Cloud Lab-60: vCloud Director Organizations - “SNAT/DNAT Use Case – HTTP Access From External to vApp VMs”

In previous posts, I configured DNAT and SNAT individually and discussed their use cases. In this post, I am going to show how to use both DNAT and SNAT in one use case: publishing the web server VM so that it can be accessed from the external network. To achieve this, we have to configure both types of NAT rules (SNAT/DNAT).

LAB-60 TASKS 

In this lab, we will perform the following tasks:

  1. DNAT/SNAT Use Case Scenario
  2. Architecture diagram for SNAT/DNAT Use Case Scenario
  3. Test Access before Configuration 
  4. Configure WebServer (http) Access
    • Add SNAT Rule on “SkyNet Org Network”
    • Create DNAT Rule on “SkyNet Org Network”
  5. Firewall Configuration on “SkyNet Org Network”
  6. Firewall Configuration on “vApp Network”
  7. Test the Web Server Access

1-DNAT/SNAT Use Case Scenario

In this scenario, I am using “10.0.150.248” as the “external IP address” for the “web server”; it is mapped to the organization internal network where the web server is hosted. In this use case, I am trying to access the web server from my mgmt. server, which is connected to the external network.

2-Architecture diagram for DNAT/SNAT Use Case Scenario

[Figure: architecture diagram for the SNAT/DNAT use case]

3-Test Access Before Configuration

To test web server connectivity before configuration, you may use the following methods:

Test-1: Open the command prompt and telnet to “10.0.150.248” on “port 80”. I did not get any response, which was correct.


Test-2: I have already created a static test page on the Apache web server to test web server connectivity. Open the browser and point it to your web server URL through its external IP. The result is a connection timeout error, which means there is no response from the web server.


4-Configure WebServer (http) Access

To configure web server access, first go to your organization VSE firewall -> Right Click on VSE firewall “SkyNet-Prod-Edge2” -> Choose “Properties”


Step 1: Add SNAT Rule on “SkyNet Org Network”

In the NAT tab -> Choose “Add SNAT”


Choose an “external network” and define your “internal and external sources”. In my case, I chose my organization network IP range (10.0.33.0/24), where my web server resides, as the source. It will then be translated into “10.0.150.248” (VSE sub-allocation pool IP) as the destination -> Click “OK”


Verify your SNAT Rule -> Click “OK”


Step 2: Create DNAT Rule on “SkyNet Org Network”

Next, create a DNAT rule. It will translate our web server's external IP into the web server VM's internal IP on port 80 -> Click “OK”


Verify your DNAT Rule -> Click “OK”


5-Firewall Configuration on “SkyNet Org Network”

Now allow HTTP traffic through our organization firewall “SkyNet-Prod-Edge2”. By default, it blocks everything. To add a firewall rule, click the “Add” button on the “firewall” tab.


In the rule, choose “10.0.150.150” (mgmt. server/client) as the source and “10.0.150.248” (web server external IP) with port “TCP 80” as the destination. Also make sure the action is “allow” and the “enable” check box is checked -> Click “OK”


Verify your added Firewall rule -> Click “OK”


Wait for the organization network firewall to be configured.


Now everything is configured, and the VSE status shows a “Green Check box”.


6-Firewall Configuration on “vApp Network”

Once the organization firewall is configured, go to the vApp where the web server VM is hosted. In my case, it is on “vApp5”. Click on the “vApp5 Networking” tab.


Right Click on your vApp Network “vApp5-Network-Routed” -> Click “Configure Services”


In the firewall tab -> Click on the “Add” button to add a rule.


In the vApp5 firewall rule, use “10.0.150.150” (mgmt. server/PC) as the source and, as the destination, choose “vApp5-Web1 NAT IP” with “TCP port 80” -> Click “OK”


Verify your added firewall rule -> Click “OK”

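The rules configured on the organization edge in sections 4 and 5, as an added example that is not part of the original post: a simplified Python model that checks the firewall rule against the external address, applies the DNAT rule, applies the SNAT rule to outbound traffic, and flags allow rules whose source is “any”. The VM address 10.0.33.10, the client 10.0.150.99 and the “any” rule are constructed for illustration (the post gives only the 10.0.33.0/24 range); the vApp network firewall from section 6 is not modelled.

```python
import ipaddress
from dataclasses import dataclass

WEB_VM = "10.0.33.10"  # assumed address; the post gives only 10.0.33.0/24

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

# Rules from this lab: (source, destination, TCP port); anything else is denied.
FIREWALL = [("10.0.150.150", "10.0.150.248", 80)]
DNAT = {("10.0.150.248", 80): (WEB_VM, 80)}   # external IP:port -> web server VM
SNAT = ("10.0.33.0/24", "10.0.150.248")       # internal range -> external IP

def fw_allows(pkt, rules):
    """True when an allow rule matches source, destination and port."""
    return any(s in ("any", pkt.src) and d == pkt.dst and p == pkt.dport
               for s, d, p in rules)

def inbound(pkt, rules=FIREWALL):
    """External to org network: firewall check on the external IP, then DNAT.
    Returns the translated packet, or None when the packet is dropped."""
    if not fw_allows(pkt, rules) or (pkt.dst, pkt.dport) not in DNAT:
        return None
    vm_ip, vm_port = DNAT[(pkt.dst, pkt.dport)]
    return Packet(pkt.src, vm_ip, vm_port)

def outbound(pkt):
    """Org network to external: SNAT rewrites sources inside the internal range."""
    cidr, ext_ip = SNAT
    if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(cidr):
        return Packet(ext_ip, pkt.dst, pkt.dport)
    return pkt

def open_to_any(rules):
    """Audit: allow rules that expose a DNAT-published address to every source."""
    return [r for r in rules if r[0] == "any" and (r[1], r[2]) in DNAT]

if __name__ == "__main__":
    print(inbound(Packet("10.0.150.150", "10.0.150.248", 80)))  # translated to the VM
    print(inbound(Packet("10.0.150.99", "10.0.150.248", 80)))   # constructed client: dropped
    print(inbound(Packet("10.0.150.150", "10.0.150.248", 22)))  # port not allowed: dropped
    print(outbound(Packet(WEB_VM, "10.0.150.150", 443)))        # source rewritten by SNAT
    print(open_to_any(FIREWALL + [("any", "10.0.150.248", 80)]))
```

Keeping the source of the allow rule pinned to the mgmt. server, as the post does, is what keeps the published port from being reachable by every host on the external network.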

7-Test the Web Server Access

Open the command prompt on the “mgmt. server”, as we did at the start, and “telnet” to the web server “external IP port 80”.


If everything is configured correctly, you will be able to telnet to the “webserver port 80”.


Next, open the “web Server” in the “mgmt. server” browser. It should work, and we got our test page.

