I need help. I am trying to understand this concept: how do I send public traffic from the router to the firewall?
Below is my setup: configured AnyConnect on the ASA and an access-list.
I have attached a diagram.
Internet -----> Router -----> Firewall ---- LAN ---- This is the current setup. How do I route public IP traffic from the router to the firewall?
You have not provided enough details in your initial post.
From a routing point of view given the network topology:
Internet -----> Router -----> Firewall ---- LAN ---
>> This is the current setup. How do I route public IP traffic from the router to the firewall?
Standard routing is based on destination address so you need to look at traffic and routing in the following way:
Let us suppose that the router-to-firewall subnet is a public IP address 10.10.12.0/29, with the router using 10.10.12.1/29 and the firewall using 10.10.12.2/29.
Let us suppose that the LAN IP subnet is a private IP subnet per RFC 1918, like 10.100.200.0/24.
Let us suppose the Internet handoff is a public IP address like 188.8.131.52/29, with 184.108.40.206 being the provider router IP address.
So for traffic coming from the LAN to go to the internet:
the firewall needs a default route, like a default static route, pointing to the router:
route outside 0.0.0.0 0.0.0.0 10.10.12.1
The router needs to have a default route pointing to the internet default gateway on the internet handoff, for example:
ip route 0.0.0.0 0.0.0.0 220.127.116.11
The private IP subnet cannot go to the internet and needs to be translated to a public IP address.
If the link between the router and the ASA uses a public IP subnet, as supposed above, the private IP addresses can use NAT on the ASA (actually PAT) so that source addresses are translated to 18.104.22.168 with TCP or UDP port translation (PAT).
For the opposite direction:
The ISP router must know of IP subnet 10.10.12.0/29 via a static route pointing to the router's Internet-facing interface 126.96.36.199.
The router does not need a static route for the private IP subnet 10.100.200.0/24, because it sees all packets with a destination address of 10.10.12.2.
The ASA uses the NAT table to find out which private inside address the packet should be delivered to.
>> c) configured AnyConnect on the ASA and an access-list
So you are using a remote-access VPN solution on the ASA; the remote users can point to 188.8.131.52 on the ASA, which is used to terminate the VPN tunnel (SSL or IPsec).
The purpose of this AnyConnect setup should be to provide remote users access to the LAN IP subnet 10.100.200.0/24.
Remote users can access the internet using a split-tunnel technique, that is, to allow them to go to the internet and to use the VPN tunnel only for packets with destination internal LAN 10.100.200.0/24.
Another option is to have the remote users exit to the internet using the path ASA ---> router ---> Internet.
Again this is decided on the ASA configuration.
Hope to help
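To make the routing, PAT and AnyConnect points in the answer above concrete, here is an added example configuration for both boxes. It is not the poster's configuration and not taken from the thread; it only uses the router-firewall link (10.10.12.0/29) and LAN (10.100.200.0/24) addresses from the answer. Everything else is an assumption for illustration: the interface names, the ISP handoff addresses (203.0.113.0/29 from the documentation range, with 203.0.113.1 as the provider router), the AnyConnect pool 10.100.201.0/24, and the group-policy and tunnel-group names.

```cisco
! ===== Router (IOS) - assumed interface names and ISP addresses =====
interface GigabitEthernet0/0
 description ISP handoff (assumed 203.0.113.0/29, provider router 203.0.113.1)
 ip address 203.0.113.2 255.255.255.248
!
interface GigabitEthernet0/1
 description link to ASA outside (10.10.12.0/29 from the answer)
 ip address 10.10.12.1 255.255.255.248
!
! Default route toward the provider. No route to 10.100.200.0/24 is needed:
! inbound packets already carry the ASA address 10.10.12.2 after PAT,
! and 10.10.12.0/29 is directly connected.
ip route 0.0.0.0 0.0.0.0 203.0.113.1

! ===== ASA - assumed interface names; object/policy names are placeholders =====
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.10.12.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.200.1 255.255.255.0
!
! Default route toward the router (the "route outside ..." line from the answer)
route outside 0.0.0.0 0.0.0.0 10.10.12.1
!
! PAT: every LAN host leaves with source 10.10.12.2 (the outside interface IP)
! and a translated TCP/UDP port; the ASA's xlate table maps replies back.
object network LAN-SUBNET
 subnet 10.100.200.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- AnyConnect remote access (SSL) ---
! Address pool handed to remote users (assumed 10.100.201.0/24)
ip local pool ANYCONNECT-POOL 10.100.201.10-10.100.201.100 mask 255.255.255.0
!
object network ANYCONNECT-POOL-NET
 subnet 10.100.201.0 255.255.255.0
!
! NAT exemption: LAN <-> VPN pool traffic must NOT be PATed, otherwise remote
! users would see 10.10.12.2 instead of the real LAN addresses.
nat (inside,outside) source static LAN-SUBNET LAN-SUBNET destination static ANYCONNECT-POOL-NET ANYCONNECT-POOL-NET no-proxy-arp route-lookup
!
! Split tunnel: only 10.100.200.0/24 goes through the tunnel; all other
! remote-user traffic goes straight to the internet from the client side.
access-list SPLIT-TUNNEL standard permit 10.100.200.0 255.255.255.0
!
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value ANYCONNECT-POOL
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias RemoteUsers enable
!
! Remote users connect to the outside address 10.10.12.2 (the ASA end of the
! router-firewall link); an AnyConnect package must also be loaded with
! "anyconnect image", omitted here because the filename depends on the version.
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
!
! --- Alternative from the answer: remote users exit ASA ---> router ---> Internet ---
! Replace the three split-tunnel lines above with a full tunnel and let the
! VPN traffic hairpin back out of "outside" with PAT:
!  same-security-traffic permit intra-interface
!  group-policy ANYCONNECT-GP attributes
!   split-tunnel-policy tunnelall
!  object network ANYCONNECT-POOL-NET
!   nat (outside,outside) dynamic interface
```

The two things most often missed when this is set up from the thread's description are the NAT exemption for LAN-to-pool traffic (without it the AnyConnect clients get PATed like any other inside host and cannot reach the LAN by its real addresses) and, for the full-tunnel alternative, `same-security-traffic permit intra-interface`, since the remote user's internet traffic enters and leaves the ASA on the same outside interface.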