09-19-2019 12:20 AM
Hi All,
I need help. I am trying to understand this concept: how do I send public traffic from the router to the firewall?
Below is my setup - configured AnyConnect on the ASA and an access-list.
I have attached a diagram.
Internet -----> Router -----> Firewall ---- LAN ---- this is the current setup. How do I route public IP traffic from the router to the firewall?
09-21-2019 07:36 AM
Hello astuppad,
you have not provided enough details in your initial post.
From a routing point of view given the network topology:
Internet -----> Router -----> Firewall ---- LAN ---
>> this is the current setup, how do I route public IP traffic from the router to the firewall
Standard routing is based on destination address so you need to look at traffic and routing in the following way:
Let us suppose that the router-to-firewall subnet is a public IP subnet, 1.10.12.0/29, with the router using 10.10.12.1/29 and the firewall using 10.10.12.2/29.
Let us suppose that the LAN IP subnet is a private IP subnet per RFC 1918, like 10.100.200.0/24.
Let us suppose the Internet handoff is a public IP subnet like 1.160.25.0/29, with 1.160.25.1 being the provider router IP address.
So for traffic coming from the LAN to go to the internet:
a) routing
the firewall needs to have a default route, like a default static route pointing to the router:
route outside 0.0.0.0 0.0.0.0 10.10.12.1
The router needs to have a default route pointing to the internet default gateway on the internet handoff, for example:
ip route 0.0.0.0 0.0.0.0 1.160.25.1
b) NAT
the private IP subnet cannot go to the internet and needs to be translated to a public IP address.
If the link between router and ASA uses a public IP subnet, as supposed above, the private IP addresses can use NAT on the ASA (actually PAT) to have their source addresses translated to 1.10.12.2 with TCP or UDP port translation (PAT).
For the opposite direction:
the ISP router must know of IP subnet 1.10.12.0/29 via a static route pointing to the router's Internet-facing interface 1.160.25.2.
The router does not need a static route for the private IP subnet 10.100.200.0/24, because it sees all packets with a destination address of 10.10.12.2.
The ASA uses the NAT table to find out which private Inside address the packet should be delivered to.
c) configured anyconnect in ASA and Access-list
So you are using a remote VPN solution on the ASA; the remote users can point to 1.10.12.3 on the ASA, which is used to terminate the VPN tunnel (SSL or IPsec).
The purpose of this anyconnect should be to provide remote users access to the LAN IP subnet 10.100.200.0/24.
Remote users can access the internet using a split-tunnel technique, that is, allowing them to go to the internet directly and to use the VPN tunnel only for packets with destination internal LAN 10.100.200.0/24.
Another option is to have the remote users exit to the internet using the path ASA ---> router ---> Internet.
Again this is decided on the ASA configuration.
Hope to help
Giuseppe
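The design described in the answer above (default routes on the ASA and edge router, PAT on the ASA, a static route on the ISP router, and split-tunnel AnyConnect) written out as configuration. This is an added example, not configuration from the thread or from the original poster's devices. It assumes the router-to-ASA link is 1.10.12.0/29 with the router at .1 and the ASA at .2 (so the PAT address is the ASA outside interface), the LAN is 10.100.200.0/24, a constructed VPN pool of 10.100.201.0/24, and that AnyConnect terminates on the ASA outside interface address; interface and object names are placeholders.

```cisco
! --- ISP router (constructed addressing: handoff 1.160.25.0/29, provider side .1, customer side .2)
ip route 1.10.12.0 255.255.255.248 1.160.25.2

! --- Customer edge router
interface GigabitEthernet0/0
 ip address 1.160.25.2 255.255.255.248
interface GigabitEthernet0/1
 ip address 1.10.12.1 255.255.255.248
ip route 0.0.0.0 0.0.0.0 1.160.25.1
! No route for 10.100.200.0/24 is needed here: return packets are addressed to 1.10.12.2

! --- ASA
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.10.12.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.200.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.10.12.1
! PAT: LAN sources leave as the outside interface address 1.10.12.2 with port translation
object network LAN
 subnet 10.100.200.0 255.255.255.0
 nat (inside,outside) dynamic interface
! AnyConnect: split tunnel so only traffic to the LAN uses the VPN
ip local pool VPN-POOL 10.100.201.10-10.100.201.100 mask 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.100.200.0 255.255.255.0
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool VPN-POOL
 default-group-policy GP-ANYCONNECT
webvpn
 enable outside
 anyconnect enable
! Exempt LAN <-> VPN pool traffic from PAT so VPN users reach the LAN by its private addresses
object network VPN-POOL-NET
 subnet 10.100.201.0 255.255.255.0
nat (inside,outside) source static LAN LAN destination static VPN-POOL-NET VPN-POOL-NET no-proxy-arp route-lookup
```

To send VPN users' internet traffic through the ASA instead (the second option in the answer), replace the split-tunnel policy with tunnelall and add a PAT rule for VPN-POOL-NET on the outside interface.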
09-21-2019 08:59 PM
Hi Giuseppe,
Yes, this is helpful, thanks for making me understand.