In the network offering, if you select zone-wide source NAT, then the source NAT rules are 
not configured by CloudStack. The admin/user has to manually select the source NAT IP 
and configure the source NAT rules.

When you configure firewall rules, firewall filter rules on the SRX get configured.
Please try configuring TCP/UDP rules. For ICMP there is a bug and the fix will be 
committed soon.

Thanks,
Jayapal
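An added example, not from this thread and not CloudStack's or Juniper's code: a Python pre-flight check that reads an SRX config in `show configuration | display set` form, confirms the minimal pre-provisioning steps discussed further down (management IP, VLAN tagging on the private interface, the public VLAN unit, a trust-to-untrust permit policy, a default route), and lists which guest subnets already have a hand-written source NAT rule, which matters in the zone-wide source NAT case where CloudStack does not create them. The interface names, VLAN id and the sample config are constructed assumptions.

```python
import re

# Constructed sample in 'show configuration | display set' form, modelled on
# the config quoted in the thread; interface names and addresses are assumptions.
SAMPLE_CONFIG = """\
set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/4 vlan-tagging
set interfaces fe-0/0/4 unit 52 vlan-id 52
set security zones security-zone trust interfaces fe-0/0/1.929
set security zones security-zone untrust interfaces fe-0/0/4.52
set security policies from-zone trust to-zone untrust policy t2u then permit
set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
set security nat source pool 10-147-52-113 address 10.147.52.113/32
set security nat source rule-set trust from zone trust
set security nat source rule-set trust to zone untrust
set security nat source rule-set trust rule r1 match source-address 10.0.32.0/20
set security nat source rule-set trust rule r1 then source-nat pool 10-147-52-113
"""

def check_minimal_config(config, mgmt_if, private_if, public_if, public_vlan):
    """One boolean per pre-provisioning step; every value must be True before the SRX is added."""
    lines = [ln.strip() for ln in config.splitlines() if ln.startswith("set ")]

    def has(regex):
        return any(re.match(regex, ln) for ln in lines)

    return {
        "mgmt_ip": has(rf"set interfaces {re.escape(mgmt_if)} unit \d+ family inet address \S+"),
        "private_vlan_tagging": has(rf"set interfaces {re.escape(private_if)} vlan-tagging$"),
        "public_vlan": has(rf"set interfaces {re.escape(public_if)} unit {public_vlan} vlan-id {public_vlan}$"),
        "trust_to_untrust_permit": has(r"set security policies from-zone trust to-zone untrust policy \S+ then permit$"),
        "default_route": has(r"set routing-options static route 0\.0\.0\.0/0 next-hop \S+"),
    }

def source_nat_rules(config):
    """Map each guest subnet to the pool address it is source-NATed to; a guest
    subnet missing here has no translation, so its egress traffic will not work."""
    pools, match, pool_of = {}, {}, {}
    for ln in config.splitlines():
        m = re.match(r"set security nat source pool (\S+) address (\S+)", ln)
        if m:
            pools[m.group(1)] = m.group(2)   # pool name -> public address
        m = re.match(r"set security nat source rule-set \S+ rule (\S+) match source-address (\S+)", ln)
        if m:
            match[m.group(1)] = m.group(2)   # rule name -> guest subnet
        m = re.match(r"set security nat source rule-set \S+ rule (\S+) then source-nat pool (\S+)", ln)
        if m:
            pool_of[m.group(1)] = m.group(2)  # rule name -> pool name
    return {match[r]: pools.get(pool_of[r]) for r in match if r in pool_of}
```

Run it against the output of `show configuration | display set` saved from the device; any False entry is a step still to do by hand, and a guest subnet absent from the NAT map needs its source NAT rule added before egress from that network is expected to work.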

On 21-May-2013, at 11:48 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:

> Jayapal,
> 
> I added the SRX now, I can get the basic stuff working (private interface 
> created), but it looks like the source nat rules are not being created.  
> Also, when I create firewall rules, they are not being created on the SRX.  
> However, I can get the destination nat (port-forwarding) working.  Any ideas?
> 
> Thanks!
> 
> On 2013-05-14 1:15 PM, Jayapal Reddy Uradi wrote:
>> For the private interface, just enable VLAN tagging. When a guest network is 
>> created, CloudStack will configure the interface with the VLAN and IP.
>> 
>> Minimal config is:
>> 
>> 1. Set the management interface with an IP and use this IP when adding the SRX 
>> into CloudStack.
>> 2. Enable VLAN tagging on the private interface.
>> 3. Set the CloudStack public VLAN on the SRX public interface.
>> 4. Add rules to allow traffic from the trust to the untrust zone.
>> 5. Set appropriate routes for the trust and untrust subnets.
>> 
>> 
>> By default, guest traffic from trust (guest) to untrust (public) is blocked on 
>> the latest master. Add egress rules once the guest network is created.
>> 
>> Let me know if you see any issues.
>> 
>> Thanks,
>> Jayapal
>> 
>> On 14-May-2013, at 10:33 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:
>> 
>>> Hi Jayapal,
>>>> To add an SRX device into CloudStack, you need to preconfigure the SRX. The SRX 
>>>> needs 3 interfaces to be added into CloudStack:
>>>> 1. management interface
>>>> 2. private/guest network interface
>>>> 3. public interface.
>>> Ok.  It confirms what I understood :)
>>>> Please find the config below. It is a bit old CloudStack config on SRX, but 
>>>> it will give you an idea.
>>>> You need to update the firewall filter trust/untrust.
>>> Which parts actually need to be there for the pre-provisioning? I guess 
>>> some part of that config example has been done by CloudStack... (i.e. do we 
>>> need to create guest VLAN interfaces on the private interface right at the 
>>> beginning?)  In other words, what's the minimal config needed before adding 
>>> the SRX to CS?
>>> 
>>> Thanks!
>>>> set version 10.4R6.5
>>>> set system time-zone Asia/Calcutta
>>>> set system root-authentication encrypted-password "$1$ucpHjRfH$dNkhOuzKXJxrpAtewvTu.1"
>>>> set system name-server 208.67.222.222
>>>> set system name-server 208.67.220.220
>>>> set system name-server 10.147.28.6
>>>> set system name-server 4.2.2.2
>>>> set system services ssh
>>>> set system services telnet
>>>> set system services xnm-clear-text
>>>> set system services web-management http interface vlan.0
>>>> set system services web-management http interface fe-0/0/0.0
>>>> set system services web-management https system-generated-certificate
>>>> set system services web-management https interface vlan.0
>>>> set system syslog archive size 100k
>>>> set system syslog archive files 3
>>>> set system syslog user * any emergency
>>>> set system syslog file messages any critical
>>>> set system syslog file messages authorization info
>>>> set system syslog file interactive-commands interactive-commands error
>>>> set system max-configurations-on-flash 5
>>>> set system max-configuration-rollbacks 5
>>>> set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
>>>> set interfaces fe-0/0/0 description "Management Interface"
>>>> set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
>>>> set interfaces fe-0/0/1 description "Private network"
>>>> set interfaces fe-0/0/1 vlan-tagging
>>>> set interfaces fe-0/0/1 unit 929 vlan-id 929
>>>> set interfaces fe-0/0/1 unit 929 family inet address 10.0.64.1/20
>>>> set interfaces fe-0/0/1 unit 1122 vlan-id 1122
>>>> set interfaces fe-0/0/1 unit 1122 family inet address 10.0.32.1/20
>>>> set interfaces fe-0/0/4 description "Public Network"
>>>> set interfaces fe-0/0/4 vlan-tagging
>>>> set interfaces fe-0/0/4 unit 52 vlan-id 52
>>>> set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
>>>> set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.19/24
>>>> set interfaces vlan unit 52 family inet
>>>> set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
>>>> set routing-options static route 10.147.40.0/23 install
>>>> set routing-options static route 10.146.0.0/24 next-hop 10.147.40.1
>>>> set routing-options static route 10.146.0.0/24 install
>>>> set routing-options static route 10.147.52.0/24 next-hop 10.147.52.1
>>>> set routing-options static route 10.147.52.0/24 install
>>>> set routing-options static route 10.147.39.0/24 next-hop 10.147.40.1
>>>> set routing-options static route 10.147.29.0/24 next-hop 10.147.40.1
>>>> set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
>>>> set routing-options static route 0.0.0.0/0 install
>>>> set routing-options static route 10.147.28.6/32 next-hop 10.147.52.1
>>>> set routing-options static route 10.147.28.6/32 install
>>>> set routing-options static route 10.252.248.0/24 next-hop 10.147.52.1
>>>> set protocols stp
>>>> set security nat source pool 10-147-52-113 address 10.147.52.113/32
>>>> set security nat source rule-set trust from zone trust
>>>> set security nat source rule-set trust to zone untrust
>>>> set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 match source-address 10.0.32.0/20
>>>> set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 then source-nat pool 10-147-52-113
>>>> set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.116/32
>>>> set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.113/32
>>>> set security zones security-zone trust address-book address 10-0-78-206 10.0.78.206/32
>>>> set security zones security-zone trust address-book address 10-0-33-27 10.0.33.27/32
>>>> set security zones security-zone trust address-book address 10-0-35-239 10.0.35.239/32
>>>> set security zones security-zone trust host-inbound-traffic system-services all
>>>> set security zones security-zone trust interfaces fe-0/0/1.929
>>>> set security zones security-zone trust interfaces fe-0/0/1.1122
>>>> set security zones security-zone untrust host-inbound-traffic system-services ssh
>>>> set security zones security-zone untrust host-inbound-traffic system-services ping
>>>> set security zones security-zone untrust interfaces fe-0/0/4.52
>>>> set security zones security-zone MGMT host-inbound-traffic system-services all
>>>> set security zones security-zone MGMT interfaces fe-0/0/0.0
>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
>>>> set security policies from-zone trust to-zone trust policy accept-all match source-address any
>>>> set security policies from-zone trust to-zone trust policy accept-all match destination-address any
>>>> set security policies from-zone trust to-zone trust policy accept-all match application any
>>>> set security policies from-zone trust to-zone trust policy accept-all then permit
>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match source-address any
>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match destination-address any
>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match application any
>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust then permit
>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match source-address any
>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match destination-address any
>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match application any
>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt then permit
>>>> set firewall filter untrust term 10-147-52-116 from destination-address 10.147.52.116/32
>>>> set firewall filter untrust term 10-147-52-116 then count 10-147-52-116
>>>> set firewall filter untrust term 10-147-52-116 then accept
>>>> set firewall filter untrust term 10-147-52-113 from destination-address 10.147.52.113/32
>>>> set firewall filter untrust term 10-147-52-113 then count 10-147-52-113
>>>> set firewall filter untrust term 10-147-52-113 then accept
>>>> set firewall filter trust term 10-147-52-113 from source-address 10.0.32.0/20
>>>> set firewall filter trust term 10-147-52-113 then count 10-147-52-113
>>>> set firewall filter trust term 10-147-52-113 then accept
>>>> set applications application tcp-22-22 protocol tcp
>>>> set applications application tcp-22-22 destination-port 22
>>>> set vlans test vlan-id 52
>>>> set vlans test l3-interface vlan.52
>>>> 
>>>> Thanks,
>>>> Jayapal
>>>> 
>>>> On 14-May-2013, at 7:36 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:
>>>> 
>>>>> Hi,
>>>>> 
>>>>> I saw in the wiki there is a page for SRX configuration to integrate with 
>>>>> CloudStack.  However, the steps are not really clear, and the example 
>>>>> config link is kinda broken.  Does someone have a copy of this example 
>>>>> config somewhere?
>>>>> 
>>>>> Thanks!
>>>>> 
>>>>> -- 
>>>>> Francois Gaudreault
>>>>> Architecte de Solution Cloud | Cloud Solutions Architect
>>>>> fgaudrea...@cloudops.com
>>>>> 514-629-6775
>>>>> - - -
>>>>> CloudOps
>>>>> 420 rue Guy
>>>>> Montréal QC  H3J 1S6
>>>>> www.cloudops.com
>>>>> @CloudOps_
>>>>> 
>>>> 
>>> 
>>> 
>> 
>> 
> 
> 
> 
