cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
554
Views
1
Helpful
5
Replies

Consultation on Internet Firewall Policy in SDWAN Network

In the sdwan network, in addition to allowing the edge and controller communication ports to establish tunnels on the Internet firewall, do you also need to allow the client ports on the user's LAN side, such as FTP client ports?

1 Accepted Solution

Accepted Solutions

mohspate
Cisco Employee
Cisco Employee

Hi, 

The previous post noted that the routers at SITE A and SITE B will create an SD-WAN IPsec tunnel automatically. In addition, the Cisco SD-WAN router must establish DTLS or TLS tunnels with SD-WAN controllers on designated ports specified in the following link this needs to be allowed on the firewall in front SITE A router.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/configure-security-param.html

If you need to manage traffic between two SD-WAN routers, you can activate ZBFW or enterprise firewall to regulate traffic that moves through the same VPN.

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-firewall-compliance-deploy-guide-2020sep.pdf

Br,

Mohseen

 

View solution in original post

5 Replies 5

Hi @haininghuang3185 

 It will depend on where to where the client is communicating and if there is a firewall in between. SDWAN router have built in firewall ZBFW but you need to configure it. By default they will not block the traffic. 

The following is the topology diagram. I want to know whether the Internet FW needs to pass through the address of the user client on the LAN side. Because I checked the information, the SDWAN is encrypted by IPsec. The SDWAN router at the other end is only decrypted, so it should be impossible for the Internet FW to decrypt the data packets, so is it only necessary to open the communication port between the Edge and the controller on the Internet FW?

haininghuang3185_0-1691061824505.png

 

 Yes, this firewall will see only encrypted packets. As per my knowledge, it is not necessary to open the communication on the Edge. The communication between application from Users should work without problem unless some Access List was applied. 

  There is a infinitude of possibilities but by default the cEdge should only route traffic based on layer3 information and the encrypted tunnel is only a secure path to build the control plane.  

 Once the tunnel is stablished,  you should be able to pass traffic over it not having to permit or deny if you dont want to. 

 As I mentioned before, cEdge comes with built-in firewall but you need to configure it previously. 

Hi,

1) Site A router TLOC interface should reach controllers => you should allow this traffic

2) Site A router  TLOC interface should reach Site B router TLOC interface => you should allow this traffic

3) Where do you configure NAT for SiteA users for internet access? If you do NAT on router and user uses router IP for internet => you should allow this traffic

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

mohspate
Cisco Employee
Cisco Employee

Hi, 

The previous post noted that the routers at SITE A and SITE B will create an SD-WAN IPsec tunnel automatically. In addition, the Cisco SD-WAN router must establish DTLS or TLS tunnels with SD-WAN controllers on designated ports specified in the following link this needs to be allowed on the firewall in front SITE A router.

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/configure-security-param.html

If you need to manage traffic between two SD-WAN routers, you can activate ZBFW or enterprise firewall to regulate traffic that moves through the same VPN.

https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-firewall-compliance-deploy-guide-2020sep.pdf

Br,

Mohseen

 

Review Cisco Networking for a $25 gift card