Please share your management server logs in pastebin.com

Thanks,
Jayapal

On 23-May-2013, at 5:30 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:

> On 2013-05-23 12:50 AM, Jayapal Reddy Uradi wrote:
>> Is your guest network created on the SRX ?
> Yes.
>> Is your network offering created correctly with SRX firewall ?
> Yes.
>> While creating instance/guest network did you select the SRX firewall network offering ?
> Yes.
>
> Thanks.
>>
>> Thanks,
>> Jayapal
>>
>>> -----Original Message-----
>>> From: Francois Gaudreault [mailto:fgaudrea...@cloudops.com]
>>> Sent: Wednesday, 22 May 2013 8:17 PM
>>> To: <users@cloudstack.apache.org>
>>> Cc: Jayapal Reddy Uradi
>>> Subject: Re: Juniper SRX Configuration
>>>
>>> Hi,
>>>> In network offering if you select ZONE wide source NAT then source rules are not configured by cloudstack. Admin/User has to manually select source NAT ip and configure the source NAT rules.
>>> Ok, thanks for the precision.
>>>> When you configure firewall rules, firewall filter rules on srx get configured.
>>>> Please try configuring tcp/udp rules. For ICMP there is a bug and the fix will be committed soon.
>>> I just tried, and it's not working. First, when I acquire another IP, the new IP is not even configured on the SRX. So even if I create firewall rules, they are not created/applied. Anyway, I tried using TCP. I looked in the logs, and CloudStack won't even trigger the SRX code.
>>>
>>> Thanks!
>>>> Thanks,
>>>> Jayapal
>>>>
>>>> On 21-May-2013, at 11:48 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:
>>>>
>>>>> Jayapal,
>>>>>
>>>>> I added the SRX now, I can get the basic stuff working (private interface created), but it looks like the source nat rules are not being created. Also, when I create firewall rules, they are not being created on the SRX. However, I can get the destination nat (port-forwarding) working. Any ideas?
>>>>> Thanks!
>>>>>
>>>>> On 2013-05-14 1:15 PM, Jayapal Reddy Uradi wrote:
>>>>>> For private interface just enable the vlan tagging. When guest network is created cloudstack will configure the interface with vlan and ip.
>>>>>> Minimal config is:
>>>>>>
>>>>>> 1. set management interface with ip and use this ip while adding srx into cloudstack.
>>>>>> 2. enable vlan tagging on private interface
>>>>>> 3. set the cloudstack public vlan to the srx public interface.
>>>>>> 4. add rules to allow traffic from trust to untrust zone.
>>>>>> 5. set appropriate routes for the trust and untrust subnets
>>>>>>
>>>>>> By default guest traffic trust (guest) to untrust (public) is blocked on latest master. Add egress rules once the guest network is created.
>>>>>> Let me know if you see any issues.
>>>>>>
>>>>>> Thanks,
>>>>>> Jayapal
>>>>>>
>>>>>> On 14-May-2013, at 10:33 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:
>>>>>>
>>>>>>> Hi Jayapal,
>>>>>>>> To add SRX device into cloudstack, you need to preconfigure the srx. SRX needs 3 interfaces to add into cloudstack: 1. management interface 2. private/guest network interface 3. public interface.
>>>>>>> Ok. It confirms what I understood :)
>>>>>>>> Please find the below config. It is a bit old cloudstack config on SRX, but it will give you an idea.
>>>>>>>> You need to update firewall filter trust/untrust.
>>>>>>> Which parts actually need to be there for the pre-provisioning? I guess some part of that config example has been done by CloudStack... (i.e. Do we need to create guest vlan interfaces on the private interface right at the beginning?) In other words, what's the minimal config needed before adding the SRX to CS?
>>>>>>> Thanks!
>>>>>>>> set version 10.4R6.5
>>>>>>>> set system time-zone Asia/Calcutta
>>>>>>>> set system root-authentication encrypted-password "$1$ucpHjRfH$dNkhOuzKXJxrpAtewvTu.1"
>>>>>>>> set system name-server 208.67.222.222
>>>>>>>> set system name-server 208.67.220.220
>>>>>>>> set system name-server 10.147.28.6
>>>>>>>> set system name-server 4.2.2.2
>>>>>>>> set system services ssh
>>>>>>>> set system services telnet
>>>>>>>> set system services xnm-clear-text
>>>>>>>> set system services web-management http interface vlan.0
>>>>>>>> set system services web-management http interface fe-0/0/0.0
>>>>>>>> set system services web-management https system-generated-certificate
>>>>>>>> set system services web-management https interface vlan.0
>>>>>>>> set system syslog archive size 100k
>>>>>>>> set system syslog archive files 3
>>>>>>>> set system syslog user * any emergency
>>>>>>>> set system syslog file messages any critical
>>>>>>>> set system syslog file messages authorization info
>>>>>>>> set system syslog file interactive-commands interactive-commands error
>>>>>>>> set system max-configurations-on-flash 5
>>>>>>>> set system max-configuration-rollbacks 5
>>>>>>>> set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
>>>>>>>> set interfaces fe-0/0/0 description "Management Interface"
>>>>>>>> set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
>>>>>>>> set interfaces fe-0/0/1 description "Private network"
>>>>>>>> set interfaces fe-0/0/1 vlan-tagging
>>>>>>>> set interfaces fe-0/0/1 unit 929 vlan-id 929
>>>>>>>> set interfaces fe-0/0/1 unit 929 family inet address 10.0.64.1/20
>>>>>>>> set interfaces fe-0/0/1 unit 1122 vlan-id 1122
>>>>>>>> set interfaces fe-0/0/1 unit 1122 family inet address 10.0.32.1/20
>>>>>>>> set interfaces fe-0/0/4 description "Public Network"
>>>>>>>> set interfaces fe-0/0/4 vlan-tagging
>>>>>>>> set interfaces fe-0/0/4 unit 52 vlan-id 52
>>>>>>>> set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
>>>>>>>> set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.19/24
>>>>>>>> set interfaces vlan unit 52 family inet
>>>>>>>> set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
>>>>>>>> set routing-options static route 10.147.40.0/23 install
>>>>>>>> set routing-options static route 10.146.0.0/24 next-hop 10.147.40.1
>>>>>>>> set routing-options static route 10.146.0.0/24 install
>>>>>>>> set routing-options static route 10.147.52.0/24 next-hop 10.147.52.1
>>>>>>>> set routing-options static route 10.147.52.0/24 install
>>>>>>>> set routing-options static route 10.147.39.0/24 next-hop 10.147.40.1
>>>>>>>> set routing-options static route 10.147.29.0/24 next-hop 10.147.40.1
>>>>>>>> set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
>>>>>>>> set routing-options static route 0.0.0.0/0 install
>>>>>>>> set routing-options static route 10.147.28.6/32 next-hop 10.147.52.1
>>>>>>>> set routing-options static route 10.147.28.6/32 install
>>>>>>>> set routing-options static route 10.252.248.0/24 next-hop 10.147.52.1
>>>>>>>> set protocols stp
>>>>>>>> set security nat source pool 10-147-52-113 address 10.147.52.113/32
>>>>>>>> set security nat source rule-set trust from zone trust
>>>>>>>> set security nat source rule-set trust to zone untrust
>>>>>>>> set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 match source-address 10.0.32.0/20
>>>>>>>> set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 then source-nat pool 10-147-52-113
>>>>>>>> set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.116/32
>>>>>>>> set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.113/32
>>>>>>>> set security zones security-zone trust address-book address 10-0-78-206 10.0.78.206/32
>>>>>>>> set security zones security-zone trust address-book address 10-0-33-27 10.0.33.27/32
>>>>>>>> set security zones security-zone trust address-book address 10-0-35-239 10.0.35.239/32
>>>>>>>> set security zones security-zone trust host-inbound-traffic system-services all
>>>>>>>> set security zones security-zone trust interfaces fe-0/0/1.929
>>>>>>>> set security zones security-zone trust interfaces fe-0/0/1.1122
>>>>>>>> set security zones security-zone untrust host-inbound-traffic system-services ssh
>>>>>>>> set security zones security-zone untrust host-inbound-traffic system-services ping
>>>>>>>> set security zones security-zone untrust interfaces fe-0/0/4.52
>>>>>>>> set security zones security-zone MGMT host-inbound-traffic system-services all
>>>>>>>> set security zones security-zone MGMT interfaces fe-0/0/0.0
>>>>>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
>>>>>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
>>>>>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
>>>>>>>> set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
>>>>>>>> set security policies from-zone trust to-zone trust policy accept-all match source-address any
>>>>>>>> set security policies from-zone trust to-zone trust policy accept-all match destination-address any
>>>>>>>> set security policies from-zone trust to-zone trust policy accept-all match application any
>>>>>>>> set security policies from-zone trust to-zone trust policy accept-all then permit
>>>>>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match source-address any
>>>>>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match destination-address any
>>>>>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match application any
>>>>>>>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust then permit
>>>>>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match source-address any
>>>>>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match destination-address any
>>>>>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match application any
>>>>>>>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt then permit
>>>>>>>> set firewall filter untrust term 10-147-52-116 from destination-address 10.147.52.116/32
>>>>>>>> set firewall filter untrust term 10-147-52-116 then count 10-147-52-116
>>>>>>>> set firewall filter untrust term 10-147-52-116 then accept
>>>>>>>> set firewall filter untrust term 10-147-52-113 from destination-address 10.147.52.113/32
>>>>>>>> set firewall filter untrust term 10-147-52-113 then count 10-147-52-113
>>>>>>>> set firewall filter untrust term 10-147-52-113 then accept
>>>>>>>> set firewall filter trust term 10-147-52-113 from source-address 10.0.32.0/20
>>>>>>>> set firewall filter trust term 10-147-52-113 then count 10-147-52-113
>>>>>>>> set firewall filter trust term 10-147-52-113 then accept
>>>>>>>> set applications application tcp-22-22 protocol tcp
>>>>>>>> set applications application tcp-22-22 destination-port 22
>>>>>>>> set vlans test vlan-id 52
>>>>>>>> set vlans test l3-interface vlan.52
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Jayapal
>>>>>>>>
>>>>>>>> On 14-May-2013, at 7:36 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I saw in the wiki there is a page for SRX configuration to integrate with CloudStack. However, the steps are not really clear, and the example config link is kinda broken. Does someone have a copy of this example config somewhere?
>>>>>>>>> Thanks!
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Francois Gaudreault
>>>>>>>>> Architecte de Solution Cloud | Cloud Solutions Architect
>>>>>>>>> fgaudrea...@cloudops.com
>>>>>>>>> 514-629-6775
>>>>>>>>> - - -
>>>>>>>>> CloudOps
>>>>>>>>> 420 rue Guy
>>>>>>>>> Montréal QC H3J 1S6
>>>>>>>>> www.cloudops.com
>>>>>>>>> @CloudOps_
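As an added example that is not part of the thread or of CloudStack's SRX code: a small lint that checks a Junos "set"-style SRX config against the five minimal pre-provisioning steps Jayapal lists, and separately flags clear-text management services (telnet, xnm-clear-text, web-management http) and zones with host-inbound-traffic set to all, both of which the posted config enables. The interface names, the public VLAN id and the sample config are assumptions taken from the config posted above, trimmed and constructed for the test.

```python
# Added example, not CloudStack's own SRX code: lint a Junos "set"-style config
# against the thread's minimal pre-provisioning steps and flag clear-text
# management services. Interface names default to those in the posted config;
# SAMPLE_CONFIG is constructed, trimmed to the same shape as the posted one.
import re

SAMPLE_CONFIG = """
set system services ssh
set system services telnet
set system services xnm-clear-text
set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/4 unit 52 vlan-id 52
set security zones security-zone trust host-inbound-traffic system-services all
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
"""
# Management services that carry credentials or config in the clear (assumed list).
CLEARTEXT_SERVICES = ("telnet", "xnm-clear-text", "web-management http")

def parse_set_lines(text):
    """Return the 'set ...' statements of a Junos config, whitespace-stripped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("set ")]

def check_minimal(lines, mgmt="fe-0/0/0", private="fe-0/0/1", public="fe-0/0/4", vlan=52):
    """Map the five minimal steps from the thread to True/False (step 5 is approximated by a default route)."""
    cfg = set(lines)
    return {
        "1_mgmt_ip": any(ln.startswith(f"set interfaces {mgmt} unit 0 family inet address ") for ln in cfg),
        "2_private_vlan_tagging": f"set interfaces {private} vlan-tagging" in cfg,
        "3_public_vlan": f"set interfaces {public} unit {vlan} vlan-id {vlan}" in cfg,
        "4_trust_to_untrust_permit": any(ln.startswith("set security policies from-zone trust to-zone untrust ") and ln.endswith(" then permit") for ln in cfg),
        "5_default_route": any(ln.startswith("set routing-options static route 0.0.0.0/0 next-hop ") for ln in cfg),
    }

def find_cleartext_services(lines):
    """Clear-text services enabled under 'set system services'."""
    found = set()
    for ln in lines:
        m = re.match(r"set system services (.+)$", ln)
        if m:
            found.update(s for s in CLEARTEXT_SERVICES
                         if m.group(1) == s or m.group(1).startswith(s + " "))
    return sorted(found)

def find_open_host_inbound(lines):
    """Zones whose host-inbound-traffic allows every system service on the SRX itself."""
    pat = re.compile(r"set security zones security-zone (\S+) host-inbound-traffic system-services all$")
    return sorted({m.group(1) for m in map(pat.match, lines) if m})
```

Run it against the output of `show configuration | display set` from the device; a False entry in `check_minimal` points at the step that is still missing before adding the SRX to CloudStack.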