Cloud Lab-53: vCloud Director Organizations- “Basic Firewall Configuration for Static Routing Use Case-1”

In the previous post, we temporarily changed our firewall default action from “deny” to “allow” to test communication between the vApps and the organization network, and then configured static routing between two vApps in the same organization. It’s time to go a little deeper and turn the firewall back on for both of our vApps and the organization routed network; in other words, set the firewalls back to their default state.

LAB-53 TASKS 

In this Lab, we will perform the following tasks:

  1. Set the vApps Firewall status into default.
    • Change the “vApp8” Firewall settings
    • Change the “vApp2” Firewall settings
    • Change the “Org Routed Network” Firewall settings
  2. Configure vApp Firewall Rules
    • Allow ICMP Traffic (from vApp8->vApp2)
    • Allow ICMP Traffic (from vApp2->vApp8)

1-Set the vApps firewall status into default

Use the procedure below to set the vApp and Organization routed network firewall status back to default (deny).

1-Change the vApp8 Firewall settings

Go to your “vApp8” Firewall settings, make sure the “Enable firewall” checkbox is checked and the default action is set to “deny”, as shown below.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall01

2-Change the vApp2 Firewall settings

Similarly, go to your “vApp2” Firewall settings, make sure the “Enable firewall” checkbox is checked and the default action is set to “deny”, as shown below.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall02

3-Change the Org Routed Network Firewall settings

Similarly, go to your Organization Routed Network Firewall (SkyNet-Dev-edge) settings, make sure the “Enable firewall” checkbox is checked and the default action is set to “deny”, as shown below.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall03

2-Configure vApp Firewall Rules.

As you know, the firewall is now enabled on both vApps as well as on the organization routed network, so only explicitly allowed traffic will pass. For the sake of demonstration, I am going to allow only ping (ICMP) traffic on both vApp firewalls and on the Organization Routed network firewall. This lets us test connectivity between the vApps and shows how rules are evaluated at both the vApp and the Organization routed network level. Later on you can add other rules to allow different kinds of traffic. OK, let’s get started.

1-Allow ICMP Traffic (from vApp8->vApp2)

Step 1: SkyNet Organization Routed Network Rules

Go to the “SkyNet Organization Routed Network Firewall” (SkyNet-Dev-Edge) settings and add the following firewall rule.

From Source “192.168.42.5” (External IP of vApp8-VM1) to Destination “192.168.15.0/24” (vApp2 Network Range) -> choose Protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> Click “OK”

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall04

Verify the added rule; it should look as shown below. Click “OK”.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall05

Step 2: vApp2 Network Rules

Go to the “vApp2 Firewall” and add the following firewall rule.

From Source “192.168.42.5” (External IP of vApp8-VM1) to Destination “192.168.15.0/24” (vApp2 Network Range) -> choose Protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> Click “OK”

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall06

Your “vApp2” Firewall settings should look as shown below. Review them and click “OK”.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall07

Make sure you click the “Apply” button to commit the “vApp2” Firewall rules.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall08

2-Allow ICMP Traffic (from vApp2->vApp8)

Step 1: SkyNet Organization Routed Network Rules

Go to the “SkyNet Organization Routed Network Firewall” (SkyNet-Dev-Edge) settings and add the following rule.

From Source “192.168.42.3” (External IP of vApp2-Web1) to Destination “192.168.16.0/24” (vApp8 Network Range) -> choose Protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> Click “OK”

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall09

Your “Org Firewall” rule should look as shown below. Review it and click “OK”.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall10

Step 2: vApp8 Network Rules

Go to the “vApp8 Firewall” and add the following firewall rule.

From Source “192.168.42.3” (External IP of vApp2-VM1) to Destination “192.168.16.0/24” (vApp8 Network Range) -> choose Protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> Click “OK”

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall11

Your “vApp8” Firewall settings should look as shown below. Review them and click “OK”.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall12

Make sure you click the “Apply” button to commit the “vApp8” Firewall rules.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall08

Now test the ICMP communication between your vApps. You should be able to ping in both directions.

Important TIP:

It is very important to always check the “Retain IP/MAC” checkbox on your “vApp Network”, as shown below.

cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall13

This is because, by default, if you shut down your vApp, its external IP addresses are released, and the next time you power on the vApp you may get a different IP address. That would break the routing and firewall rules above, which reference the external IP, and may lead to vApp communication problems. It happened to me once in this lab.
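To make the two-hop evaluation concrete, here is an added example (not from the original post or from vCloud Director) that models the rules configured above with the lab's own addresses: a packet from one vApp's external IP crosses the Org edge (SkyNet-Dev-Edge) and then the destination vApp's firewall, each with default action "deny", and every hop must allow it. It assumes stateless first-match rule evaluation and a constructed replacement address 192.168.42.7 to show why the “Retain IP/MAC” tip matters.

```python
# Added example (not the post's or vCloud Director's code): a small model of the
# two firewall hops an ICMP packet crosses in this lab (Org edge, then the
# destination vApp firewall). Assumes stateless first-match evaluation and a
# default action of "deny"; stateful return-traffic handling is not modeled.
import ipaddress

def rule(src, dst, proto, action="allow"):
    """One firewall rule: src is a host or CIDR, dst is a CIDR, proto a name."""
    return {"src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": proto, "action": action}

def evaluate(rules, src, dst, proto, default="deny"):
    """First matching rule wins; otherwise the firewall's default action applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r["src"] and d in r["dst"] and r["proto"] == proto:
            return r["action"]
    return default

# Rules exactly as added in the post (default action "deny" on every firewall).
ORG_EDGE = [rule("192.168.42.5", "192.168.15.0/24", "ICMP"),   # vApp8 -> vApp2
            rule("192.168.42.3", "192.168.16.0/24", "ICMP")]   # vApp2 -> vApp8
VAPP2_FW = [rule("192.168.42.5", "192.168.15.0/24", "ICMP")]
VAPP8_FW = [rule("192.168.42.3", "192.168.16.0/24", "ICMP")]

# Which vApp firewall fronts which internal network (from the post).
VAPP_FW_FOR = {ipaddress.ip_network("192.168.15.0/24"): VAPP2_FW,
               ipaddress.ip_network("192.168.16.0/24"): VAPP8_FW}

def path_allows(ext_src, dst, proto):
    """Packet leaves the source vApp already NATed to its external IP, crosses
    the Org edge, then the destination vApp firewall. Every hop must allow it."""
    d = ipaddress.ip_address(dst)
    dst_fw = next((fw for net, fw in VAPP_FW_FOR.items() if d in net), None)
    if dst_fw is None:          # unknown destination network: nothing to deliver to
        return False
    return all(evaluate(fw, ext_src, dst, proto) == "allow" for fw in (ORG_EDGE, dst_fw))

if __name__ == "__main__":
    print(path_allows("192.168.42.5", "192.168.15.10", "ICMP"))  # vApp8 -> vApp2 ping
    print(path_allows("192.168.42.3", "192.168.16.10", "ICMP"))  # vApp2 -> vApp8 ping
    print(path_allows("192.168.42.5", "192.168.15.10", "TCP"))   # only ICMP is allowed
    # The "Important TIP": without Retain IP/MAC the vApp's external IP may change
    # on power-on; a new address such as 192.168.42.7 (constructed) matches no rule.
    print(path_allows("192.168.42.7", "192.168.15.10", "ICMP"))
```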
