NAT setup with two ISP and front door VRF

tato386
Level 6

I am experimenting with a setup of dual ISP using front door VRF. The gear is FMC/FTD 1120 running v7.6.2. As per some AI research I reconfigured my NAT setup with manual NAT rules and selected specific source and destination interfaces. However, when I attempt a deploy I get this warning:

The source and destination interfaces for the NAT rule belong to different virtual routers. This rule will leak traffic from one virtual router to another.
However, to ensure correct routing, we recommend that you configure a static route leak between these virtual routers for the translated traffic: from [Global] to [vrf_ISP2].Without the route leak, in some cases the rule will not match all of the traffic you expect it to match, and the translation will not be applied.

I am not sure what to make of this. I am thinking to add a static route in the global VRF to point to the ISP public subnet on the ISP2 interface? Also not clear why I need this, since docs also say FMC/FTD is VRF NAT aware?

Thoughts?

Thanks 


Hello
Do you have two VRFs to segregate traffic internally towards different ISPs, correct?

So why are you trying to source traffic from one VRF to another? Can you elaborate on what you're trying to achieve?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello @paul driver,

Yes, good point, I should elaborate a bit. Please see attached screenshot of a slide from a Cisco Live session describing the FTD VPN topology I am trying to build. I actually have it set up now without using VRFs. I have default routes pointing to each ISP with ISP1 being preferred due to a better (lower) metric. I source the tunnels from the different ISP interfaces and both tunnels are up and appear to be working (BGP up and traffic going across, etc.) but the routing bugs me.

The ISP2 default route is not installed (higher metric) and although Tunnel2 is configured to source from the ISP2 interface it has no knowledge of the ISP2 gateway IP. So is Tunnel2 traffic really using ISP2? My guess is that it is not, and that is why Mr Fanelli from the presentation uses VRFs.

Setting up the two "front door" VRFs is straightforward but the NAT seems a bit tricky. I set up two manual PAT rules for internal traffic going out each ISP but I get the warning shown in the OP.

FWIW, I am currently using SLAs to install the default route in the global VRF and get internal traffic out, but if using path monitoring and PBR is helpful I am certainly willing to switch.

Thanks