Comments on: Running a Virtual Router & Firewall inside VMware ESX with Vyatta http://www.VMwareVideos.com/running-a-virtual-router-firewall-inside-vmware-esx-with-vyatta VMware Videos - Virtualization News and How-To Fri, 03 Sep 2010 23:43:52 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Hussain http://www.VMwareVideos.com/running-a-virtual-router-firewall-inside-vmware-esx-with-vyatta/comment-page-1#comment-13 Hussain Fri, 02 Jan 2009 10:12:46 +0000 http://vmwarevideos.com/?p=110#comment-13 Hello Mr.David, Firstly, let me thank you for your great work that you have done. secondly, I have a question about a vFirewall desiging along with VMware Network Topology as well as across VLANs. I have an ISA Firewall 2004 that configured with 2 pNICs, external & internal. External: 192.168.1.50/24 DG: 192.168.1.1 DNS:N/A Internal: 128.104.30.12/16 DG: N/A DNS: 128.104.30.40 Clients configured with 128.104.30.12 Gateway to access the internet. Also, I have VMware ESX Cluster consists of 4 hosts. Each host with 6 pNICs 2. I have a Routing Switch that configured with 4 vLANs. Switch IP Address 128.104.145.149. In the pSwitch, 4 VLANs are configured; vLAN1: 192.168.1.0 vLAN2: 128.104.0.0 vLAN3: 172.16.20.0 vLAN4: 10.1.0.0 Service Console is connected in vLAN3 which is 172.16.20.0/24 Network, under vSwitch0 contains 2pNICs & 3 PortGroups. Service Console PortGroup, VMotion PortGroup & vCenter PortGroup. vCenter PortGroup I use it to place the VirtualCenter VM & I will place the VM Firewall. [b]Requirements:[/b] I want to restrict the access to the Virtual Center & ESX farm between the 128.104.0.0 & 172.16.20.0 Network. Currently, I'm accessing the VirtualCenter on 172.16.20.0 Network by adding a Static Route on the Vi-Clients to go via 128.104.145.149 "The pSwitch IP Address". I can simply reach to the network, but it doesn't provide me any security on Access-Rules and Port Restrictions. Once I place the vFirewall in the vCenter PortGroup, and I assigned 2 vNICs one to be for the Production & the other for the vCenter PortGroup. How can I configure the routing between the ISA Firewall "Front-end Firewall" with the vFirewall "Back-end Firewall"???? In a Back-to-Back Firewall Scenario, the Internal Network behind the Front-end Firewall, becomes a [b]DMZ Network[/b], yeah? I have done the following to get it work, but unfortunately, I cant get it work. I have Setup another Virtual ISA Server to serve the vLAN3 segment & configured it with 2 vNICs; External: IP Address: 128.104.30.30/16 DG:128.104.30.12 -> Internal Address of the Front-end ISA Firewall DNS:N/A Internal: IP Address: 172.16.20.101/24 DG: N/A DNS: 172.16.20.55 ====================================== 1. In the Back-end ISA Server, I have created the 128.104.0.0 ~ 128.104.255.255 as a DMZ Network. 2. Created a Route Relationship between default Internal Network behind the Back-end ISA Server and the DMZ Network 3. For testing purposes, I have created a Computer-Set for the ESX Servers & DMZ Clients & Created Access Rule All Outbound Protocols from Default Internal Network behind the Back-end ISA Server to DMZ Network. And Added both elements in this Rule as a Source & Destination 4. In the DMZ Clients. I Remove the 172.16.20.0 mask 255.255.255.0 128.104.145.149 Static Route & Added 172.16.20.0 mask 255.255.255.0 128.104.30.30 "External Interface of the Back-end ISA Server". 5. Configured the Front-end ISA Server with the Default Internal Network behind the Back-end ISA Server "172.16.20.0 172.16.20.255". 6. Configured a Static Route entry in the Front-end ISA Server 172.16.20.0 mask 255.255.255.0 128.104.30.30 DMZ Client configured with: IP Address: 128.104.100.30 S.M: 16 bit D.G: 128.104.30.12 "Front-end ISA Server Internal Nic" As soon as I remove the Static Route 172.16.20.0 mask 255.255.255.0 128.104.145.49 from the DMZ Clients, I lost the connectivity to the 172.16.20.0 Network. I want to enable the DMZ clients to access the 172.16.20.0 network using Limited Access-Rule. Can I do that? Many Thanks in advance. Hussain Hello Mr.David,
Firstly, let me thank you for your great work that you have done. secondly, I have a question about a vFirewall desiging along with VMware Network Topology as well as across VLANs.

I have an ISA Firewall 2004 that configured with 2 pNICs, external & internal.

External: 192.168.1.50/24
DG: 192.168.1.1
DNS:N/A

Internal: 128.104.30.12/16
DG: N/A
DNS: 128.104.30.40

Clients configured with 128.104.30.12 Gateway to access the internet.

Also, I have VMware ESX Cluster consists of 4 hosts. Each host with 6 pNICs 2. I have a Routing Switch that configured with 4 vLANs. Switch IP Address 128.104.145.149. In the pSwitch, 4 VLANs are configured;
vLAN1: 192.168.1.0
vLAN2: 128.104.0.0
vLAN3: 172.16.20.0
vLAN4: 10.1.0.0

Service Console is connected in vLAN3 which is 172.16.20.0/24 Network, under vSwitch0 contains 2pNICs & 3 PortGroups. Service Console PortGroup, VMotion PortGroup & vCenter PortGroup. vCenter PortGroup I use it to place the VirtualCenter VM & I will place the VM Firewall.

[b]Requirements:[/b]
I want to restrict the access to the Virtual Center & ESX farm between the 128.104.0.0 & 172.16.20.0 Network.

Currently, I’m accessing the VirtualCenter on 172.16.20.0 Network by adding a Static Route on the Vi-Clients to go via 128.104.145.149 “The pSwitch IP Address”. I can simply reach to the network, but it doesn’t provide me any security on Access-Rules and Port Restrictions.

Once I place the vFirewall in the vCenter PortGroup, and I assigned 2 vNICs one to be for the Production & the other for the vCenter PortGroup. How can I configure the routing between the ISA Firewall “Front-end Firewall” with the vFirewall “Back-end Firewall”????

In a Back-to-Back Firewall Scenario, the Internal Network behind the Front-end Firewall, becomes a [b]DMZ Network[/b], yeah? I have done the following to get it work, but unfortunately, I cant get it work.

I have Setup another Virtual ISA Server to serve the vLAN3 segment &
configured it with 2 vNICs;

External:
IP Address: 128.104.30.30/16
DG:128.104.30.12 -> Internal Address of the Front-end ISA Firewall
DNS:N/A

Internal:
IP Address: 172.16.20.101/24
DG: N/A
DNS: 172.16.20.55

======================================
1. In the Back-end ISA Server, I have created the 128.104.0.0 ~
128.104.255.255 as a DMZ Network.
2. Created a Route Relationship between default Internal Network behind the
Back-end ISA Server and the DMZ Network
3. For testing purposes, I have created a Computer-Set for the ESX Servers &
DMZ Clients & Created Access Rule All Outbound Protocols from Default
Internal Network behind the Back-end ISA Server to DMZ Network. And Added
both elements in this Rule as a Source & Destination
4. In the DMZ Clients. I Remove the 172.16.20.0 mask 255.255.255.0
128.104.145.149 Static Route & Added 172.16.20.0 mask 255.255.255.0
128.104.30.30 “External Interface of the Back-end ISA Server”.
5. Configured the Front-end ISA Server with the Default Internal Network
behind the Back-end ISA Server “172.16.20.0 172.16.20.255″.
6. Configured a Static Route entry in the Front-end ISA Server 172.16.20.0
mask 255.255.255.0 128.104.30.30

DMZ Client configured with:
IP Address: 128.104.100.30
S.M: 16 bit
D.G: 128.104.30.12 “Front-end ISA Server Internal Nic”

As soon as I remove the Static Route 172.16.20.0 mask 255.255.255.0
128.104.145.49 from the DMZ Clients, I lost the connectivity to the
172.16.20.0 Network.

I want to enable the DMZ clients to access the 172.16.20.0 network using Limited Access-Rule. Can I do that?

Many Thanks in advance.
Hussain

]]>