
Configuring a Basic Firewall With A10 Thunder CFW

Robert Keith
|
July 9, 2018

A10 Networks Blog

The A10 Thunder Convergent Firewall (CFW) has a large set of technologies and features. This article will describe the most basic configuration of the Thunder CFW deployed at the edge of a corporate network and connected directly to the Internet. The purpose of this document is to guide the reader in setting up a basic firewall configuration which will securely route internal network traffic to the Internet.

Lab Overview

[Figure: Basic Firewall Configuration with Thunder CFW]

The overview for this example consists of:

  • Internal Corporate Network – the private internal network
  • A10 Thunder CFW – the Thunder CFW product using only the data center firewall feature sets
  • ISP Point-to-Point Subnet – a typical network configuration in which the ISP provides access to the Internet via a /31 subnet, which supports only 2 nodes. This link is used only to route traffic between the A10 Thunder CFW and the ISP edge network.
  • Public IP Address Subnet – a range of public IP addresses. Hosts in this range have direct access to the Internet without requiring NAT.

The most basic configuration for this network includes the following Thunder CFW technologies:

  • A10 CFW Stateful Firewall feature set
  • A10 Carrier Grade NAT feature
  • Standard IP Routing

The following is a complete command line configuration for the A10 Thunder CFW:

class-list inside
  172.20.0.0/16 lsn-lid 1
!
interface ethernet 1
  name External
  enable
  ip address 4.10.10.110 255.255.255.252
  ip nat outside
!
interface ethernet 3
  name CorporateNet
  enable
  ip address 172.16.0.1 255.255.0.0
  ip nat inside
!
ip route 0.0.0.0 /0 4.10.10.109
!
cgnv6 lsn inside source class-list inside
!
cgnv6 nat pool public 4.50.50.2 netmask /32
!
cgnv6 lsn-lid 1
  source-nat-pool public
!
rule-set firewall
  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
!
fw active-rule-set firewall
!
end

NAT Configuration

The following commands configure Carrier Grade NAT (CGNAT) to translate inside source addresses to a public external IP address. In this case, all outbound traffic will be exposed as the single public IP address 4.50.50.2.

NOTE: the network interfaces Ethernet 1 and Ethernet 3 are configured with ip nat outside and ip nat inside respectively; this marks the external and internal sides of the translation.

class-list inside
  172.20.0.0/16 lsn-lid 1
cgnv6 lsn inside source class-list inside
cgnv6 nat pool public 4.50.50.2 netmask /32
cgnv6 lsn-lid 1
  source-nat-pool public

Firewall Configuration

The following commands create a single firewall rule set that permits outgoing traffic and hands it to CGNAT for translation (action permit cgnv6).

NOTE: this rule set does not restrict outgoing traffic in any way (any source, any destination, any service) and can be made much more secure by narrowing those match conditions.

rule-set firewall
  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
fw active-rule-set firewall
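Two things a practitioner should check in the NAT and firewall sections before activating this rule set are that the class-list selecting inside sources for LSN actually covers the subnet of every ip nat inside interface (in the configuration above the class-list is 172.20.0.0/16 while Ethernet 3 sits in 172.16.0.0/16), and that no permit rule is left fully open. The following is an added example, not A10's code or part of the original article; the audit function and its findings are my own construction and the sample config embeds only the relevant lines from the article.

```python
import ipaddress
# Constructed sample: the class-list, inside interface and rule-set lines of the config above.
ACOS_CONFIG = """\
class-list inside
  172.20.0.0/16 lsn-lid 1
!
interface ethernet 3
  ip address 172.16.0.1 255.255.0.0
  ip nat inside
!
rule-set firewall
  rule 30
    action permit cgnv6
    source ipv4-address any
    dest ipv4-address any
    service any
"""
WIDE_OPEN = {"source ipv4-address any", "dest ipv4-address any", "service any"}

def parse_blocks(config):
    """Split ACOS running-config text into (header, [indented body lines]) blocks."""
    blocks = []
    for line in config.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip() not in ("", "!"):
            blocks.append((line.strip(), []))
    return blocks

def audit(config):
    """Return the findings a reviewer would raise before activating this config."""
    findings, blocks = [], parse_blocks(config)
    # Only sources matching a 'prefix lsn-lid N' class-list entry are selected for LSN.
    lsn_nets = [ipaddress.ip_network(ln.split()[0]) for hdr, body in blocks
                if hdr.startswith("class-list") for ln in body if " lsn-lid " in ln]
    for hdr, body in blocks:
        if hdr.startswith("interface") and "ip nat inside" in body:
            addr = next(ln.split()[2:4] for ln in body if ln.startswith("ip address"))
            net = ipaddress.ip_network("/".join(addr), strict=False)
            if not any(net.subnet_of(n) for n in lsn_nets):
                findings.append(f"{hdr}: {net} is 'ip nat inside' but no class-list entry covers it")
        elif hdr.startswith("rule-set"):
            rule, seen = None, {}
            for ln in body:  # regroup the flattened lines under their 'rule N' header
                rule = ln if ln.startswith("rule ") else rule
                seen.setdefault(rule, set()).add(ln)
            for rule, lines in seen.items():
                if any(l.startswith("action permit") for l in lines) and WIDE_OPEN <= lines:
                    findings.append(f"{hdr} {rule}: permits any source, destination and service")
    return findings
```

Running audit(ACOS_CONFIG) reports both the class-list mismatch on Ethernet 3 and the wide-open rule 30; changing the class-list entry to 172.16.0.0/16 clears the first finding.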

IP Routing

IP traffic is routed through interface Ethernet 1 directly to the ISP edge router device.

ip route 0.0.0.0 /0 4.10.10.109

Summary

This article described a simple firewall configuration. Its purpose is to provide quick-start instructions for setting up and troubleshooting a basic configuration. There are hundreds of features included with the A10 Thunder CFW. From this basic configuration, the customer can then customize the system, adding features one at a time.
The follow-up article starts with the firewall configuration above and shows how to add an application service to the A10 Thunder CFW.



About Robert Keith

Robert has 30 years of experience in IT technology development and infrastructure management. He was the founder of several infrastructure ventures including Intellivence, MaxSP, Sentrik and most recently was the CTO of Iron Networks. As CTO of Iron Networks in San Jose, CA, he worked directly with many companies in the Silicon Valley to design and architect network, security, and cloud solutions. He worked directly with Microsoft engineering in the design of their cloud architectures including storage, Hyper-V, Systems Center and Virtual Networking. He also worked directly with Hortonworks to design a Hadoop deployment and management system using CentOS and many layered software packages.
