do you know if an EEM script can also update the webvpn config to allow connections inbound on the outside2 interface instead of the outside interface when the device fails over? I just found out that the VPN configuration on this device doesn't allow enabling more than one interface for the webvpn config.

Hello,

EEM pretty much lets you change anything in the configuration. For the webvpn failover, just add actions 9.2 through 9.5 (marked in bold).

event manager applet NAT_FAILOVER_1
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "no nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup"
action 4.0 cli command "no nat (inside,outside) source dynamic any-ipv4 interface"
action 5.0 cli command "no nat (outside,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_738f0cf3-324c-11eb-bc48-47090f5e2616 _|NatMappedSvc_738f0cf3-324c-11eb-bc48-47090f5e2616"
action 6.0 cli command "no nat (outside,outside) source static any any destination static |x.x.x.131 Email1 service _|NatOrigSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38 _|NatMappedSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38"
action 7.0 cli command "nat (outside2,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74 _|NatMappedSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74"
action 8.0 cli command "no nat (outside2,inside) source static any any destination static any-ipv4 EmailFilter service _|NatOrigSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9 _|NatMappedSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9"
action 9.0 cli command "object network any-ipv4"
action 9.1 cli command "no nat (outside,inside) static EmailFilter service tcp smtp smtp"
action 9.2 cli command "exit"
action 9.3 cli command "webvpn"
action 9.4 cli command "no enable outside"
action 9.5 cli command " enable outside2"
action 10.0 cli command "end"
action 11.0 cli command "clear xlate"

!

event manager applet NAT_FAILOVER_2
event track 1 state up
action 1.0 cli command "enable"
action 2.0 cli command "conf t"
action 3.0 cli command "nat (inside,outside) source static NGFW-Remote-Access-VPN|natIpv4Grp NGFW-Remote-Access-VPN|natIpv4Grp destination static NGFW-Remote-Access-VPN|natIpv4PoolGrp NGFW-Remote-Access-VPN|natIpv4PoolGrp no-proxy-arp route-lookup"
action 4.0 cli command "nat (inside,outside) source dynamic any-ipv4 interface"
action 5.0 cli command "nat (outside,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_738f0cf3-324c-11eb-bc48-47090f5e2616 _|NatMappedSvc_738f0cf3-324c-11eb-bc48-47090f5e2616"
action 6.0 cli command "nat (outside,outside) source static any any destination static |x.x.x.131 Email1 service _|NatOrigSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38 _|NatMappedSvc_ac78e7c6-324c-11eb-bc48-ff012ced5f38"
action 7.0 cli command "no nat (outside2,inside) source static any any destination static Email1 Email1 service _|NatOrigSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74 _|NatMappedSvc_eb2dc309-324c-11eb-bc48-4d0c54713e74"
action 8.0 cli command "nat (outside2,inside) source static any any destination static any-ipv4 EmailFilter service _|NatOrigSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9 _|NatMappedSvc_f52c4e9c-3261-11eb-bc48-f14f8a18e0c9"
action 9.0 cli command "object network any-ipv4"
action 9.1 cli command "nat (outside,inside) static EmailFilter service tcp smtp smtp"
action 9.2 cli command "exit"
action 9.3 cli command "webvpn"
action 9.4 cli command "no enable outside2"
action 9.5 cli command " enable outside"
action 10.0 cli command "end"
action 11.0 cli command "clear xlate"

Thank you, George.  Can you confirm that EEM scripts are valid to run on an FP1140 with FDM 6.7?

Hello,

You can use FlexConfig to get an EEM script onto FTD. Have a look at the link below:

https://community.cisco.com/t5/network-security/firepower-threat-defense-and-eem/td-p/3676418

Thanks again, George. However, we do not have, nor do we want to use, FMC to manage this single device, but the link appears to show FMC management use for the FlexConfig. The FP 1140 with FDM has a FlexConfig feature, but I'm not sure it will support configuring EEM scripts. Does EEM script configuration, setup and deployment to the FP 1140 require FMC management? If so, I would think EEM is not an option. Please let me know.

Hello,

I think FlexConfig does support EEM. Most of the commands that were available on the ASA are available in FlexConfig. I have looked around for a list of blacklisted commands (see link below); EEM is not one of them, so it should work.

https://www.lookingpoint.com/blog/ftd-flexconfig