Ok, so if I understand what you are saying, you should NAT the ports you
are using on the management server.  As for those two public ranges
(216…/27 & 29) you will need to configure those two networks on separate
VLANs (on WAN Switch) and configure them in the zone setup.  Your physical
"Public" interfaces will need to be plugged into the WAN switch.

On 4/3/14, 4:41 PM, "Fred Newtz" <fbne...@gmail.com> wrote:

>I really do not want to put the firewall in front of anything.  I just want
>to have my management server protected by the firewall (only allow incoming
>traffic from specific static IPs to the management server).  Otherwise I
>want Cloudstack to handle all of the networking.
>
>My ISP has provided a cross connect with a /30 for me.  65.1.1.2 is the IP
>I have assigned to my external firewall and 65.1.1.1 is the Gateway IP I
>have configured for that specific external interface.
>
>He is advertising 216.1.1.1/27 and 217.1.1.1/29 for me through that
>gateway/cross connect.  Do I just need to configure static routes on the
>Firewall to allow this traffic to pass through directly to Cloudstack?
>
>All of the network diagrams that I see for the advanced networking
>configuration have a firewall between the internal switches and the
>internet.
>
>So something I am missing is needing to be configured to allow the IPs
>through the firewall.  I have a firewall and two layer 3 switches.  Do I
>need to configure one of the layer 3 switches in front of the firewall and
>pass the management network through the firewall, configure the public IP
>ranges on the layer 3 switch and pass that directly to Cloudstack on a
>separate network interface?
>
>
>Thanks,
>
>Fred
>
>
>On Thu, Apr 3, 2014 at 4:09 PM, Xerex Bueno <xbu...@lpsintegration.com> wrote:
>
>> So you will not be able to NAT the public IPs to the vRouter.  If you do
>> NAT them it will become a mess for management, not to mention you reduce
>> the effectiveness of Cloudstack as a cloud management tool.  You need to
>> expose that block to your WAN switch of which the public interface will
>> need to connect to.  If you really wanted to put a firewall in front you
>> would need to place it in transparent mode which would allow you to create
>> policies to control traffic.
>>
>> On 4/3/14, 1:59 PM, "Fred Newtz" <fbne...@gmail.com> wrote:
>>
>> >Public IP addresses confuse me the most in a Cloudstack install.  I have a
>> >Firewall that is hosting all of my public IP addresses now.  The management
>> >server is supposed to sit behind a NAT device to protect it from attack.
>> >How am I supposed to assign public IP addresses to virtual machines
>> >(virtual routers) inside of the NAT device? I have not seen any clear
>> >documentation on how this is supposed to be configured to make everything
>> >work correctly.  Where do I assign my IP addresses and how do I get them
>> >through the firewall correctly?
>> >
>> >I just purchased a Juniper SRX100 device (will be a small deployment).
>> >Will installing this help manage the Public IP situation easier (and even
>> >automatic)?  If anyone has any suggestions on what I should search for to
>> >solve this issue that would be great.  Explaining would be even better.
>> >
>> >Thanks,
>> >
>> >Fred
>>
>>
>> ________________________________
>>
>> This document is PROPRIETARY and CONFIDENTIAL and may not be duplicated,
>> redistributed, or displayed to any other party without the expressed
>> written permission of LPS Integration, Inc. If you are not the intended
>> recipient and have received this email in error, please destroy the email
>> and contact the LPS Integration Security Officer at 866-577-2902 (Phone),
>> 615-349-9009 (Fax) or 230 Great Circle Rd. Suite 218 Nashville, TN 37228
>> (US Mail)
>>
>>
>
>
>--
>
>Zobotek, LLC
>7941 Katy Freeway #256
>Houston, TX 77024
>
>281-216-0488 - Main Number
>
>http://www.zobotek.com
>http://www.stonemountainhosting.com

