Publishing an Application Service With A10 Thunder CFW

This article builds upon the article Configuration a Basic Firewall. Please refer to that article first to configure a basic A10 Thunder CFW firewall. The following instructions will extend this configuration, adding the capability of publishing an application to the Internet.

Lab Overview

Application Service with the Thunder CFW

The configuration described below will include:

The following is a complete command line configuration for the A10 Thunder CFW:

Application Service Configuration

class-list inside
  172.20.0.0/16 lsn-lid 1
!

interface ethernet 1
  name External
  enable
  ip address 4.10.10.110 255.255.255.252
  ip nat outside
!

interface ethernet 2
  name Internal
  enable
  ip address 4.50.50.1 255.255.255.224
!

interface ethernet 3
  name ManagementNet
  enable
  ip address 172.20.0.1 255.255.0.0
  ip nat inside
!

ip route 0.0.0.0 /0 4.10.10.109
!

cgnv6 lsn inside source class-list inside
!

cgnv6 nat pool public 4.50.50.2 netmask /32
!

cgnv6 lsn-lid 1
  source-nat-pool public
!

rule-set 30
!

rule-set firewall
  rule 20
    action permit forward
    source ipv4-address any
    source zone any
    dest ipv4-address 4.50.50.3/32
    dest zone any
    service tcp dst eq 3389
    service icmp code any-code

  rule 25
    action permit forward
    source ipv4-address 4.50.50.3/32
    source zone any
    dest ipv4-address any
    dest zone any
    service any

  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
!

fw active-rule-set firewall
!

end

Firewall Configuration

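The following rules permit traffic through the firewall. Rule 20 permits TCP port 3389 and ICMP from any source to the published host 4.50.50.3, rule 25 permits any service from 4.50.50.3 to any destination, and rule 30 applies the permit cgnv6 action to any service from any source to any destination.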

NOTE: This firewall can be made much more restrictive and secure using additional firewall features provided by the A10 Thunder CFW.

rule-set firewall

  rule 20
    action permit forward
    source ipv4-address any
    source zone any
    dest ipv4-address 4.50.50.3/32
    dest zone any
    service tcp dst eq 3389
    service icmp code any-code

  rule 25
    action permit forward
    source ipv4-address 4.50.50.3/32
    source zone any
    dest ipv4-address any
    dest zone any
    service any

  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any

fw active-rule-set firewall
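
As an added example (not part of the original article and not A10 tooling), the Python script below parses the rule-set syntax shown above and lists the permit rules whose source, destination or service is left at any, which are the first candidates for the tightening the NOTE refers to. The function names and the wording of the findings are assumptions of this example.

```python
# Constructed sample: the article's rule-set with the "zone any" lines omitted.
RULE_SET = """
rule-set firewall
  rule 20
    action permit forward
    source ipv4-address any
    dest ipv4-address 4.50.50.3/32
    service tcp dst eq 3389
    service icmp code any-code
  rule 25
    action permit forward
    source ipv4-address 4.50.50.3/32
    dest ipv4-address any
    service any
  rule 30
    action permit cgnv6
    source ipv4-address any
    dest ipv4-address any
    service any
"""

def parse_rules(text):
    """Map rule number -> action, source, dest and list of services."""
    rules, cur = {}, None
    for words in (line.split() for line in text.splitlines()):
        if len(words) == 2 and words[0] == "rule":
            cur = rules[int(words[1])] = {"services": []}
        elif cur is None or len(words) < 2:
            continue  # blank lines, "!" separators, the rule-set header
        elif words[0] == "action":
            cur["action"] = words[1]
        elif words[0] in ("source", "dest") and words[1] == "ipv4-address":
            cur[words[0]] = " ".join(words[2:])
        elif words[0] == "service":
            cur["services"].append(" ".join(words[1:]))
    return rules

def audit(rules):
    """Return (rule, finding) pairs for permit rules with an unrestricted field."""
    out = []
    permits = {n: r for n, r in rules.items() if r.get("action") == "permit"}
    for num, r in sorted(permits.items()):
        if r.get("source") == "any" and r.get("dest") != "any":
            out += [(num, f"{s} to {r.get('dest')} open to any source") for s in r["services"]]
        if "any" in r["services"]:
            out.append((num, f"all services from {r.get('source')} to {r.get('dest')}"))
    return out

for num, finding in audit(parse_rules(RULE_SET)):
    print(f"rule {num}: {finding}")
```

Run against the rules above, it reports rule 20 twice (TCP 3389 and ICMP reachable from any source) and rules 25 and 30 once each for permitting every service.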

IP Routing

IP traffic is routed through interface Ethernet 1 directly to the ISP edge router device.

ip route 0.0.0.0 /0 4.10.10.109

Summary

This article described a simple firewall configuration to publish an application service to clients on the Internet. The configuration is made as basic as possible and is not a best-case configuration. Its purpose is to provide quick-start instructions to set up and troubleshoot a basic configuration. There are hundreds of features included with the A10 Thunder CFW. From this basic configuration, the customer can then customize the system, adding features one at a time.



July 9, 2018

About Robert Keith

Robert has 30 years of experience in IT technology development and infrastructure management. He was the founder of several infrastructure ventures including Intellivence, MaxSP, Sentrik and most recently was the CTO of Iron Networks. As CTO of Iron Networks in San Jose, CA, he worked directly with many companies in the Silicon Valley to design and architect network, security, and cloud solutions. He worked directly with Microsoft engineering in the design of their cloud architectures including storage, Hyper-V, Systems Center and Virtual Networking. He also worked directly with Hortonworks to design a Hadoop deployment and management system using CentOS and many layered software packages.