On 2013-05-23 12:50 AM, Jayapal Reddy Uradi wrote:
Is your guest network created on the SRX ?
Yes.
Is your network offering created correctly with SRX firewall ?
Yes.
While creating instance/guest network did you select the SRX firewall network offering ?
Yes.

Thanks.

Thanks,
Jayapal

-----Original Message-----
From: Francois Gaudreault [mailto:fgaudrea...@cloudops.com]
Sent: Wednesday, 22 May 2013 8:17 PM
To: <users@cloudstack.apache.org>
Cc: Jayapal Reddy Uradi
Subject: Re: Juniper SRX Configuration


Hi,
In network offering if you select ZONE wide source NAT then source rules
are not configured by cloudstack. Admin/User has to manually select source
NAT ip and configure the source NAT rules.
Ok, thanks for the precision.
When you configure firewall rules, firewall filter rules on srx get configured.
Please try configuring tcp/udp rules. For ICMP there is a bug and the fix will
be committed soon.
I just tried, and it's not working.  First, when I acquire another IP, the new IP
is not even configured on the SRX.  So even if I create firewall rules, they are
not created/applied.  Anyway, I tried using TCP.  I looked in the logs, and
CloudStack won't even trigger the SRX code.

Thanks!
Thanks,
Jayapal

On 21-May-2013, at 11:48 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:

Jayapal,

I added the SRX now, I can get the basic stuff working (private interface
created), but it looks like the source nat rules are not being created.  Also,
when I create firewall rules, they are not being created on the SRX.  However,
I can get the destination nat (port-forwarding) working.  Any ideas?
Thanks!

On 2013-05-14 1:15 PM, Jayapal Reddy Uradi wrote:
For private interface just enable the vlan tagging. When guest network is
created cloudstack will configure the interface with vlan and ip.
Minimal config is:

1. set management interface with ip and use this ip while adding srx
into cloudstack.
2. enable vlan tagging on private interface
3. set the cloudstack public vlan to the srx public interface.
4. add rules to allow traffic from trust to untrust zone.
5. set appropriate routes for the trust and untrust subnets


By default guest traffic trust (guest) to untrust (public) is blocked on
latest master. Add egress rules once the guest network is created.
Let me know if you see any issues.

Thanks,
Jayapal

On 14-May-2013, at 10:33 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:

Hi Jayapal,
To add SRX device into cloudstack, you need to preconfigure the
srx. SRX needs 3 interfaces to add into cloudstack: 1. management
interface 2. private/guest network interface 3. public interface.
Ok.  It confirms what I understood :)
Please find the below config. It is a bit old cloudstack config on SRX, but it
will give you an idea.
You need to update firewall filter trust/untrust.
Which parts actually need to be there for the pre-provisioning? I guess
some part of that config example has been done by CloudStack... (i.e. Do we
need to create guest vlan interfaces on the private interface right at the
beginning?)  In other words, what's the minimal config needed before adding
the SRX to CS?
Thanks!
set version 10.4R6.5
set system time-zone Asia/Calcutta
set system root-authentication encrypted-password "$1$ucpHjRfH$dNkhOuzKXJxrpAtewvTu.1"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server 10.147.28.6
set system name-server 4.2.2.2
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 description "Management Interface"
set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
set interfaces fe-0/0/1 description "Private network"
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/1 unit 929 vlan-id 929
set interfaces fe-0/0/1 unit 929 family inet address 10.0.64.1/20
set interfaces fe-0/0/1 unit 1122 vlan-id 1122
set interfaces fe-0/0/1 unit 1122 family inet address 10.0.32.1/20
set interfaces fe-0/0/4 description "Public Network"
set interfaces fe-0/0/4 vlan-tagging
set interfaces fe-0/0/4 unit 52 vlan-id 52
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.19/24
set interfaces vlan unit 52 family inet
set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
set routing-options static route 10.147.40.0/23 install
set routing-options static route 10.146.0.0/24 next-hop 10.147.40.1
set routing-options static route 10.146.0.0/24 install
set routing-options static route 10.147.52.0/24 next-hop 10.147.52.1
set routing-options static route 10.147.52.0/24 install
set routing-options static route 10.147.39.0/24 next-hop 10.147.40.1
set routing-options static route 10.147.29.0/24 next-hop 10.147.40.1
set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
set routing-options static route 0.0.0.0/0 install
set routing-options static route 10.147.28.6/32 next-hop 10.147.52.1
set routing-options static route 10.147.28.6/32 install
set routing-options static route 10.252.248.0/24 next-hop 10.147.52.1
set protocols stp
set security nat source pool 10-147-52-113 address 10.147.52.113/32
set security nat source rule-set trust from zone trust
set security nat source rule-set trust to zone untrust
set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 match source-address 10.0.32.0/20
set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 then source-nat pool 10-147-52-113
set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.116/32
set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.113/32
set security zones security-zone trust address-book address 10-0-78-206 10.0.78.206/32
set security zones security-zone trust address-book address 10-0-33-27 10.0.33.27/32
set security zones security-zone trust address-book address 10-0-35-239 10.0.35.239/32
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/1.929
set security zones security-zone trust interfaces fe-0/0/1.1122
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/4.52
set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone MGMT interfaces fe-0/0/0.0
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy accept-all match source-address any
set security policies from-zone trust to-zone trust policy accept-all match destination-address any
set security policies from-zone trust to-zone trust policy accept-all match application any
set security policies from-zone trust to-zone trust policy accept-all then permit
set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match source-address any
set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match destination-address any
set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match application any
set security policies from-zone MGMT to-zone trust policy MGMT-to-trust then permit
set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match source-address any
set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match destination-address any
set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match application any
set security policies from-zone MGMT to-zone MGMT policy accept-mgmt then permit
set firewall filter untrust term 10-147-52-116 from destination-address 10.147.52.116/32
set firewall filter untrust term 10-147-52-116 then count 10-147-52-116
set firewall filter untrust term 10-147-52-116 then accept
set firewall filter untrust term 10-147-52-113 from destination-address 10.147.52.113/32
set firewall filter untrust term 10-147-52-113 then count 10-147-52-113
set firewall filter untrust term 10-147-52-113 then accept
set firewall filter trust term 10-147-52-113 from source-address 10.0.32.0/20
set firewall filter trust term 10-147-52-113 then count 10-147-52-113
set firewall filter trust term 10-147-52-113 then accept
set applications application tcp-22-22 protocol tcp
set applications application tcp-22-22 destination-port 22
set vlans test vlan-id 52
set vlans test l3-interface vlan.52

Thanks,
Jayapal

On 14-May-2013, at 7:36 PM, Francois Gaudreault
<fgaudrea...@cloudops.com> wrote:
Hi,

I saw in the wiki there is a page for SRX configuration to integrate
with CloudStack.  However, the steps are not really clear, and the example
config link is kinda broken.  Does someone have a copy of this example config
somewhere?
Thanks!

--
Francois Gaudreault
Architecte de Solution Cloud | Cloud Solutions Architect
fgaudrea...@cloudops.com
514-629-6775
- - -
CloudOps
420 rue Guy
Montréal QC  H3J 1S6
www.cloudops.com
@CloudOps_
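The five minimal pre-provisioning steps Jayapal lists, plus the source NAT rule an admin has to add by hand when the network offering uses zone-wide source NAT, collected into one set-format snippet. This is an added example, not config from the thread or from CloudStack itself; interface names, VLAN 52, the 10.147.x addresses and the guest CIDR 10.0.32.0/20 are reused from the posted example config and are assumptions for any other deployment, and the `#` lines are explanatory comments.

```junos
# Step 1: management interface; its address is the one entered when adding the SRX to CloudStack
set interfaces fe-0/0/0 description "Management Interface"
set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
set security zones security-zone MGMT interfaces fe-0/0/0.0
set security zones security-zone MGMT host-inbound-traffic system-services all
set system services ssh
# xnm-clear-text is the Junos XML management service the posted config enables for CloudStack's sessions
set system services xnm-clear-text
# Step 2: private/guest interface only needs vlan-tagging up front; CloudStack adds the
# per-guest-network unit (vlan-id and gateway address) when the guest network is created
set interfaces fe-0/0/1 description "Private network"
set interfaces fe-0/0/1 vlan-tagging
# the trust zone must exist for the policy in step 4 (system-services all, as in the posted config)
set security zones security-zone trust host-inbound-traffic system-services all
# Step 3: public interface carrying the CloudStack public VLAN (52 in the posted config)
set interfaces fe-0/0/4 description "Public Network"
set interfaces fe-0/0/4 vlan-tagging
set interfaces fe-0/0/4 unit 52 vlan-id 52
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
set security zones security-zone untrust interfaces fe-0/0/4.52
set security zones security-zone untrust host-inbound-traffic system-services ping
# Step 4: zone policy permitting trust -> untrust; on latest master guest egress stays blocked
# until egress rules are added in CloudStack for the guest network
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
# Step 5: routes for the untrust (public) and management subnets
set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
# Zone-wide source NAT offering: CloudStack does not push the source NAT rule, so the admin adds it
# for the chosen public IP (assumed 10.147.52.113) and the guest CIDR (assumed 10.0.32.0/20)
set security nat source pool 10-147-52-113 address 10.147.52.113/32
set security nat source rule-set trust from zone trust
set security nat source rule-set trust to zone untrust
set security nat source rule-set trust rule guest-snat match source-address 10.0.32.0/20
set security nat source rule-set trust rule guest-snat then source-nat pool 10-147-52-113
# proxy-arp so the SRX answers for the NAT address on the public VLAN
set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.113/32
```

After loading, `show security nat source rule-set trust` and `show security policies from-zone trust to-zone untrust` confirm the pieces CloudStack will not create for you are present before guest networks are provisioned.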