Cloud Lab-58: vCloud Director Organizations- “DNAT Use Case – Allow SSH Access from External Network to vApps” (Part 3)

This is part 3 of my post regarding DNAT Use Case,  Allow SSH Access from External Network to vApps. in previous two posts, i have configured DNAT rule to allow SSH Access for my “vApp5-Web1” VM. In today’s post, i will going to show you how to configure DNAT to Allow SSH on my second vApp VM “vApp5-Web2”

LAB-58 TASKS (Part 3)

In this Lab, we will perform following tasks

  1. DNAT Use Case Scenario
  2. Architecture diagram for DNAT Use Case Scenario
  3. Create DNAT Rule For “vApp5-Web2”
  4. Firewall Rule for SSH on “SkyNet Org Network” 
  5. Firewall Rule for SSH on “vApp Network” 
  6. Test SSH Access for “vApp5-Web2”

1-DNAT Use Case Scenario

DNAT rules are applied on the “external interface” and you are use it for the NAT translation. In this Use Case, I am going to add a rule that forwards traffic destined for “TCP port 22 (SSH)” of “vApp5-Web1” and “TCP Port 1010 (SSH)” of “vApp5-Web2” on the “public IP at port 22″ into the “private IP” address of the Redhat Linux Server which are installed on my vApps. if you dont understand, what i am saying. please look into the Scenario diagram which is pretty self explanatory.

2-Architecture diagram for DNAT Use Case Scenario


3-Create DNAT Rule For “vApp5-Web2”

Before start creating DNAT rule. you should know the “vApp5-Web2” Internal and External IP. which you can find in below screen show.

In My Case it is (Internal) & (External)


To create a NAT Rule -> Go to You VSE and Right Click on “SkyNet-Prod-Edge2”-> Choose “Edge Gateway Service”


In NAT Tab -> Choose “Add DNAT”


In Source IP, choose the Same VSE External IP “” but in “Originating Port” this time enter different port for SSH, in my case it is “1010” and Internal IP “” (vApp5-Web2) External IP address. Click “OK”


NOTE: if you choose same “External IP Address” for both of your “vApp5 VM’s” traffic then you have to change your “Source or destination” Port Addresses in order to make something different which let the Firewall to know where traffic will be send according to the origin. If you want you source and destination port will be the same then choose “different External” (Originating) IP.

Verify your Newly Added DNAT rule in Nat tab of VSE -> Click “OK”


4-Firewall Rule for SSH on “SkyNet Org Network” 

Add a “Firewall” Rule. This time choose destination port “1010” for “” IP -> Click “OK”


Verify your added Rule. Click “OK”


5-Firewall Rule for SSH on “vApp Network” 

Go to “vApp5” Firewall and add firewall rule this time choose “vApp2-Web2 NAT IP” as destination-> Click “OK”


Verify your Added firewall rule. Click “OK”


6-Test SSH Access for “vApp5-Web2”

Open the “Putty” Client -> Enter IP “” and Choose SSH option enter Port “1010” -> Click “Open”


If you configuration works then your will prompted for VM Credentials. Enter the credentials. To verify we logged on into the correct vApp VM. Run “ifconfig” shell cmd to check his IP address as shown below.



Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s