Cloud Lab-58: vCloud Director Organizations- “DNAT Use Case – Allow SSH Access from External Network to vApps” (Part 2)

This is part 2 of my post on the DNAT use case: allowing SSH access from an external network to vApps. Let's see what we will cover in part 2.

LAB-58 TASKS (Part 2)

In this lab, we will perform the following tasks:

  1. DNAT Use Case Scenario
  2. Architecture diagram for DNAT Use Case Scenario
  3. Firewall Rule for SSH on “SkyNet Org Network” 
  4. Firewall Rule for SSH on “vApp Network” 
  5. Test SSH Access for “vApp5-Web1”

1-DNAT Use Case Scenario

DNAT rules are applied on the “external interface” of the edge and are used for NAT translation. In this use case, I am going to add a rule that forwards traffic arriving on the “public IP” for “TCP port 22 (SSH)” of “vApp5-Web1” and “TCP port 1010 (SSH)” of “vApp5-Web2” to the “private IP” addresses of the Red Hat Linux servers installed on my vApps. If that is not clear, look at the scenario diagram, which is pretty self-explanatory.

2-Architecture diagram for DNAT Use Case Scenario


3-Firewall Rule for SSH on “SkyNet Org Network” 

By default, the firewall action on your Organization vDC routed network is “deny”. We have to add a firewall rule to allow “SSH traffic” to the “vApp5-Web1” VM.

To do this, go to “SkyNet-Prod-Edge2” -> Firewall tab -> click “Add”.


In the firewall rule, enter Source IP “10.0.150.150” (Mgmt Client external IP) and choose Source Port “any”. For Destination, choose “10.0.150.249” (external VSE sub-allocation IP) and Destination Port “22” -> click “OK”.

Make sure the “Enabled” check box is checked.


Verify the firewall rule you added -> click “OK”.


Wait for the VSE to apply the above settings.


Now everything is configured, as you can see from the green check mark in the VSE status.


4-Firewall Rule for SSH on “vApp Network” 

Now allow SSH traffic into the “vApp5” VM. To do this, go to your vApp's “Networking” tab.


Right-click your vApp network “vApp5-Network-Routed” -> click “Configure Services”.


You can see the mapping between the VM “Internal” and “External IP” addresses in the “NAT” tab, as shown in the screenshot.


In the “vApp Firewall” tab there is one rule by default, which allows all outgoing traffic from vApp5. In our case, however, the traffic is incoming towards the “vApp5” VM.

To add a firewall rule -> click “Add”.


Type a descriptive name and choose Source IP “10.0.150.150” (Mgmt PC/client external IP). For Destination, click the “VM icon” as highlighted.


In the pop-up window, choose the “NAT-IP” option and select the “vApp5-Web1” VM and its associated NIC. In my case, I have only one Ethernet adapter on all of my vApp5 VMs, so the option is “NIC0”, which is the default -> click “OK”.


Verify your rule and make sure the destination port is “TCP 22” and the action is “allow” -> click “OK”.


Now check your newly added rule -> click “OK”.


As you can see, the colour of your vApp network changed to yellow -> click “Apply” to commit the firewall changes we have made.


After “Apply”, your vApp network goes back to the normal state, as shown in the screenshot.


5-Test SSH Access for “vApp5-Web1”

Now test your SSH connectivity from your client PC on the external network. Open PuTTY, enter the IP “10.0.150.249” (vApp5 VSE mapped IP), enter SSH port “22” and select the “SSH” option -> click “Open”.


If everything went fine, you will be prompted for the “vApp5-Web1” credentials. Enter the credentials. After logging in to the VM, run “ifconfig” to verify the VM IP address.

If you look at the highlighted settings: we SSH from “10.0.150.150” (Mgmt client/PC) and connect to “10.0.150.249” (VSE sub-allocation IP pool external IP).

“10.0.150.249” is translated by the DNAT rule into the “vApp5-Web1” external IP “192.168.33.4”.


Now we have successfully configured a DNAT rule to allow SSH access from the external network to our “vApp5-Web1” VM. In the next post, I will show you how to configure DNAT to allow SSH access to my second vApp VM, “vApp5-Web2”.
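To make the two-layer policy explicit, here is an added Python sketch (mine, not the post's and not vCloud Director code) that traces an inbound SSH flow through the org edge firewall, the edge DNAT rule and the vApp firewall using the addresses and ports from this lab; it also shows that the same client's SSH to port 1010 for vApp5-Web2 stays denied until that rule is added in the next part. Rule matching is simplified to exact IP/port or “any”, and the VM's internal IP behind the vApp NAT is left out because the post does not show it.

```python
"""Trace an inbound TCP flow through the two policy layers of this lab: the org vDC
edge (SkyNet-Prod-Edge2: firewall, then DNAT) and the vApp network (firewall
matching on the VM's NAT-IP). Added illustration, not vCloud Director code."""
from dataclasses import dataclass
ANY = "any"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Rule:
    src_ip: str            # exact IP or "any"
    dst_ip: str            # exact IP or "any"
    dst_port: object       # int or "any"
    action: str            # "allow" or "deny"
    enabled: bool = True   # the "Enabled" check box in the lab

    def matches(self, f: Flow) -> bool:
        return (self.enabled and self.src_ip in (ANY, f.src_ip)
                and self.dst_ip in (ANY, f.dst_ip) and self.dst_port in (ANY, f.dst_port))

def evaluate(rules, flow, default):
    """First matching enabled rule wins; otherwise the layer's default action."""
    return next((r.action for r in rules if r.matches(flow)), default)

# Addresses and ports exactly as given in the post
MGMT_CLIENT = "10.0.150.150"        # management client on the external network
EDGE_SUBALLOC_IP = "10.0.150.249"   # VSE sub-allocation (public) IP
WEB1_NAT_IP = "192.168.33.4"        # vApp5-Web1 external (NAT) IP on the org network
EDGE_FW = [Rule(MGMT_CLIENT, EDGE_SUBALLOC_IP, 22, "allow")]
EDGE_DNAT = {(EDGE_SUBALLOC_IP, 22): (WEB1_NAT_IP, 22)}  # public ip:port -> NAT-IP:port
VAPP_FW = [Rule(MGMT_CLIENT, WEB1_NAT_IP, 22, "allow")]  # destination picked as "NAT-IP"

def trace(flow, edge_fw=EDGE_FW, dnat=EDGE_DNAT, vapp_fw=VAPP_FW):
    """Return (verdict, path) for a flow arriving from the external network."""
    path = []
    if evaluate(edge_fw, flow, "deny") != "allow":   # org network default is deny
        return "deny", path + ["edge-firewall:deny"]
    path.append("edge-firewall:allow")
    target = dnat.get((flow.dst_ip, flow.dst_port))
    if target is None:                               # nothing to forward the flow to
        return "deny", path + ["edge-dnat:no-translation"]
    inner = Flow(flow.src_ip, *target)
    path.append(f"edge-dnat:{flow.dst_ip}:{flow.dst_port}->{inner.dst_ip}:{inner.dst_port}")
    if evaluate(vapp_fw, inner, "deny") != "allow":  # vApp default allows outgoing only
        return "deny", path + ["vapp-firewall:deny"]
    return "allow", path + ["vapp-firewall:allow"]
```

Passing `vapp_fw=[]` or a disabled edge rule reproduces the two ways the lab's SSH test would fail: the flow is translated but dropped at the vApp network, or never reaches the DNAT step at all.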
