Configuring a Basic Firewall With A10 Thunder CFW

The A10 Thunder CFW has a large set of technologies and features. This article will describe the most basic configuration of the A10 Networks Data Center Firewall deployed at the edge of a corporate network and connected directly to the Internet. The purpose of this document is to guide the reader in setting up a basic firewall configuration which will securely route internal network traffic to the Internet.

Lab Overview

Basic Firewall Configuration with Thunder CFW

The overview for this example consists of:

The most basic configuration for this network includes the following Thunder CFW technologies:

The following is a complete command line configuration for the A10 Thunder CFW:

class-list inside
  172.20.0.0/16 lsn-lid 1
!

interface ethernet 1
  name External
  enable
  ip address 4.10.10.110 255.255.255.252
  ip nat outside
!

interface ethernet 3
  name CorporateNet
  enable
  ip address 172.16.0.1 255.255.0.0
  ip nat inside
!

ip route 0.0.0.0 /0 4.10.10.109
!

cgnv6 lsn inside source class-list inside
!

cgnv6 nat pool public 4.50.50.2 netmask /32
!

cgnv6 lsn-lid 1
  source-nat-pool public
!

rule-set firewall

  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
!

fw active-rule-set firewall
!

end

NAT Configuration

The following commands configure Carrier Grade NAT (CGNAT) to translate inside addresses to a public external IP address. In this case, all traffic is presented to the Internet as the single IP address 4.50.50.2.

NOTE: The network interfaces Ethernet 1 and Ethernet 3 are configured with ip nat outside and ip nat inside, respectively.

class-list inside
  172.20.0.0/16 lsn-lid 1

cgnv6 lsn inside source class-list inside

cgnv6 nat pool public 4.50.50.2 netmask /32

cgnv6 lsn-lid 1
  source-nat-pool public

Firewall Configuration

The following commands create a single firewall ruleset, which processes outgoing traffic and enables the NAT functionality using CGNAT.

NOTE: This rule set does not restrict outgoing traffic (rule 30 permits any source, any destination and any service) and can be made much more secure.

rule-set firewall

  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any

fw active-rule-set firewall
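
A pre-deployment check for the two sections above, added here as an example (it is not part of the original article and is not A10 tooling): it reads a configuration in the text form shown on this page, flags any permit rule whose source, destination and service are all "any", and verifies that each "ip nat inside" interface subnet falls within a class-list prefix bound to an lsn-lid. The names audit, PAGE_CONFIG and OPEN are hypothetical, and the parser assumes only the commands shown above, with "ip address" listed before "ip nat inside".

```python
import ipaddress

# Constructed input: the NAT- and firewall-relevant stanzas of the configuration above.
PAGE_CONFIG = """\
class-list inside
  172.20.0.0/16 lsn-lid 1
!
interface ethernet 3
  ip address 172.16.0.1 255.255.0.0
  ip nat inside
!
rule-set firewall
  rule 30
    action permit cgnv6
    source ipv4-address any
    dest ipv4-address any
    service any
!
"""
OPEN = {"source ipv4-address any", "dest ipv4-address any", "service any"}

def audit(config):  # hypothetical helper; understands only the commands shown above
    nat_prefixes, inside_nets, findings = [], [], []
    section, st = "", {}
    def flush_rule():  # close the rule being read and flag it if it is wide open
        r = st.pop("rule", None)
        if r and OPEN <= set(r) and any(l.startswith("action permit") for l in r):
            findings.append(f"rule {r[0]}: permits any source, destination and service")
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        t = raw.split()
        if not raw[0].isspace():  # unindented line (including "!") starts a new stanza
            flush_rule()
            section, st = t[0], {"name": raw.strip()}
        elif section == "class-list" and "lsn-lid" in t:
            nat_prefixes.append(ipaddress.ip_network(t[0]))
        elif section == "interface" and t[:2] == ["ip", "address"]:
            st["net"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif section == "interface" and t == ["ip", "nat", "inside"] and "net" in st:
            inside_nets.append((st["name"], st["net"]))  # assumes address line came first
        elif section == "rule-set" and t[0] == "rule":
            flush_rule()
            st["rule"] = [t[1]]  # first element is the rule number
        elif section == "rule-set" and "rule" in st:
            st["rule"].append(" ".join(t))
    flush_rule()
    for name, net in inside_nets:
        if not any(net.subnet_of(p) for p in nat_prefixes):
            findings.append(f"{name}: {net} is outside every lsn-lid class-list prefix")
    return findings
```

On PAGE_CONFIG, audit returns two findings: rule 30 permits everything, and the inside interface subnet 172.16.0.0/16 lies outside the class-list prefix 172.20.0.0/16, as the two values are printed on this page.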

IP Routing

IP traffic is routed through interface Ethernet 1 directly to the ISP edge router device.

ip route 0.0.0.0 /0 4.10.10.109

Summary

This article described a simple firewall configuration. Its purpose is to provide quick-start instructions for setting up and troubleshooting a basic configuration. There are hundreds of features included with the A10 Thunder CFW. From this basic configuration, the customer can then customize the system, adding features one at a time.

The follow-up article starts with the firewall configuration above and shows how to add an application service to A10 Thunder CFW.


July 9, 2018

About Robert Keith

Robert has 30 years of experience in IT technology development and infrastructure management. He was the founder of several infrastructure ventures including Intellivence, MaxSP, Sentrik and most recently was the CTO of Iron Networks. As CTO of Iron Networks in San Jose, CA, he worked directly with many companies in the Silicon Valley to design and architect network, security, and cloud solutions. He worked directly with Microsoft engineering in the design of their cloud architectures including storage, Hyper-V, Systems Center and Virtual Networking. He also worked directly with Hortonworks to design a Hadoop deployment and management system using CentOS and many layered software packages.