This post describes how to configure a Cisco Firepower Threat Defense (FTD) firewall, using local (on-box) management via Firepower Device Manager (FDM), for redundant/dual ISP connections with the SLA Monitor feature. The SLA Monitor will be configured to monitor reachability of the Primary ISP connection. In the event of a failure, the default route via the Primary ISP connection will be removed and traffic will fail over to a backup route.
Configuration
This guide assumes the FTD has basic configuration applied, with working outbound internet connectivity via one ISP connection.
- Login to the FDM web GUI
- Click Interfaces
- Configure the interface for the Primary ISP connection, in this example the interface name is outside_1

- Configure the interface for the Secondary (Backup) ISP connection, in this example the interface name is outside_2

- Navigate to Objects > Object Types > SLA Monitors
- From the Monitor Address drop-down list select the object OutsideIPv4Gateway (this object is pre-configured by the system).
- From the Target Interface drop-down list select the correct interface to monitor, in this example outside_1 (GigabitEthernet).

- Click OK
- Navigate to DEVICE, click Routing
- Under the Static Routing tab, modify the default static route (if the initial configuration used the FDM setup wizard, the route name will be StaticRoute_IPv4).
- From the SLA Monitor drop-down list, select the SLA object previously created, in this scenario, outside_1_isp

- Click OK
- Click the + (add) button to create an additional static route
- Name the Static Route appropriately, in this example DefaultViaBackupISP
- From the Interface drop-down list, select the correct interface
- For Networks, select any-ipv4
- Click Gateway and then Create new Network Object; this creates an object for the next-hop gateway of the ISP2 router.

- Click OK, and ensure this new object is selected as the Gateway
- Set a metric greater than 1 (the metric of the Primary ISP default route), e.g., 200

- Click OK to complete
You should now have two default routes, one via each outside interface, in addition to a route for the inside networks.

- Navigate to Objects > Object Types > Security Zones
- Ensure that the outside_2 interface is a member of the outside_zone

- Navigate to Policies > NAT
- Create a new NAT rule for outbound traffic via ISP2
- Create an Auto NAT rule
- Type Dynamic
- Source Interface is inside
- Destination Interface is outside_2
- Original Address is any-ipv4 or a more specific object
- Translated Address is Interface

- Click OK when complete
- Navigate to Policies > Access Control
- Add or amend the outbound rule to permit traffic. In this scenario we have one Access Control rule, permitting all outbound traffic.

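For reference, this is roughly what the FDM steps above produce in the FTD running configuration (the ASA-style syntax shown by show running-config). It is an added illustration, not output from the author's device: the gateway addresses (203.0.113.1 for ISP1, 198.51.100.1 for ISP2), the NAT object name and the numeric SLA/track IDs are assumptions, since FDM assigns IDs and object names itself.

```cisco
! SLA monitor: ICMP echo to the ISP1 next hop via outside_1 every 60 seconds.
! 203.0.113.1 is a constructed address; FDM picks the numeric ID (1 is assumed).
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside_1
 frequency 60
sla monitor schedule 1 life forever start-time now
!
! Track object tied to the SLA entry; the route below is withdrawn when it fails.
track 1 rtr 1 reachability
!
! Primary default route (metric 1) conditioned on track 1.
route outside_1 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Backup default route via ISP2 (198.51.100.1 is constructed), higher metric 200,
! so it is only used once the primary route is removed from the routing table.
route outside_2 0.0.0.0 0.0.0.0 198.51.100.1 200
!
! Auto NAT rule for outbound traffic leaving via outside_2, translated to the
! interface address. Object name is assumed; a specific inside subnet is
! preferable to 0.0.0.0/0 where the inside address space is known.
object network InsideNets_to_ISP2
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside_2) dynamic interface
```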
Testing and Verification
Log in to the CLI of the FTD and run the command show route to confirm the current default route. From the screenshot below, we can confirm the default route is via the interface outside_1.

Check the running configuration for the actual routing configuration using the command show running-config route. From the screenshot below, we can determine that the route via the Primary ISP interface outside_1 has a lower metric than the route via the Secondary ISP interface outside_2.

Run the command show sla monitor configuration to confirm the configuration of the SLA monitor. From the screenshot below we can confirm that an ICMP echo request is configured with a target of the next-hop router (the ISP router).

Run the command show sla monitor operational-state to confirm the current state of the SLA Monitor. From the screenshot below, "Timeout occurred: FALSE" indicates that the ISP router is replying to the ICMP echo, so the default route via ISP1 should still be active.

To test, ping through the FTD to a device on the internet and confirm connectivity.
Disconnect the interface leading to the ISP1 router.
Run the command show sla monitor operational-state to confirm the current state of the SLA Monitor; the Timeout occurred value should now be TRUE. You will have to wait up to the interval set in the SLA monitor configuration; the default is 60 seconds.

Run the command show route again; the default route should now be via the outside_2 interface.

Test outbound connectivity using ping, or access the internet via a web browser.
Run the command show nat detail and find the two NAT rules for outbound internet access. From the screenshot below, we can confirm that both NAT rules (one for each outside interface) have translated hits, confirming that the SLA monitor works as expected and traffic was re-routed out via the backup ISP.

Reconnect the primary ISP interface. Once the SLA monitor (ICMP echo) receives replies again, the default route via the primary ISP should be re-added to the routing table.
