How to Route public traffic from Router to Firewall

astuppad
Level 1

Hi All,

I need help. I am trying to understand this concept: how do I send public traffic from the router to the firewall?

Below is my setup - AnyConnect and an access-list are configured on the ASA.

I have attached a diagram.

Internet -----> Router -----> Firewall ---- LAN ---- this is the current setup. How do I route public IP traffic from the router to the firewall?

2 Replies

Giuseppe Larosa
Hall of Fame

Hello astuppad,

you have not provided enough details in your initial post.

From a routing point of view, given the network topology:

Internet -----> Router -----> Firewall ---- LAN ---

>> this is current setup how do I router public IP traffic from router to firewall

Standard routing is based on the destination address, so you need to look at traffic and routing in the following way:

Let us suppose that the router-to-firewall subnet is a public IP subnet, 1.10.12.0/29, with the router using 10.10.12.1/29 and the firewall using 10.10.12.2/29.

Let us suppose that the LAN IP subnet is a private IP subnet per RFC 1918, like 10.100.200.0/24.

Let us suppose the Internet handoff is a public IP subnet like 1.160.25.0/29, with 1.160.25.1 being the provider router IP address.

So for traffic coming from the LAN to go to the internet:

a) routing

the firewall needs a default route, for example a default static route pointing to the router:

route outside 0.0.0.0 0.0.0.0 10.10.12.1

The router needs to have a default route pointing to the internet default gateway on the internet handoff, for example:

ip route 0.0.0.0 0.0.0.0 1.160.25.1

b) NAT

the private IP subnet cannot go to the internet and needs to be translated to a public IP address.

If the link between the router and the ASA uses a public IP subnet, as supposed above, the private IP addresses can be translated on the ASA (actually PAT), so that source addresses appear as 1.10.12.2 with TCP or UDP port translation (PAT).

For the opposite direction:

the ISP router must know of IP subnet 1.10.12.0/29 via a static route pointing to the router's Internet-facing interface, 1.160.25.2.

The router does not need a static route for the private IP subnet 10.100.200.0/24, because it sees all packets with a destination address of 10.10.12.2.

The ASA uses the NAT table to find out which private inside address the packet should be delivered to.

c) configured anyconnect in ASA and Access-list

So you are using a remote-access VPN solution on the ASA; the remote users can point to 1.10.12.3 on the ASA, which is used to terminate the VPN tunnel (SSL or IPsec).

The purpose of this AnyConnect setup should be to provide remote users with access to the LAN IP subnet 10.100.200.0/24.

Remote users can access the internet using a split-tunnel technique, that is, allowing them to go to the internet directly and to use the VPN tunnel only for packets with destination the internal LAN 10.100.200.0/24.

Another option is to have the remote users exit to the internet using the path ASA ---> router ---> Internet.

Again, this is decided by the ASA configuration.

Hope to help

Giuseppe
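The three pieces of the answer above (default routes, PAT on the ASA, and AnyConnect with either split tunnel or full tunnel) put together as one configuration. This is an added example, not part of the original thread or the poster's own config. It assumes the router-to-ASA link is 1.10.12.0/29 with .1 on the router and .2 on the ASA outside interface (the reply writes this link as both 1.10.12.x and 10.10.12.x), the ISP handoff 1.160.25.0/29 with the router at .2, the LAN 10.100.200.0/24 on the ASA inside interface, and an assumed VPN client pool 10.100.201.0/24; the VPN terminates on the ASA outside address rather than a separate 1.10.12.3. Interface, object, pool and group names are also assumptions. ASA 8.3+ NAT syntax.

```cisco
!=== Router (IOS) ===
interface GigabitEthernet0/0
 description Internet handoff (ISP router is 1.160.25.1)
 ip address 1.160.25.2 255.255.255.248
!
interface GigabitEthernet0/1
 description Link to ASA outside
 ip address 1.10.12.1 255.255.255.248
!
! Default route to the provider. 1.10.12.0/29 is directly connected, so
! return traffic toward the ASA needs no extra route here; the ISP must
! route 1.10.12.0/29 to 1.160.25.2 (configured on the provider side).
ip route 0.0.0.0 0.0.0.0 1.160.25.1

!=== ASA (8.3+ NAT syntax) ===
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.10.12.2 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.200.1 255.255.255.0
!
! a) Routing: default route toward the router
route outside 0.0.0.0 0.0.0.0 1.10.12.1
!
! b) NAT: LAN hosts leave as the ASA outside address with port translation (PAT)
object network LAN-10.100.200.0
 subnet 10.100.200.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! c) AnyConnect: assumed client pool (must not overlap the LAN)
ip local pool ANYCONNECT-POOL 10.100.201.10-10.100.201.100 mask 255.255.255.0
object network VPN-POOL
 subnet 10.100.201.0 255.255.255.0
! Identity (exempt) NAT between LAN and VPN clients, so tunnel traffic
! is not caught by the dynamic PAT above
nat (inside,outside) source static LAN-10.100.200.0 LAN-10.100.200.0 destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Split tunnel: only the LAN goes through the tunnel, everything else goes direct
access-list SPLIT-TUNNEL standard permit 10.100.200.0 255.255.255.0
!
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-GP
!
webvpn
 enable outside
 anyconnect enable
! (an "anyconnect image" line pointing at the client package is also
!  required under webvpn; the package path is omitted here)
!
! Alternative to split tunnel (the reply's second option): full tunnel, so
! clients reach the internet via ASA -> router. Set "split-tunnel-policy
! tunnelall" in the group policy instead and allow the hairpin on outside:
! same-security-traffic permit intra-interface
! object network VPN-POOL
!  nat (outside,outside) dynamic interface
```

With split tunnel the clients' general internet traffic never crosses the ASA, so it is not inspected or logged there; full tunnel costs bandwidth on the ISP link but keeps all client traffic behind the firewall's policy. To confirm the pieces on the ASA, check the default route with `show route`, the translations with `show nat` and `show xlate`, and connected clients with `show vpn-sessiondb anyconnect`.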

Hi Giuseppe,

Yes, this is helpful, thanks for making me understand.
