Configuring a Basic Firewall With A10 Thunder CFW

The A10 Thunder CFW has a large set of technologies and features. This article will describe the most basic configuration of the A10 Networks Data Center Firewall deployed at the edge of a corporate network and connected directly to the Internet. The purpose of this document is to guide the reader in setting up a basic firewall configuration which will securely route internal network traffic to the Internet.

Lab Overview

[Figure: Basic Firewall Configuration with Thunder CFW]

The overview for this example consists of:

  • Internal Corporate Network – the private internal network
  • A10 Thunder CFW – the Thunder CFW product using only the data center firewall feature sets
  • ISP Point-to-Point Subnet – a typical network configuration where an ISP will provide access to the Internet via a /31 subnet which supports only 2 nodes.  This link is used only to route traffic between the A10 Thunder CFW and the ISP edge network.
  • Public IP Address Subnet – an IP subnet range of public IP addresses.  This range allows direct access to the Internet without requiring NAT.

The most basic configuration for this network includes the following Thunder CFW technologies:

  • A10 CFW Stateful Firewall feature set
  • A10 Carrier Grade NAT feature
  • Standard IP Routing

The following is a complete command line configuration for the A10 Thunder CFW:

class-list inside
  172.20.0.0/16 lsn-lid 1
!

interface ethernet 1
  name External
  enable
  ip address 4.10.10.110 255.255.255.252
  ip nat outside
!

interface ethernet 3
  name CorporateNet
  enable
  ip address 172.16.0.1 255.255.0.0
  ip nat inside
!

ip route 0.0.0.0 /0 4.10.10.109
!

cgnv6 lsn inside source class-list inside
!

cgnv6 nat pool public 4.50.50.2 netmask /32
!

cgnv6 lsn-lid 1
  source-nat-pool public
!

rule-set firewall

  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
!

fw active-rule-set firewall
!

end

NAT Configuration

The following commands configure Carrier Grade NAT (CGNAT) to translate inside addresses to a public external IP address.  In this case, all traffic will be exposed as a single IP address 4.50.50.2.

NOTE: the network interfaces ethernet 1 and ethernet 3 are configured with ip nat outside and ip nat inside respectively, which is what marks them as the translation boundary.

class-list inside
  172.20.0.0/16 lsn-lid 1

cgnv6 lsn inside source class-list inside

cgnv6 nat pool public 4.50.50.2 netmask /32

cgnv6 lsn-lid 1
  source-nat-pool public

Firewall Configuration

The following commands create a single firewall ruleset, which processes outgoing traffic and enables the NAT functionality using CGNAT.

NOTE: This firewall does not restrict outgoing traffic and can be made much more secure.

rule-set firewall

  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any

fw active-rule-set firewall

IP Routing

IP traffic is routed through interface Ethernet 1 directly to the ISP edge router device.

ip route 0.0.0.0 /0 4.10.10.109
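The NAT, firewall and routing sections above each contribute a few lines that have to agree with one another (the class-list prefix has to sit behind the ip nat inside interface, the default route's next hop has to be on the external link, and the active rule-set decides what leaves the network). The script below is an added example, not A10's own code or tooling: it parses the article's configuration (embedded verbatim as CONFIG) into interfaces, class-lists, NAT pools, routes and rules, then runs those consistency checks and flags the permit-any egress rule the note above warns about. It understands only the command forms that appear on this page; the WARN/INFO labels and the check logic are this example's own.

```python
"""Sanity checker for the A10 Thunder CFW configuration in this article.

Added example, not A10 code: parses the ACOS CLI subset used on the page and
runs the checks a reviewer would make before connecting the box to the Internet.
"""
import ipaddress

# The article's configuration, copied verbatim so the script runs offline.
CONFIG = """
class-list inside
  172.20.0.0/16 lsn-lid 1
!
interface ethernet 1
  name External
  enable
  ip address 4.10.10.110 255.255.255.252
  ip nat outside
!
interface ethernet 3
  name CorporateNet
  enable
  ip address 172.16.0.1 255.255.0.0
  ip nat inside
!
ip route 0.0.0.0 /0 4.10.10.109
!
cgnv6 lsn inside source class-list inside
!
cgnv6 nat pool public 4.50.50.2 netmask /32
!
cgnv6 lsn-lid 1
  source-nat-pool public
!
rule-set firewall
  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
!
fw active-rule-set firewall
!
end
"""


def parse_config(text):
    """Parse the subset of ACOS CLI used in the article into plain dicts."""
    cfg = {"interfaces": {}, "class_lists": {}, "pools": {}, "routes": [], "rules": []}
    block = None  # (kind, name) of the indented block we are inside
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        tokens = line.split()
        if not line.startswith(" "):  # top-level command starts a new block
            block = None
            if tokens[:2] == ["interface", "ethernet"]:
                block = ("interface", tokens[2])
                cfg["interfaces"][tokens[2]] = {"addr": None, "nat": None}
            elif tokens[0] == "class-list":
                block = ("class-list", tokens[1])
                cfg["class_lists"][tokens[1]] = []
            elif tokens[0] == "rule-set":
                block = ("rule-set", tokens[1])
            elif tokens[:3] == ["cgnv6", "nat", "pool"]:  # cgnv6 nat pool <name> <addr> netmask /<len>
                cfg["pools"][tokens[3]] = ipaddress.ip_network(tokens[4] + tokens[6])
            elif tokens[:2] == ["ip", "route"]:  # ip route <prefix> /<len> <next-hop>
                cfg["routes"].append((ipaddress.ip_network(tokens[2] + tokens[3]),
                                      ipaddress.ip_address(tokens[4])))
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "interface":
            if tokens[:2] == ["ip", "address"]:  # dotted netmask is accepted by ipaddress
                cfg["interfaces"][name]["addr"] = ipaddress.ip_interface(f"{tokens[2]}/{tokens[3]}")
            elif tokens[:2] == ["ip", "nat"]:
                cfg["interfaces"][name]["nat"] = tokens[2]  # "inside" or "outside"
        elif kind == "class-list":
            cfg["class_lists"][name].append(ipaddress.ip_network(tokens[0]))
        elif kind == "rule-set":
            if tokens[0] == "rule":
                cfg["rules"].append({"set": name, "id": int(tokens[1])})
            elif cfg["rules"]:
                key, *rest = tokens
                if key in ("source", "dest"):  # e.g. "source ipv4-address any"
                    key, rest = f"{key} {rest[0]}", rest[1:]
                cfg["rules"][-1][key] = " ".join(rest)
    return cfg


def check_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    inside = [i for i in cfg["interfaces"].values() if i["nat"] == "inside" and i["addr"]]
    outside = [i for i in cfg["interfaces"].values() if i["nat"] == "outside" and i["addr"]]
    specific_routes = [dest for dest, _ in cfg["routes"] if dest.prefixlen > 0]
    # A class-list prefix handed to LSN must be behind an 'ip nat inside' interface,
    # connected or routed; otherwise inside hosts never match it and are not translated.
    for name, prefixes in cfg["class_lists"].items():
        for p in prefixes:
            if not (any(p.subnet_of(i["addr"].network) for i in inside)
                    or any(p.subnet_of(dest) for dest in specific_routes)):
                findings.append(f"WARN class-list {name}: {p} is not on any 'ip nat inside' "
                                "interface and has no static route")
    # The default route's next hop has to be on the external point-to-point link.
    for dest, nh in cfg["routes"]:
        if dest.prefixlen == 0 and not any(nh in i["addr"].network for i in outside):
            findings.append(f"WARN default route next hop {nh} is not on an external interface subnet")
    # A pool address off the external link works only if the ISP routes it to the CFW.
    for name, pool in cfg["pools"].items():
        if not any(pool.subnet_of(i["addr"].network) for i in outside):
            findings.append(f"INFO nat pool {name}: {pool} is not on the external link; "
                            "the ISP must route it to the CFW")
    # A permit rule with any source, destination and service is an open egress policy.
    for r in cfg["rules"]:
        wide_open = all(r.get(k) == "any" for k in ("source ipv4-address", "dest ipv4-address", "service"))
        if r.get("action", "").startswith("permit") and wide_open:
            findings.append(f"WARN rule-set {r['set']} rule {r['id']}: permits any source, "
                            "destination and service; restrict egress to the services needed")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_config(CONFIG)):
        print(finding)
```

Run against the configuration as printed, the checker reports three things: the class-list prefix 172.20.0.0/16 is not the subnet of the ip nat inside interface (172.16.0.0/16), so hosts on CorporateNet would not be translated until the two are made to agree; the pool address 4.50.50.2 lives on the public subnet rather than the /31 link, so the ISP must route that subnet to the CFW; and rule 30 permits all egress, which is the note's point. Making the class-list and interface subnet agree clears the first finding.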

Summary

This article described a simple firewall configuration.  Its purpose is to provide quick-start instructions for setting up and troubleshooting a basic configuration.  There are hundreds of features included with the A10 Thunder CFW.  From this basic configuration, the customer can then customize the system, adding features one at a time.

The follow-up article starts with the firewall configuration above and shows how to add an application service to the A10 Thunder CFW.
