216 Views, 0 Helpful, 0 Replies

Firewall and SD-wan

mikhailov.ivan
Level 1

Hello comrades! Unfortunately I would like to raise the topic of NGFW-SD-WAN integration one more time, because the deeper I dig in, the more confused unga-banga it turns.
The original topic was https://community.cisco.com/t5/sd-wan-and-cloud-networking/sd-wan-design-firewall-integration/m-p/5229044#M9450 and thanks to everyone who helped! But I'm going to ask the same questions and will try to formulate them more clearly.

1) The goal is simple DstNAT, the same as everyone has in home/SOHO installations: I would like to have the web server 192.168.20.3 in VPN20 available from the internet. That's it. The public port on the FW is 8443, the private port on the server is 443.
How do I implement this with Cisco's SD-WAN?

My thoughts: there are 2 docs
https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2024/pdf/TACENT-2014.pdf
and
https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/221907-configure-route-leaking-for-service-chai.html

The first presentation suggests using "DIA via Route Leaking", but at the same time it suggests leaking routes from all VPNs into VPN0 (GRT), where we will have the internet access at the same time. Does anyone have a detailed config for this? Do I understand correctly that service VPNs (20, 30, etc.) won't have access to each other?
And anyway, the FW doesn't know anything about the addresses behind the Edge (192.168.x.x). How should I configure the DstNAT rule on the FW? DstNAT Public IP:443 to 192.168.20.3:8443, or Public IP to 10.254.1.2 (VPN 0 Edge interface)?

I suppose you already see that I got confused.
Again, I don't understand how the FW gets information about the addresses "behind" the Edge via a single link?
Or should I change the topology and use a VRF-lite link per VPN (I don't like this idea)?

2) Another aim is particular traffic between VPNs. For instance, from the web server 192.168.20.3 ----> DB server 192.168.30.3, and I would like to inspect this traffic with an AV/IPS. I want this traffic from VPN20 to reach the Edge, then some service chain rule should be applied and the traffic sent to the FW, inspected, and then reach VPN30, but over the same phy link. Again, the FW doesn't know anything about the service VPNs. Should I plug all VPNs directly into the FW in this case?

Terms: we can't use sub-interfaces (VLANs), only L3 (cloud platform limitation).

Schemas are attached, and it's the DIA case.

Thanks for your help in advance, I appreciate it!

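Added example for the DstNAT question above (not from the original post, and not Cisco SD-WAN configuration): a minimal Python model of a firewall that performs static destination NAT and then routes the translated packet. It reuses the addresses from the post (web server 192.168.20.3 in VPN20, Edge VPN0 interface 10.254.1.2, public port 8443, server port 443); the public IP and the client address are constructed placeholders. It illustrates one general dependency the post circles around: once the firewall translates the public socket to the real server address, the packet is only forwardable if the firewall has a route for the service-VPN prefix pointing at the Edge (the route the SD-WAN side would have to leak or advertise), and the reply must be reverse-translated from the same session entry.

```python
"""Toy DNAT + routing model (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass

# Constructed placeholders (RFC 5737 documentation ranges), not from the post.
PUBLIC_IP = "203.0.113.10"
CLIENT_IP = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Firewall:
    """Static DNAT table, longest-prefix-match routing table, session table."""

    def __init__(self):
        self.dnat = {}      # (public_ip, public_port, proto) -> (private_ip, private_port)
        self.routes = []    # (ip_network, next_hop)
        self.sessions = {}  # reverse-translation state for replies

    def add_dnat(self, public_ip, public_port, private_ip, private_port, proto="tcp"):
        self.dnat[(public_ip, public_port, proto)] = (private_ip, private_port)

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup_route(self, dst):
        """Return the next hop for dst, or None when no route matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]

    def inbound(self, pkt):
        """Translate an internet-facing packet; return (translated, next_hop).

        A packet with no DNAT entry is dropped (None, None). A translated
        packet with no route to the private address is also undeliverable,
        which is signalled by next_hop == None.
        """
        key = (pkt.dst, pkt.dport, pkt.proto)
        if key not in self.dnat:
            return None, None
        priv_ip, priv_port = self.dnat[key]
        translated = Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.proto)
        # Remember the public socket so the server's reply can be un-translated.
        self.sessions[(pkt.src, pkt.sport, priv_ip, priv_port, pkt.proto)] = (pkt.dst, pkt.dport)
        return translated, self.lookup_route(priv_ip)

    def outbound_reply(self, pkt):
        """Rewrite a server reply so the client sees the public socket again."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key not in self.sessions:
            return None
        pub_ip, pub_port = self.sessions[key]
        return Packet(pub_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)


def demo():
    """Walk the post's scenario: DNAT public:8443 -> 192.168.20.3:443."""
    fw = Firewall()
    fw.add_dnat(PUBLIC_IP, 8443, "192.168.20.3", 443)
    client_syn = Packet(CLIENT_IP, 50000, PUBLIC_IP, 8443)

    # Without a route for the service-VPN prefix the translated packet has nowhere to go.
    translated, nh_without_route = fw.inbound(client_syn)

    # With the VPN20 prefix reachable via the Edge's VPN0 interface, it forwards.
    fw.add_route("192.168.20.0/24", "10.254.1.2")
    translated, nh_with_route = fw.inbound(client_syn)

    # The server answers from 443; the firewall restores the public socket.
    reply = fw.outbound_reply(Packet("192.168.20.3", 443, CLIENT_IP, 50000))
    return translated, nh_without_route, nh_with_route, reply


if __name__ == "__main__":
    t, nh0, nh1, r = demo()
    print("translated:", t)
    print("next hop without leaked route:", nh0)
    print("next hop with leaked route:", nh1)
    print("reply as seen by client:", r)
```

The model deliberately says nothing about which Cisco feature supplies the route to the firewall (route leaking into VPN0, VRF-lite, or something else); it only makes visible that a DNAT to the real server address and a route for that address at the firewall go together, while a DNAT to the Edge's VPN0 address (10.254.1.2) would instead require a second translation on the Edge.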