Cloud Lab-55: vCloud Director Organizations- “Basic Firewall Configuration for Static Routing Use Case-2”

In the previous post, we temporarily changed the firewall default action from “deny” to “allow” to test the communication between the vApps and the Organization routed networks, and we configured static routing between the two vApps in different organizations. It’s time to go a little deeper and turn the firewalls back on, on both vApps and both Organization routed networks; in other words, set the firewalls back to their default state.

LAB-55 TASKS 

In this Lab, we will perform the following tasks:

  1. Set the vApps & Org Firewall status back to default.
    • Change the “vApp8” Firewall settings
    • Change the “vApp9” Firewall settings
    • Change the “SkyNet Org Routed Network” Firewall settings
    • Change the “HITech Org Routed Network” Firewall settings
  2. Configure vApp Firewall Rules
    • Allow ICMP Traffic (from vApp9->vApp8)
    • Allow ICMP Traffic (from vApp8->vApp9)

1-Set the vApps & Org firewall status back to default

Use the procedure below to set the vApp and Organization routed network firewalls back to their default state (default action “deny”).

1-Change the vApp8 Firewall settings

Go to your “vApp8” Firewall settings and make sure the “Enable firewall” checkbox is checked and the default action is set to “deny”, as shown below.

[Screenshot: cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall01]

2-Change the vApp9 Firewall settings

Similarly, go to your “vApp9” Firewall settings and make sure the “Enable firewall” checkbox is checked and the default action is set to “deny”, as shown below.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall01]

3-Change the SkyNet Org Routed Network Firewall settings

Similarly, go to your SkyNet Organization Routed Network Firewall (SkyNet-Dev-Edge) settings and make sure the “Enable firewall” checkbox is checked and the default action is set to “deny”, as shown below.

[Screenshot: cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall03]

4-Change the HITech Org Routed Network Firewall settings

Similarly, go to your HITech Organization Routed Network Firewall (HITech-Prod-Edge) settings and make sure the “Enable firewall” checkbox is checked and the default action is set to “deny”, as shown below.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall02]

2-Configure vApp Firewall Rules.

As you know, the firewall is now enabled on both vApps as well as on both Organization routed networks. Let’s configure them to allow only specific traffic. For the sake of demonstration, I am going to allow ping (ICMP) traffic on both vApp firewalls and on both Organization routed network firewalls. This lets us test the connectivity between vApps in different organizations, and it also shows the firewall behaviour at both the vApp and the Organization routed network level. Later on you can add other rules to allow different kinds of traffic. OK, let’s get started.

1-Allow ICMP Traffic (from vApp9->vApp8)

Step 1: HITech Organization Routed Network Rules

Go to the “HITech Organization Routed Network Firewall” (HITech-Prod-Edge) settings and add the following rule.

From source “192.168.63.3” (external IP of vApp9-VM1) to destination “192.168.16.0/24” (vApp8 network range) -> choose protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall03]

Verify the added rule; it should look as shown below. Click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall04]

Step 2: SkyNet Organization Routed Network Rules

Go to the “SkyNet Organization Routed Network Firewall” (SkyNet-Dev-Edge) settings and add the following rule.

From source “192.168.63.3” (external IP of vApp9-VM1) to destination “192.168.16.0/24” (vApp8 network range) -> choose protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall06]

Verify the added rule; it should look as shown below. Click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall05]

Step 3: vApp8 Network Rules

Go to the “vApp8 Firewall” and add the following firewall rule.

From source “192.168.63.3” (external IP of vApp9-VM1) to destination “192.168.16.0/24” (vApp8 network range) -> choose protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall06]

Verify the added rule; it should look as shown below. Click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall07]

Make sure you click the “Apply” button to commit the “vApp8” firewall rules.

[Screenshot: cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall08]

2-Allow ICMP Traffic (from vApp8->vApp9)

Step 1: HITech Organization Routed Network Rules

In the first step, go to the “HITech Organization Routed Network Firewall” (HITech-Prod-Edge) settings and add the following rule.

From source “192.168.42.5” (external IP of vApp8-VM1) to destination “192.168.21.0/24” (vApp9 network range) -> choose protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall08]

Verify the added rule; it should look as shown below. Click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall09]

Step 2: SkyNet Organization Routed Network Rules

Go to the “SkyNet Organization Routed Network Firewall” (SkyNet-Dev-Edge) settings and add the following rule.

From source “192.168.42.5” (external IP of vApp8-VM1) to destination “192.168.21.0/24” (vApp9 network range) -> choose protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall11]

Verify the added rule; it should look as shown below. Click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall10]

Step 3: vApp9 Network Rules

Go to the “vApp9 Firewall” and add the following firewall rule.

From source “192.168.42.5” (external IP of vApp8-VM1) to destination “192.168.21.0/24” (vApp9 network range) -> choose protocol “ICMP” -> make sure the “Enabled” checkbox in the left corner is checked -> click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall08]

Verify the added rule; it should look as shown below. Click “OK”.

[Screenshot: cloudlab55-vCloudOrganization-Staticroutingbatweendifforgfirewall12]

Make sure you click the “Apply” button to commit the “vApp9” firewall rules.

[Screenshot: cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall08]

Important TIP:

It is very important to always check the “Retain IP/MAC” checkbox on your vApp network, as shown below.

[Screenshot: cloudlab53-vCloudOrganization-Staticroutingbatweensameorgfirewall13]

This is because, by default, if you shut down your vApp, its external IP addresses are released, and the next time you power on the vApp you may get a different IP address. That will affect your routing and firewall rules and may lead to vApp communication problems. It happened to me once in this lab.
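To make the effect of the rules above (and of the IP retention tip) checkable without clicking through the UI, here is an added example that is not part of the original post and not vCloud Director code: a small Python model of the firewall chain a packet crosses, with “Enable firewall”, a default action of “deny”, and first-match allow rules, loaded with the four ICMP rules from this lab. The firewall and VM addresses are the ones used in the post; the host addresses inside the vApp ranges, the “new external IP after a power cycle” case, and the assumption that a packet only crosses the firewalls the lab adds rules to (source org edge, then destination org edge, then the destination vApp firewall) are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "ICMP", "TCP" or "UDP"


@dataclass(frozen=True)
class Rule:
    src: str              # single IP or CIDR, as typed into the rule dialog
    dst: str
    proto: str            # "ICMP", "TCP", "UDP" or "ANY"
    action: str = "allow"
    enabled: bool = True  # the "Enabled" checkbox on the rule

    def matches(self, pkt: Packet) -> bool:
        # A bare IP such as "192.168.63.3" becomes a /32 network.
        return (self.enabled
                and self.proto in ("ANY", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src, strict=False)
                and ip_address(pkt.dst) in ip_network(self.dst, strict=False))


@dataclass
class Firewall:
    name: str
    enabled: bool = True          # "Enable firewall" checkbox
    default_action: str = "deny"  # default action once the rules are exhausted
    rules: List[Rule] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        if not self.enabled:
            return "allow"        # firewall switched off: nothing is filtered
        for rule in self.rules:   # first matching rule wins
            if rule.matches(pkt):
                return rule.action
        return self.default_action


def trace(path: List[Firewall], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Walk the packet through each firewall on the path in order.

    Returns ("allow", None) if every firewall lets it through, otherwise
    ("deny", <name of the first firewall that dropped it>).
    """
    for fw in path:
        if fw.decide(pkt) == "deny":
            return "deny", fw.name
    return "allow", None


# The rules from the lab: sources are the VMs' external IPs, destinations the vApp ranges.
ICMP_VAPP9_TO_VAPP8 = Rule("192.168.63.3", "192.168.16.0/24", "ICMP")
ICMP_VAPP8_TO_VAPP9 = Rule("192.168.42.5", "192.168.21.0/24", "ICMP")

HITECH_EDGE = Firewall("HITech-Prod-Edge", rules=[ICMP_VAPP9_TO_VAPP8, ICMP_VAPP8_TO_VAPP9])
SKYNET_EDGE = Firewall("SkyNet-Dev-Edge", rules=[ICMP_VAPP9_TO_VAPP8, ICMP_VAPP8_TO_VAPP9])
VAPP8_FW = Firewall("vApp8", rules=[ICMP_VAPP9_TO_VAPP8])
VAPP9_FW = Firewall("vApp9", rules=[ICMP_VAPP8_TO_VAPP9])

# Assumption: a packet crosses only the firewalls the lab adds rules to,
# in the order source org edge -> destination org edge -> destination vApp.
PATH_VAPP9_TO_VAPP8 = [HITECH_EDGE, SKYNET_EDGE, VAPP8_FW]
PATH_VAPP8_TO_VAPP9 = [SKYNET_EDGE, HITECH_EDGE, VAPP9_FW]

# Constructed sample packets; the host addresses inside the vApp ranges are made up.
SAMPLES = {
    "icmp vApp9->vApp8": (PATH_VAPP9_TO_VAPP8, Packet("192.168.63.3", "192.168.16.10", "ICMP")),
    "tcp  vApp9->vApp8": (PATH_VAPP9_TO_VAPP8, Packet("192.168.63.3", "192.168.16.10", "TCP")),
    # the same VM after a power cycle handed it a new external IP (the tip above)
    "icmp vApp9->vApp8, new src IP": (PATH_VAPP9_TO_VAPP8, Packet("192.168.63.9", "192.168.16.10", "ICMP")),
    "icmp vApp8->vApp9": (PATH_VAPP8_TO_VAPP9, Packet("192.168.42.5", "192.168.21.10", "ICMP")),
}


def evaluate_samples() -> dict:
    """Verdict per sample, so the rule set can be checked before it is typed into the UI."""
    return {label: trace(path, pkt) for label, (path, pkt) in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in evaluate_samples().items():
        print(f"{label:32} -> {verdict}")
```

Running it shows the two ICMP flows passing all three firewalls, while TCP from the same source is dropped at the first edge, and ICMP from the “new” external IP is dropped too: with a default action of “deny”, every layer needs a matching rule, and a rule keyed on a VM’s external IP stops matching the moment that IP changes, which is exactly why the retain IP/MAC setting matters.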
