Protect two ISP connections with a single Cisco Next-Generation Firewall

Small business network security question:
I have a Cisco ISR 4331 connected to two ISPs: Cable-based ISP (Spectrum Business) is primary ISP (AD = 1); Cellular (AT&T Business) connection for failover (AD = 2). I have configured the ISR with a Zone-based firewall (Inside, DMZ and Outside zones).
Now want to add a Cisco NGFW to provide intrusion protection, Cisco Talos updates, etc.
The 4G LTE cellular module is installed in the ISR and the cable-based ISP is connected to G0/0/0.
Question: Any suggestions for how to route the inbound and outbound traffic from the cellular connection through a NGFW? In other words, I can physically place the NGFW between the router and the cable-based ISP connection. But I am unsure how to leverage a NGFW to protect the cellular traffic (since the cellular module is installed in the ISR 4331). Is there some way to hairpin the cellular traffic through the NGFW before it reaches or leaves the network (as well as protect data/control/management planes)?

Perhaps I need to use a different solution than an external NGFW?

Any suggestions appreciated!

In your original topology, the ISR is performing the routing and load balancing and the failover mechanisms for the two links. You can migrate this functionality to the NGFW and have the ISR function simply as the terminating equipment for the cellular link. You can then have the NGFW do both inspection as well as load balancing.
Now this is not ideal, but it does use all the components that you mentioned. The reasons it is not ideal include:

  1. Although FWs do have the capability of routing and load balancing, their primary purpose should be security. As a best practice rule, the network design should be such that FWs do only that.
  2. The ISR is a powerful device, and it is being underused in this new role.

Now for a small business, this solution would be fine assuming the traffic volume is limited and the FW is not overwhelmed, even if it is not ideal.

The other option would be to keep the original topology, place the NGFW between the cable connection and the ISR, and then route the cellular traffic in a hairpin through the NGFW as you suggest. This can be done simply by configuring your routing appropriately, or you could use L2TP to keep the cellular traffic at Layer 2 until it reaches the FW where it can then be routed.

Ideally, when you have two or more connections for your business network, you would use SD-WAN. This allows you to consolidate all of your WAN links, and apply both load balancing/redundancy features as well as security and inspection policies for your traffic all from a single location. More about SD-WAN can be found here:

Nevertheless, the ideal solution is not always viable, especially for a small business. However, I hope this gives you some insight and inspiration to determine the best solution for your case. If you have any other questions, feel free to continue the conversation!

I hope this has been helpful!
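One concrete way to build the hairpin described in the answer above, as an added example that is not from this thread or from Cisco: the LTE interface is isolated in a VRF whose only path into the LAN is a dedicated link to a third NGFW interface, so the NGFW inspects and NATs both WAN paths and performs the cable/cellular failover itself. It assumes an ISR 4331 on IOS-XE with the LTE NIM at Cellular0/1/0 (its existing dialer lines kept), a NGFW with inside, cable-outside and cell-outside interfaces, constructed 10.255.x.x addressing, and that the VRF-aware NAT syntax matches your IOS-XE release.

```cisco
! Added example (assumptions: ISR 4331 on IOS-XE, LTE NIM at Cellular0/1/0 with
! its existing dialer lines kept, NGFW inside 10.255.0.2 and cell-outside
! 10.255.1.2 on the ISR's G0/0/0 and G0/0/1; all addresses constructed).
!
! 1. Put the LTE link in its own VRF. The only route out of VRF CELL toward
!    the LAN is the hand-off link to the NGFW, so cellular traffic cannot
!    enter or leave the inside network without passing the NGFW.
vrf definition CELL
 address-family ipv4
 exit-address-family
zone security CELL-WAN
zone security CELL-HANDOFF
interface Cellular0/1/0
 vrf forwarding CELL
 ip address negotiated
 ip nat outside
 zone-member security CELL-WAN
!
! 2. Hand-off link to the NGFW cell-outside interface, also in VRF CELL.
!    The ISR PATs the NGFW's cell-side address onto the single LTE address.
interface GigabitEthernet0/0/1
 vrf forwarding CELL
 ip address 10.255.1.1 255.255.255.252
 ip nat inside
 zone-member security CELL-HANDOFF
ip access-list standard CELL-NAT
 permit host 10.255.1.2
ip nat inside source list CELL-NAT interface Cellular0/1/0 vrf CELL match-in-vrf overload
ip route vrf CELL 0.0.0.0 0.0.0.0 Cellular0/1/0
!
! 3. Global VRF: the LAN's only next hop is the NGFW inside interface. The
!    NGFW, not the ISR's AD 1 / AD 2 routes, now chooses between its
!    cable-outside and cell-outside paths, so neither path can bypass it.
interface GigabitEthernet0/0/0
 ip address 10.255.0.1 255.255.255.252
 zone-member security Outside
ip route 0.0.0.0 0.0.0.0 10.255.0.2
!
! 4. Stateful inspection on the hairpin: only sessions the NGFW originates,
!    and their replies, cross the LTE link. Inbound services need static NAT
!    plus a CELL-WAN -> CELL-HANDOFF pair, omitted here.
class-map type inspect match-any CELL-ALL
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect CELL-POLICY
 class type inspect CELL-ALL
  inspect
zone-pair security CELL-OUT source CELL-HANDOFF destination CELL-WAN
 service-policy type inspect CELL-POLICY
```

The existing Inside to Outside zone pair on the ISR keeps working unchanged because G0/0/0 stays in zone Outside; `show ip route vrf CELL` and `show ip nat translations vrf CELL` should show that every cellular session is sourced from the NGFW hand-off address only.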


Exactly the advice I was looking for!! I’m glad you suggested looking into SD-WAN. I would LOVE to implement SD-WAN; but I had not considered it because - at least Cisco’s literature implied - SD-WAN is only designed for enterprise scale situations. Now, with your encouragement, I will go for the SD-WAN option!!

Time to do some homework and decide what Cisco products to acquire…

Great to hear! And it’s good that you’re so excited about it, this passion is something that’s often needed in our line of work. Looking forward to hearing about how you get along in your endeavour.

Glad to be of help!