Wednesday, May 2, 2018

BGP failover NAT statements on Cisco FTD (ASA5525-X)

We have BGP peering in place on our Firepower device with two ISPs, both advertising the same /24 network. BGP is configured on the firewall, and we do not have an upstream router. Since the firewall is a stateful device, we cannot have traffic coming in one ISP and going out the other. We have used a combination of AS path prepending and BGP communities to force all traffic to/from one ISP or the other.

When we perform a test failover, everything works properly with the BGP path selection, but no traffic flows to our servers until we update the NAT statements to go to ISP1 vs. ISP2. The FMC will only allow us to NAT to an individual interface (ISP1 or ISP2); we cannot NAT to an interface group. I am wondering if there is a workaround for this so everything fails over automatically if one ISP goes down. Ideally I would like to avoid having to add a router to our topology.
