Publishing an Application Service With A10 Thunder CFW

This article builds upon the article Configuration a Basic Firewall. Please refer to that article first to configure a basic A10 Thunder CFW firewall. The following instructions will extend this configuration, adding the capability of publishing an application to the Internet.
Lab Overview
The configuration described below will include:
- Configuration to allow direct Internet connections to an application TCP service
- Configuration of firewall rules governing incoming and outgoing traffic to the service
- The ability to NAT traffic from private addresses to the Internet
The following is a complete command line configuration for the A10 Thunder CFW:
Application Service Configuration
class-list inside
  172.20.0.0/16 lsn-lid 1
!
interface ethernet 1
  name External
  enable
  ip address 4.10.10.110 255.255.255.252
  ip nat outside
!
interface ethernet 2
  name Internal
  enable
  ip address 4.50.50.1 255.255.255.224
!
interface ethernet 3
  name ManagementNet
  enable
  ip address 172.20.0.1 255.255.0.0
  ip nat inside
!
ip route 0.0.0.0 /0 4.10.10.109
!
cgnv6 lsn inside source class-list inside
!
cgnv6 nat pool public 4.50.50.2 netmask /32
!
cgnv6 lsn-lid 1
  source-nat-pool public
!
rule-set 30
!
rule-set firewall
  rule 20
    action permit forward
    source ipv4-address any
    source zone any
    dest ipv4-address 4.50.50.3/32
    dest zone any
    service tcp dst eq 3389
    service icmp code any-code
  rule 25
    action permit forward
    source ipv4-address 4.50.50.3/32
    source zone any
    dest ipv4-address any
    dest zone any
    service any
  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
!
fw active-rule-set firewall
!
end
Firewall Configuration
The following rules permit traffic through the firewall.
- Rule 20 allows incoming connections to the server 4.50.50.3 for service port number 3389 (RDP)
- Rule 25 allows return traffic from the server to Internet destinations
- Rule 30 allows IP addresses without a public address to be NAT’ed and routed to the Internet
rule-set firewall
  rule 20
    action permit forward
    source ipv4-address any
    source zone any
    dest ipv4-address 4.50.50.3/32
    dest zone any
    service tcp dst eq 3389
    service icmp code any-code
  rule 25
    action permit forward
    source ipv4-address 4.50.50.3/32
    source zone any
    dest ipv4-address any
    dest zone any
    service any
  rule 30
    action permit cgnv6
    source ipv4-address any
    source zone any
    dest ipv4-address any
    dest zone any
    service any
fw active-rule-set firewall
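As an added example (not part of the original article and not A10 code), the following Python script parses the rule-set above and flags permit rules that are broader than a single published service needs, which is a useful review step before extending this quick-start configuration. The helper names `parse_rules` and `audit` are hypothetical, and the embedded rule-set is the article's own with the `zone any` lines omitted.

```python
# Rule-set from this article, abridged: the "zone any" lines are omitted.
CONFIG = """\
rule-set firewall
rule 20
action permit forward
source ipv4-address any
dest ipv4-address 4.50.50.3/32
service tcp dst eq 3389
service icmp code any-code
rule 25
action permit forward
source ipv4-address 4.50.50.3/32
dest ipv4-address any
service any
rule 30
action permit cgnv6
source ipv4-address any
dest ipv4-address any
service any
"""

def parse_rules(text):  # hypothetical helper: rule id -> {action, source, dest, services}
    rules, cur = {}, {"services": []}  # cur starts as a throwaway for lines before the first rule
    for line in map(str.strip, text.splitlines()):
        key, _, val = line.partition(" ")
        if key == "rule":
            cur = rules[int(val)] = {"services": []}
        elif key == "action":
            cur["action"] = val
        elif key in ("source", "dest") and val.startswith("ipv4-address "):
            cur[key] = val.split()[1]
        elif key == "service":
            cur["services"].append(val)
    return rules

def audit(rules):  # hypothetical helper: flag permit rules broader than one published service
    findings = []
    for rid, r in sorted(rules.items()):
        src, dst, svcs = r.get("source"), r.get("dest"), r["services"]
        if not r.get("action", "").startswith("permit"):
            continue
        if src == "any" and dst == "any" and "any" in svcs:
            findings.append((rid, "any-to-any permit"))
        elif src == "any":
            findings.append((rid, f"any source -> {dst}: {'; '.join(svcs)}"))
        elif dst == "any" and "any" in svcs:
            findings.append((rid, f"unrestricted egress from {src}"))
    return findings

print(*(f"rule {rid}: {msg}" for rid, msg in audit(parse_rules(CONFIG))), sep="\n")
```

Each finding marks a rule to tighten, for example by narrowing the source of rule 20 or the services of rule 25, once the basic configuration is working.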
IP Routing
IP traffic is routed through interface Ethernet 1 directly to the ISP edge router device.
ip route 0.0.0.0 /0 4.10.10.109
Summary
This article described a simple firewall configuration to publish an application service to clients on the Internet. The configuration is made as basic as possible and is not a best-case configuration. Its purpose is to provide quick-start instructions to set up and troubleshoot a basic configuration. There are hundreds of features included with the A10 Thunder CFW. From this basic configuration, the customer can then customize the system, adding features one at a time.