My customer has 2 routers in front of the ASA, and each router connects to a separate ISP. Each router has its own interface on the firewall, and each interface belongs to a different public IP. Both routers are running eBGP with their respective ISPs. He's going to introduce an iBGP link between those routers.
He has IP SLA configured for outbound traffic traversing the firewall (with nat and global). The issue is: does he need to mirror all firewall rules for each ISP on the firewall after he puts up BGP?
The 2 ISPs have 2 interfaces on the FW: one is outside (ISP1), the other is backup (ISP2).
Consider he has a static (inside,outside) for ISP1: does he need a similar static for the other ISP as well, i.e. static (inside,backup) too? Also, does he need a replica of the access-list with the ISP2 public IP addresses as destination in them, applied to the backup interface?
Yes, you would also need to configure "static (inside,backup)" for the ISP2 connection, and you would also need to apply an access-list on the backup interface for inbound connections.
Do you own the public IP range, or has it been assigned by each ISP, so that you have 2 different sets of public IP ranges that you assign to each ISP connection for NAT?
If you NAT using your own public IP range, then I guess the ACL will always refer to the same public IP address, so you don't need to reconfigure the ACL. You can just assign the same ACL to the backup interface.
If, however, you are NATing to a different range of public IPs for each ISP, then you would need to manually configure the corresponding public IP ACL for ISP2 and apply it on the backup interface.
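A parity check for the mirroring described in the answer above, as an added example that is not part of the original thread: it parses pre-8.3 `static`, `access-list` and `access-group` lines and reports inside hosts published on `outside` that lack a `static (inside,backup)` or a matching permit on the backup interface. The sample config, its addresses, and the ACL names `outside_in` and `backup_in` are constructed assumptions.

```python
import re

# Constructed sample in the pre-8.3 "static" syntax the thread uses. Addresses are
# documentation ranges; the ACL names outside_in/backup_in are assumptions.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
static (inside,outside) 203.0.113.11 192.168.1.11 netmask 255.255.255.255
static (inside,backup) 198.51.100.10 192.168.1.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 203.0.113.10 eq 443
access-list outside_in extended permit tcp any host 203.0.113.11 eq 25
access-list backup_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_in in interface outside
access-group backup_in in interface backup
"""

STATIC_RE = re.compile(r"^static \(([^,\s]+),([^)\s]+)\) (\S+) (\S+)", re.M)
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)", re.M)
# Only "host <ip>" destinations are handled; ports and object-groups are not compared.
ACE_RE = re.compile(r"^access-list (\S+) extended permit .* host (\S+)", re.M)


def audit(config, primary="outside", backup="backup", real="inside"):
    """List the places where the backup interface fails to mirror the primary."""
    statics = {}  # mapped interface -> {real_ip: mapped_ip}
    for real_if, mapped_if, mapped_ip, real_ip in STATIC_RE.findall(config):
        if real_if == real:
            statics.setdefault(mapped_if, {})[real_ip] = mapped_ip
    groups = {iface: acl for acl, iface in GROUP_RE.findall(config)}
    permitted = {}  # ACL name -> destination hosts it permits
    for acl, dst in ACE_RE.findall(config):
        permitted.setdefault(acl, set()).add(dst)

    findings = []
    if backup not in groups:
        findings.append(f"no inbound access-group on {backup}")
    primary_dsts = permitted.get(groups.get(primary), set())
    backup_dsts = permitted.get(groups.get(backup), set())
    for real_ip, pri_ip in statics.get(primary, {}).items():
        bak_ip = statics.get(backup, {}).get(real_ip)
        if bak_ip is None:
            findings.append(f"{real_ip}: missing static ({real},{backup})")
        elif pri_ip in primary_dsts and bak_ip not in backup_dsts:
            findings.append(f"{real_ip}: no permit for {bak_ip} on {backup}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

When both ISPs carry the same owned range and one ACL is bound to both interfaces, the check returns no findings.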