Publishing an Application Service With A10 Thunder CFW

This article builds on the article Configuring a Basic Firewall. Please refer to that article first to configure a basic A10 Thunder CFW firewall. The instructions below extend that configuration, adding the capability of publishing an application to the Internet.

Lab Overview

[Figure: Application Service with the Thunder CFW]

The configuration described below will include:

  • Configuration to allow direct Internet connections to an application TCP service
  • Configuration of firewall rules governing incoming and outgoing traffic to the service
  • The ability to NAT traffic from private addresses to the Internet

The following is a complete command line configuration for the A10 Thunder CFW:

Application Service Configuration

class-list inside
  172.20.0.0/16 lsn-lid 1
!

interface ethernet 1
  name External
  enable
  ip address 4.10.10.110 255.255.255.252
  ip nat outside
!

interface ethernet 2
  name Internal
  enable
  ip address 4.50.50.1 255.255.255.224
!

interface ethernet 3
  name ManagementNet
  enable
  ip address 172.20.0.1 255.255.0.0
  ip nat inside
!

ip route 0.0.0.0 /0 4.10.10.109
!

cgnv6 lsn inside source class-list inside
!

cgnv6 nat pool public 4.50.50.2 netmask /32
!

cgnv6 lsn-lid 1
  source-nat-pool public
!

rule-set 30
!

rule-set firewall
  rule 20
    action permit forward
    source ipv4-address any
    source zone any
    dest ipv4-address 4.50.50.3/32
    dest zone any
    service tcp dst eq 3389
    service icmp code any-code

  rule 25
    action permit forward
    source ipv4-address 4.50.50.3/32
    source zone any
    dest ipv4-address any
    dest zone any
    service any

  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
!

fw active-rule-set firewall
!

end

Firewall Configuration

The following rules permit traffic through the firewall. Rules are evaluated in order, and the first rule that matches a new connection decides how it is handled.

  • Rule 20 allows incoming connections from any source to the server 4.50.50.3 on TCP port 3389 (RDP), and ICMP to the server
  • Rule 25 allows the server 4.50.50.3 to initiate connections to any destination with any service (replies to connections permitted by rule 20 belong to established sessions and do not need their own rule)
  • Rule 30 hands all remaining traffic to the CGN stage, so hosts in 172.20.0.0/16 (class-list inside, LSN LID 1) are translated to the pool address 4.50.50.2 and routed to the Internet

NOTE: This rule-set is deliberately permissive. Rule 20 exposes RDP to every address on the Internet, rule 25 lets the server open arbitrary outbound connections, and rule 30 matches any source and any destination. This firewall can be made much more restrictive and secure using additional firewall features provided by the A10 Thunder CFW, for example by restricting the source addresses allowed to reach port 3389 and limiting the services the server may initiate.
rule-set firewall

  rule 20
    action permit forward
    source ipv4-address any
    source zone any
    dest ipv4-address 4.50.50.3/32
    dest zone any
    service tcp dst eq 3389
    service icmp code any-code

  rule 25
    action permit forward
    source ipv4-address 4.50.50.3/32
    source zone any
    dest ipv4-address any
    dest zone any
    service any

  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any

fw active-rule-set firewall
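To see what the rule-set above actually permits before committing it, it helps to walk a handful of flows through the rules by hand. The script below is an added example and not A10 code: it models first-match evaluation of the page's rule-set (assuming rules are tried in order, the first match wins, and a flow that matches no rule is denied), places a hardened variant next to it, and reports which rule each constructed flow hits in both. The admin prefix 203.0.113.0/24, the hardened rule bodies, and all test flows are assumptions made for illustration; the model only reports which rule matched and does not model what the CGN stage does with a flow handed to it.

```python
"""First-match model of the rule-set 'firewall' on this page (added example, not A10's code).

Assumptions: rules are evaluated top to bottom, the first match wins, and a flow
matching no rule is denied. Zones are not modelled because every rule uses 'any'.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # ignored for icmp


@dataclass
class Rule:
    number: int
    action: str                  # "permit forward" or "permit cgnv6" as on the page
    src: str = "any"             # "any" or a CIDR prefix
    dst: str = "any"
    services: tuple = ("any",)   # "any", "icmp", or "proto/port" such as "tcp/3389"

    @staticmethod
    def _addr_match(pattern, addr):
        if pattern == "any":
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

    def _service_match(self, flow):
        for svc in self.services:
            if svc == "any":
                return True
            if svc == "icmp" and flow.proto == "icmp":
                return True
            if "/" in svc:
                proto, port = svc.split("/")
                if flow.proto == proto and flow.dport == int(port):
                    return True
        return False

    def matches(self, flow):
        return (self._addr_match(self.src, flow.src)
                and self._addr_match(self.dst, flow.dst)
                and self._service_match(flow))


def evaluate(ruleset, flow):
    """Return (rule number, action) of the first matching rule, or (None, 'deny')."""
    for rule in ruleset:
        if rule.matches(flow):
            return rule.number, rule.action
    return None, "deny"


# Transcription of rule-set "firewall" from the page.
PAGE_RULESET = [
    Rule(20, "permit forward", dst="4.50.50.3/32", services=("tcp/3389", "icmp")),
    Rule(25, "permit forward", src="4.50.50.3/32"),
    Rule(30, "permit cgnv6"),
]

# Hardened variant (constructed for this example, not from the page): RDP only from an
# assumed administrative prefix, the server may only initiate HTTPS and DNS, and only the
# private range behind ethernet 3 is handed to the CGN stage.
ADMIN_PREFIX = "203.0.113.0/24"   # assumption: the operator's management range
HARDENED_RULESET = [
    Rule(20, "permit forward", src=ADMIN_PREFIX, dst="4.50.50.3/32", services=("tcp/3389", "icmp")),
    Rule(25, "permit forward", src="4.50.50.3/32", services=("tcp/443", "udp/53")),
    Rule(30, "permit cgnv6", src="172.20.0.0/16"),
]

# Constructed test flows (documentation prefixes stand in for Internet hosts).
FLOWS = {
    "rdp_from_internet":    Flow("198.51.100.7", "4.50.50.3", "tcp", 3389),
    "rdp_from_admin":       Flow("203.0.113.10", "4.50.50.3", "tcp", 3389),
    "ssh_from_internet":    Flow("198.51.100.7", "4.50.50.3", "tcp", 22),
    "server_outbound_smtp": Flow("4.50.50.3", "198.51.100.25", "tcp", 25),
    "server_outbound_https": Flow("4.50.50.3", "198.51.100.25", "tcp", 443),
    "inside_to_internet":   Flow("172.20.1.5", "198.51.100.25", "tcp", 443),
}


def compare(flow_name):
    """Evaluate one named flow against both rule-sets: (page result, hardened result)."""
    flow = FLOWS[flow_name]
    return evaluate(PAGE_RULESET, flow), evaluate(HARDENED_RULESET, flow)


if __name__ == "__main__":
    for name in FLOWS:
        page, hard = compare(name)
        print(f"{name:22} page: rule {page[0]} {page[1]:15} hardened: rule {hard[0]} {hard[1]}")
```

Two results are worth noting when running this. SSH from the Internet to 4.50.50.3 is not stopped by rule 20; it falls through to rule 30 because that rule matches any source and destination, which is why the hardened variant limits rule 30 to the private range. Likewise an outbound SMTP connection from the server is permitted by the page's rule 25, so a compromised server can reach anything; restricting rule 25 to the services the application really needs closes that.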

IP Routing

IP traffic is routed through interface Ethernet 1 directly to the ISP edge router device.

ip route 0.0.0.0 /0 4.10.10.109

Summary

This article described a simple firewall configuration to publish an application service to clients on the Internet. The configuration is kept as basic as possible and is not a best-practice configuration. Its purpose is to provide quick-start instructions for setting up and troubleshooting a basic configuration. There are hundreds of features included with the A10 Thunder CFW. Starting from this basic configuration, the customer can customize the system, adding features one at a time.
