David Davis (CCIE #9369, vExpert, VCP, CISSP, MCSE) has been in the IT industry for 15+ years. He has authored over 300 articles, 6 video training courses, and co-authored one book. Learn about David's certifications, video courses, and where you can find his content on our About Us page.
Hello Mr. David,
Firstly, let me thank you for the great work that you have done. Secondly, I have a question about vFirewall design along with the VMware network topology, as well as across VLANs.
I have an ISA Firewall 2004 that is configured with 2 pNICs, external & internal.
External: 192.168.1.50/24
DG: 192.168.1.1
DNS:N/A
Internal: 128.104.30.12/16
DG: N/A
DNS: 128.104.30.40
Clients are configured with 128.104.30.12 as the gateway to access the internet.
Also, I have a VMware ESX cluster consisting of 4 hosts. Each host with 6 pNICs 2. I have a routing switch that is configured with 4 vLANs. Switch IP address 128.104.145.149. In the pSwitch, 4 VLANs are configured;
vLAN1: 192.168.1.0
vLAN2: 128.104.0.0
vLAN3: 172.16.20.0
vLAN4: 10.1.0.0
The Service Console is connected to vLAN3, which is the 172.16.20.0/24 network, under vSwitch0, which contains 2 pNICs & 3 PortGroups: Service Console PortGroup, VMotion PortGroup & vCenter PortGroup. I use the vCenter PortGroup to place the VirtualCenter VM, and I will place the VM Firewall there too.
Requirements:
I want to restrict access to the Virtual Center & ESX farm between the 128.104.0.0 & 172.16.20.0 networks.
Currently, I'm accessing the VirtualCenter on the 172.16.20.0 network by adding a static route on the VI Clients to go via 128.104.145.149, "the pSwitch IP address". I can simply reach the network, but it doesn't provide me any security in terms of access rules and port restrictions.
Once I place the vFirewall in the vCenter PortGroup and assign it 2 vNICs, one for Production & the other for the vCenter PortGroup, how can I configure the routing between the ISA Firewall ("front-end firewall") and the vFirewall ("back-end firewall")?
In a back-to-back firewall scenario, the internal network behind the front-end firewall becomes a DMZ network, yeah? I have done the following to get it to work, but unfortunately I can't get it to work.
I have set up another virtual ISA Server to serve the vLAN3 segment & configured it with 2 vNICs;
External:
IP Address: 128.104.30.30/16
DG:128.104.30.12 -> Internal Address of the Front-end ISA Firewall
DNS:N/A
Internal:
IP Address: 172.16.20.101/24
DG: N/A
DNS: 172.16.20.55
======================================
1. In the back-end ISA Server, I have created 128.104.0.0 ~ 128.104.255.255 as a DMZ network.
2. Created a route relationship between the default Internal Network behind the back-end ISA Server and the DMZ network.
3. For testing purposes, I have created a Computer Set for the ESX Servers & DMZ clients & created an access rule allowing all outbound protocols from the default Internal Network behind the back-end ISA Server to the DMZ network, and added both elements in this rule as source & destination.
4. In the DMZ clients, I removed the 172.16.20.0 mask 255.255.255.0 128.104.145.149 static route & added 172.16.20.0 mask 255.255.255.0 128.104.30.30, "the external interface of the back-end ISA Server".
5. Configured the front-end ISA Server with the default Internal Network behind the back-end ISA Server, "172.16.20.0 172.16.20.255".
6. Configured a static route entry in the front-end ISA Server: 172.16.20.0 mask 255.255.255.0 128.104.30.30
DMZ Client configured with:
IP Address: 128.104.100.30
S.M: 16 bit
D.G: 128.104.30.12 “Front-end ISA Server Internal Nic”
As soon as I remove the static route 172.16.20.0 mask 255.255.255.0 128.104.145.49 from the DMZ clients, I lose connectivity to the 172.16.20.0 network.
I want to enable the DMZ clients to access the 172.16.20.0 network using a limited access rule. Can I do that?
Many Thanks in advance.
Hussain