Is your guest network created on the SRX?
Is your network offering created correctly with the SRX firewall?
While creating the instance/guest network, did you select the SRX firewall
network offering?

Thanks,
Jayapal

> -----Original Message-----
> From: Francois Gaudreault [mailto:fgaudrea...@cloudops.com]
> Sent: Wednesday, 22 May 2013 8:17 PM
> To: <users@cloudstack.apache.org>
> Cc: Jayapal Reddy Uradi
> Subject: Re: Juniper SRX Configuration
> 
> 
> Hi,
> > In network offering if you select ZONE wide source NAT then source rules
> > are not configured by cloudstack. Admin/User has to manually select source
> > NAT ip and configure the source NAT rules.
> Ok, thanks for the precision.
> >
> > When you configure firewall rules, firewall filter rules on srx get
> > configured.
> > Please try configuring tcp/udp rules. For ICMP there is a bug and the fix
> > will be committed soon.
> I just tried, and it's not working.  First, when I acquire another IP, the
> new IP is not even configured on the SRX.  So even if I create firewall
> rules, they are not created/applied.  Anyway, I tried using TCP.  I looked
> in the logs, and CloudStack won't even trigger the SRX code.
> 
> Thanks!
> >
> > Thanks,
> > Jayapal
> >
> > On 21-May-2013, at 11:48 PM, Francois Gaudreault
> > <fgaudrea...@cloudops.com> wrote:
> >
> >> Jayapal,
> >>
> >> I added the SRX now, I can get the basic stuff working (private interface
> >> created), but it looks like the source nat rules are not being created.
> >> Also, when I create firewall rules, they are not being created on the SRX.
> >> However, I can get the destination nat (port-forwarding) working.  Any
> >> ideas?
> >>
> >> Thanks!
> >>
> >> On 2013-05-14 1:15 PM, Jayapal Reddy Uradi wrote:
> >>> For private interface just enable the vlan tagging. When guest network
> >>> is created cloudstack will configure the interface with vlan and ip.
> >>>
> >>> Minimal config is:
> >>>
> >>> 1. set management interface with ip and use this ip while adding srx
> >>>    into cloudstack.
> >>> 2. enable vlan tagging on private interface
> >>> 3. set the cloudstack public vlan to the srx public interface.
> >>> 4. add rules to allow traffic from trust to untrust zone.
> >>> 5. set appropriate routes for the trust and untrust subnets
> >>>
> >>>
> >>> By default guest traffic trust (guest) to untrust (public) is blocked on
> >>> latest master. Add egress rules once the guest network is created.
> >>>
> >>> Let me know if see any issues.
> >>>
> >>> Thanks,
> >>> Jayapal
> >>>
> >>> On 14-May-2013, at 10:33 PM, Francois Gaudreault
> >>> <fgaudrea...@cloudops.com> wrote:
> >>>
> >>>> Hi Jayapal,
> >>>>> To add SRX device into cloudstack, you need to preconfigure the
> >>>>> srx. SRX needs 3 interfaces to add into cloudstack:
> >>>>> 1. management interface
> >>>>> 2. private/guest network interface
> >>>>> 3. public interface.
> >>>> Ok.  It confirms what I understood :)
> >>>>> Please find the below config. It is a bit old cloudstack config on
> >>>>> SRX, but it will give you an idea.
> >>>>> You need to update firewall filter trust/untrust.
> >>>> Which parts actually need to be there for the pre-provisioning? I guess
> >>>> some part of that config example has been done by CloudStack... (i.e. do
> >>>> we need to create guest vlan interfaces on the private interface right
> >>>> at the beginning?)  In other words, what's the minimal config needed
> >>>> before adding the SRX to CS?
> >>>>
> >>>> Thanks!
> >>>>> set version 10.4R6.5
> >>>>> set system time-zone Asia/Calcutta
> >>>>> set system root-authentication encrypted-password "$1$ucpHjRfH$dNkhOuzKXJxrpAtewvTu.1"
> >>>>> set system name-server 208.67.222.222
> >>>>> set system name-server 208.67.220.220
> >>>>> set system name-server 10.147.28.6
> >>>>> set system name-server 4.2.2.2
> >>>>> set system services ssh
> >>>>> set system services telnet
> >>>>> set system services xnm-clear-text
> >>>>> set system services web-management http interface vlan.0
> >>>>> set system services web-management http interface fe-0/0/0.0
> >>>>> set system services web-management https system-generated-certificate
> >>>>> set system services web-management https interface vlan.0
> >>>>> set system syslog archive size 100k
> >>>>> set system syslog archive files 3
> >>>>> set system syslog user * any emergency
> >>>>> set system syslog file messages any critical
> >>>>> set system syslog file messages authorization info
> >>>>> set system syslog file interactive-commands interactive-commands error
> >>>>> set system max-configurations-on-flash 5
> >>>>> set system max-configuration-rollbacks 5
> >>>>> set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
> >>>>> set interfaces fe-0/0/0 description "Management Interface"
> >>>>> set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
> >>>>> set interfaces fe-0/0/1 description "Private network"
> >>>>> set interfaces fe-0/0/1 vlan-tagging
> >>>>> set interfaces fe-0/0/1 unit 929 vlan-id 929
> >>>>> set interfaces fe-0/0/1 unit 929 family inet address 10.0.64.1/20
> >>>>> set interfaces fe-0/0/1 unit 1122 vlan-id 1122
> >>>>> set interfaces fe-0/0/1 unit 1122 family inet address 10.0.32.1/20
> >>>>> set interfaces fe-0/0/4 description "Public Network"
> >>>>> set interfaces fe-0/0/4 vlan-tagging
> >>>>> set interfaces fe-0/0/4 unit 52 vlan-id 52
> >>>>> set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
> >>>>> set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.19/24
> >>>>> set interfaces vlan unit 52 family inet
> >>>>> set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
> >>>>> set routing-options static route 10.147.40.0/23 install
> >>>>> set routing-options static route 10.146.0.0/24 next-hop 10.147.40.1
> >>>>> set routing-options static route 10.146.0.0/24 install
> >>>>> set routing-options static route 10.147.52.0/24 next-hop 10.147.52.1
> >>>>> set routing-options static route 10.147.52.0/24 install
> >>>>> set routing-options static route 10.147.39.0/24 next-hop 10.147.40.1
> >>>>> set routing-options static route 10.147.29.0/24 next-hop 10.147.40.1
> >>>>> set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
> >>>>> set routing-options static route 0.0.0.0/0 install
> >>>>> set routing-options static route 10.147.28.6/32 next-hop 10.147.52.1
> >>>>> set routing-options static route 10.147.28.6/32 install
> >>>>> set routing-options static route 10.252.248.0/24 next-hop 10.147.52.1
> >>>>> set protocols stp
> >>>>> set security nat source pool 10-147-52-113 address 10.147.52.113/32
> >>>>> set security nat source rule-set trust from zone trust
> >>>>> set security nat source rule-set trust to zone untrust
> >>>>> set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 match source-address 10.0.32.0/20
> >>>>> set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 then source-nat pool 10-147-52-113
> >>>>> set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.116/32
> >>>>> set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.113/32
> >>>>> set security zones security-zone trust address-book address 10-0-78-206 10.0.78.206/32
> >>>>> set security zones security-zone trust address-book address 10-0-33-27 10.0.33.27/32
> >>>>> set security zones security-zone trust address-book address 10-0-35-239 10.0.35.239/32
> >>>>> set security zones security-zone trust host-inbound-traffic system-services all
> >>>>> set security zones security-zone trust interfaces fe-0/0/1.929
> >>>>> set security zones security-zone trust interfaces fe-0/0/1.1122
> >>>>> set security zones security-zone untrust host-inbound-traffic system-services ssh
> >>>>> set security zones security-zone untrust host-inbound-traffic system-services ping
> >>>>> set security zones security-zone untrust interfaces fe-0/0/4.52
> >>>>> set security zones security-zone MGMT host-inbound-traffic system-services all
> >>>>> set security zones security-zone MGMT interfaces fe-0/0/0.0
> >>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
> >>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
> >>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
> >>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
> >>>>> set security policies from-zone trust to-zone trust policy accept-all match source-address any
> >>>>> set security policies from-zone trust to-zone trust policy accept-all match destination-address any
> >>>>> set security policies from-zone trust to-zone trust policy accept-all match application any
> >>>>> set security policies from-zone trust to-zone trust policy accept-all then permit
> >>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match source-address any
> >>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match destination-address any
> >>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match application any
> >>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust then permit
> >>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match source-address any
> >>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match destination-address any
> >>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match application any
> >>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt then permit
> >>>>> set firewall filter untrust term 10-147-52-116 from destination-address 10.147.52.116/32
> >>>>> set firewall filter untrust term 10-147-52-116 then count 10-147-52-116
> >>>>> set firewall filter untrust term 10-147-52-116 then accept
> >>>>> set firewall filter untrust term 10-147-52-113 from destination-address 10.147.52.113/32
> >>>>> set firewall filter untrust term 10-147-52-113 then count 10-147-52-113
> >>>>> set firewall filter untrust term 10-147-52-113 then accept
> >>>>> set firewall filter trust term 10-147-52-113 from source-address 10.0.32.0/20
> >>>>> set firewall filter trust term 10-147-52-113 then count 10-147-52-113
> >>>>> set firewall filter trust term 10-147-52-113 then accept
> >>>>> set applications application tcp-22-22 protocol tcp
> >>>>> set applications application tcp-22-22 destination-port 22
> >>>>> set vlans test vlan-id 52
> >>>>> set vlans test l3-interface vlan.52
> >>>>>
> >>>>> Thanks,
> >>>>> Jayapal
> >>>>>
> >>>>> On 14-May-2013, at 7:36 PM, Francois Gaudreault
> >>>>> <fgaudrea...@cloudops.com> wrote:
> >>>>>
> >>>>>> Hi,
> >>>>>>
> >>>>>> I saw in the wiki there is a page for SRX configuration to integrate
> >>>>>> with CloudStack.  However, the steps are not really clear, and the
> >>>>>> example config link is kinda broken.  Does someone have a copy of this
> >>>>>> example config somewhere?
> >>>>>>
> >>>>>> Thanks!
> >>>>>>
> >>>>>> --
> >>>>>> Francois Gaudreault
> >>>>>> Architecte de Solution Cloud | Cloud Solutions Architect
> >>>>>> fgaudrea...@cloudops.com
> >>>>>> 514-629-6775
> >>>>>> - - -
> >>>>>> CloudOps
> >>>>>> 420 rue Guy
> >>>>>> Montréal QC  H3J 1S6
> >>>>>> www.cloudops.com
> >>>>>> @CloudOps_
> >>>>>>
> >>>> --
> >>>> Francois Gaudreault
> >>>> Architecte de Solution Cloud | Cloud Solutions Architect
> >>>> fgaudrea...@cloudops.com
> >>>> 514-629-6775
> >>>> - - -
> >>>> CloudOps
> >>>> 420 rue Guy
> >>>> Montréal QC  H3J 1S6
> >>>> www.cloudops.com
> >>>> @CloudOps_
> >>>>
> >>>
> >>
> >> --
> >> Francois Gaudreault
> >> Architecte de Solution Cloud | Cloud Solutions Architect
> >> fgaudrea...@cloudops.com
> >> 514-629-6775
> >> - - -
> >> CloudOps
> >> 420 rue Guy
> >> Montréal QC  H3J 1S6
> >> www.cloudops.com
> >> @CloudOps_
> >>
> >
> >
> 
> 
> --
> Francois Gaudreault
> Architecte de Solution Cloud | Cloud Solutions Architect
> fgaudrea...@cloudops.com
> 514-629-6775
> - - -
> CloudOps
> 420 rue Guy
> Montréal QC  H3J 1S6
> www.cloudops.com
> @CloudOps_
