1993 Views, 5 Helpful, 1 Reply

vEdge Router Behind Firewall

techno.it
Level 1

Hello. If I have a broadband circuit (dynamic IP) directly connected to a Firewall/FTD, can I have a vEdge-enabled router behind the firewall?

Secondly, on the other hand, I have a separate internet firewall. How can I route SaaS applications from the LAN segment to go via the SD-WAN vEdge router and send normal internet traffic via the internet firewall? Any suggestions?

1 Reply

HashamM
Cisco Employee

WAN Edge devices can be deployed behind NAT. The vBond controller performs the NAT traversal function, which identifies the private and public IP of the Edge device behind NAT and then shares that information with the Edge device itself and the other controllers. Here is more detail:

https://sdwan-docs.cisco.com/Product_Documentation/Getting_Started/System_Overview/Components_of_the_Viptela_SEN/01Components_of_the_Viptela_Solution#vBond_Orchestrator

 

For the second question, you would have to know the SaaS application prefixes to statically route them to the Edge device for Cloud onRamp. However, typically, you would have this topology: LAN -> Edge -> FW. All your internet traffic can use the Edge's internet transport, i.e., the one connected to the FW. The Edge device performs DPI to identify the SaaS application and then monitors the service with the Cloud onRamp feature. The normal internet traffic will use the same transport to the FW. See details here:

https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.3/Network_Optimization/Using_Cloud_OnRamp_for_SaaS
