
SD-WAN Viptella and Firewall

nwekechampion
Level 3

Hi All,

Just wanting to know if it is possible to deploy the vEdges with a firewall behind them?

Has anyone done this before ?

Are there any caveats or issues with this deployment type?

Basically looking to use a Palo behind the vEdges.

Appreciate some feedback.

1 Accepted Solution

Hi,

Firewall behind router, or router behind firewall?

If the firewall is behind the router, it works as normal - no caveats actually (just allow the respective user traffic flows on the firewall).
But if the router is behind the firewall, then you should allow the respective ports. Plus, if the router has a private IP in its configuration that is then mapped to a public IP (through NAT), then you should have either 1:1 NAT or at least one router with 1:1 NAT or a direct public IP.

If two site routers are both behind firewalls and they get their public IP through dynamic NAT/PAT, then IPsec and BFD don't come up between these sites.

See the Firewall Port Considerations and NAT sections of the CVD:

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#NAT
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#FirewallPortConsiderations
HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
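The NAT rule in the accepted answer (a tunnel between two sites fails only when both edges are behind dynamic NAT/PAT; at least one side needs 1:1 NAT or a real public IP) is easy to turn into a design check. The script below is an added example, not code from the thread or from Cisco: it infers each router's NAT category from a few observed outbound translations (private IP:port versus what the far side sees), then reports every site pair that cannot bring up IPsec/BFD under that rule. The site names, RFC 5737 addresses and translations are constructed; UDP 12346 is assumed here only as a sample tunnel port.

```python
# Added example (not from the thread): check which SD-WAN site pairs can form
# a data-plane tunnel when edges sit behind NAT firewalls, following the rule
# in the accepted answer. Site data and NAT category names are constructed.
from dataclasses import dataclass
from itertools import combinations

PUBLIC = "public"            # transport interface holds a public IP directly
STATIC_1TO1 = "static-1to1"  # firewall maps private->public 1:1, ports preserved
DYNAMIC_PAT = "dynamic-pat"  # firewall rewrites source ports / shares a public IP


@dataclass(frozen=True)
class Translation:
    """One observed outbound translation of a router's transport interface."""
    private_ip: str
    private_port: int
    public_ip: str
    public_port: int


def classify_nat(translations):
    """Infer the NAT category from the observed translations of one router.

    - address and port unchanged everywhere -> public
    - one fixed public IP and ports kept     -> static-1to1
    - anything else (port rewrite, IP pool)  -> dynamic-pat

    Several observations per router give a more reliable verdict: a single
    translation that happens to keep its port can look like 1:1 NAT.
    """
    if not translations:
        raise ValueError("need at least one observed translation")
    if all(t.private_ip == t.public_ip and t.private_port == t.public_port
           for t in translations):
        return PUBLIC
    public_ips = {t.public_ip for t in translations}
    ports_kept = all(t.private_port == t.public_port for t in translations)
    if len(public_ips) == 1 and ports_kept:
        return STATIC_1TO1
    return DYNAMIC_PAT


def tunnel_possible(nat_a, nat_b):
    """Accepted answer's rule: a pair fails only when BOTH ends are dynamic PAT."""
    return not (nat_a == DYNAMIC_PAT and nat_b == DYNAMIC_PAT)


def audit_sites(sites):
    """sites: {site_name: [Translation, ...]}.

    Returns (nat category per site, sorted list of site pairs whose
    IPsec/BFD session will not come up).
    """
    nat_by_site = {name: classify_nat(obs) for name, obs in sites.items()}
    failing = [
        (a, b)
        for a, b in combinations(sorted(nat_by_site), 2)
        if not tunnel_possible(nat_by_site[a], nat_by_site[b])
    ]
    return nat_by_site, failing


# Constructed sample: one hub with a public IP, one branch behind 1:1 NAT and
# two branches behind port-rewriting PAT. 12346 is an assumed tunnel port.
SITES = {
    "hub": [Translation("203.0.113.10", 12346, "203.0.113.10", 12346)],
    "branch-static": [
        Translation("10.1.0.2", 12346, "198.51.100.2", 12346),
        Translation("10.1.0.2", 12366, "198.51.100.2", 12366),
    ],
    "branch-pat-1": [
        Translation("10.2.0.2", 12346, "198.51.100.33", 40011),
        Translation("10.2.0.2", 12366, "198.51.100.33", 40012),
    ],
    "branch-pat-2": [Translation("10.3.0.2", 12346, "192.0.2.7", 51020)],
}

if __name__ == "__main__":
    nat, failing = audit_sites(SITES)
    for site, kind in nat.items():
        print(f"{site:14s} {kind}")
    for a, b in failing:
        print(f"NO TUNNEL: {a} <-> {b} (both behind dynamic NAT/PAT; "
              f"give one side 1:1 NAT or a public IP)")
```

Run it as-is and the only flagged pair is the two PAT branches; the hub and the 1:1 branch can reach everyone. To use it on a real deployment, replace the constructed translations with what you actually observe on the firewall's NAT table versus the router's configured transport address.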

3 Replies

Thanks for the docs as well. Will have a read.

nwekechampion
Level 3

Many thanks @Kanan Huseynli