Cloud Lab-58: vCloud Director Organizations- “DNAT Use Case – Allow SSH Access from External Network to vApps” (Part 2)

This is part 2 of my post regarding DNAT Use Case – Allow SSH Access from External Network to vApps. lets see what we will cover in “part 2” .

LAB-58 TASKS (Part 2)

In this Lab, we will perform following tasks

  1. DNAT Use Case Scenario
  2. Architecture diagram for DNAT Use Case Scenario
  3. Firewall Rule for SSH on “SkyNet Org Network” 
  4. Firewall Rule for SSH on “vApp Network” 
  5. Test SSH Access for “vApp5-Web1”

1-DNAT Use Case Scenario

DNAT rules are applied on the “external interface” and you are use it for the NAT translation. In this Use Case, I am going to add a rule that forwards traffic destined for “TCP port 22 (SSH)” of “vApp5-Web1” and “TCP Port 1010 (SSH)” of “vApp5-Web2” on the “public IP at port 22″ into the “private IP” address of the Redhat Linux Server which are installed on my vApps. if you dont understand, what i am saying. please look into the Scenario diagram which is pretty self explanatory.

2-Architecture diagram for DNAT Use Case Scenario


3-Firewall Rule for SSH on “SkyNet Org Network” 

By default Firewall Action is “deny” on your Organization “vDC Routed Network . We have to add a firewall rule to allow the “SSH traffic” for “vApp5-Web1” VM. 

To do this go to “SkyNet-Prod-Edge2″  Firewall Tab-> Click “Add”


In Firewall rule , enter Source IP “” (Mgmt Client External IP) -> Choose Source Port “any”.In Destination Choose “” (External VSE Sub-Allocation IP)  and Destination port “22” ->Click “OK”

Make Sure “Enabled” check Box is checked.


Verify your added Firewall Rule -> Click “OK”


Wait for VSE to Configured the above settings


Now everything is configured and fine as you can see “Green Check box” in VSE status.


4-Firewall Rule for SSH on “vApp Network” 

Now Allow SSH traffic into the “vApp5” VM. To do this go to your vApp “Networking” Tab.


Right Click on your vApp Network “vApp5-Network-Routed” -> Click “Configure Services”


You can see the vApp “VM Internal” and “External IP” address mapping in “NAT” tab as shown below.


In “vApp Firewall” Tab. there is one rule available by default which “allow all outgoing” traffic from vApp5. but in our case “traffic in coming” towards “vApp5 VM”.

To Add a Firewall Rule -> Click “Add”


Type a “Descriptive name” and choose the Source  IP “” (Mgmt PC/Client External IP) in Destination Click on the “VM Icon” as highlighted.


In Popup windows ->choose option “NAT-IP” and Select “vApp5-Web1” VM and his ‘Associated NIC”. In my case, I have only one Ethernet on all of my “vApp5 VM’s” so my option would be “NIC0” which was default-> Click “OK”.


Verify you rules and make sure destination port is “TCP 22” and action would be “allow” -> Click “OK”


Now check your newly added rule -> Click “OK”


As you can your vApp Network “Color changed” into yellow-> Click “Apply” to commit the changed which we have made in firewall.


After “Apply”. Your vApp Network went back to normal state as shown below.


4-Test SSH Access for “vApp5-Web1” 

Now Test you’re SSH Connectivity from you Client PC which are in External network. Open the Putty Enter the IP “”  (vApp5 VSE Mapped IP)-> Enter SSH Port “22” and Select option “SSH” -> Click “Open”


If everything went fine than you will prompted for “vApp5-Web1” credentials. Enter the credentials. After login to the VM run “ifconfig” to verify VM IP address.

If you note the highlighted settings. We SSH from “″ (Mgmt Client/PC) and Connected on “″ (VSE Sub-Allocation IP Pool External IP).

“” is translated using DNAT rule into “vApp5-Web1” External IP “”


Now we have successfully configured DNAT rule to allow SSH Access from External Network to our “vApp5-web1” VM. In next post, i will show you how to configure DNAT to Allow SSH Access for my Second vApp VM “vApp5-web2”.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s