Wednesday, October 2, 2013

Adding Juniper SRX external firewall in Cloudstack

Configure Juniper SRX in CloudStack


Adding an SRX to CloudStack takes two steps:

1. Preconfigure the SRX
2. Add SRX into cloudstack

Preconfigure SRX


The configuration below is applied to the physical SRX external firewall device. It has to be done by the admin; it is not part of the CloudStack orchestration job.

1. Configure the system

Command to enable xnm-clear-text:
set system services xnm-clear-text

Configure the name server:
set system name-server 10.103.128.16


set system time-zone Asia/Calcutta
set system root-authentication encrypted-password "$1$ucpHjRfH$dNkhOuzKXJxrpAtewvTu.1"
set system name-server 10.103.128.16
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services dns
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0


System services configuration:



2.  Configure the interfaces

Choose three interfaces on the SRX device. This example uses fe-0/0/0, fe-0/0/1 and fe-0/0/4.

Three interfaces need to be configured:
1. Management interface   - fe-0/0/0
2. Private/Guest interface - fe-0/0/1
3. Public interface        - fe-0/0/4.52, where 52 is the public VLAN

Commands to configure interfaces:


set interfaces fe-0/0/0 description "Management Interface"
set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
set interfaces fe-0/0/1 description "Private network"
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/4 description "Public Network"
set interfaces fe-0/0/4 vlan-tagging
set interfaces fe-0/0/4 unit 52 vlan-id 52
set interfaces fe-0/0/4 unit 52 family inet sampling input
set interfaces fe-0/0/4 unit 52 family inet sampling output
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24


Interface config:



3. Create zones

3.1 Create trust zone for guest network
3.2 Create untrust zone for public network
3.3 Add the management interface to the trust zone and the public interface to the untrust zone.

Commands to configure zones:

root# show security zones | display set
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/4.52

Zones Config:


4. Allow traffic within the trust zone (trust to trust)

Commands to configure security policy:

set security policies from-zone trust to-zone trust policy accept-all match source-address any
set security policies from-zone trust to-zone trust policy accept-all match destination-address any
set security policies from-zone trust to-zone trust policy accept-all match application any
set security policies from-zone trust to-zone trust policy accept-all then permit

5. Add specific routes to separate private and public traffic.

In the routes below, 10.147.40.0, 10.146.0.0 and 10.147.59.0 are the management network CIDRs.
The default route points to the public network gateway.

Command to configure routes:

set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
set routing-options static route 10.147.40.0/23 install
set routing-options static route 10.146.0.0/24 next-hop 10.147.40.1
set routing-options static route 10.146.0.0/24 install
set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
set routing-options static route 0.0.0.0/0 install
set routing-options static route 10.147.59.0/24 next-hop 10.147.40.1
set routing-options static route 10.147.59.0/24 install


Routes config:



Add SRX into cloudstack


1. After preconfiguring the SRX, make sure that the SRX management IP address is reachable from the CloudStack management server.

2. Add the SRX in CloudStack.



3. Enable the SRX.

4. Create a network offering that uses the physical external firewall device SRX:
DHCP:            Virtual Router
DNS:             Virtual Router
Firewall:        Juniper SRX
Source NAT:      Juniper SRX
Static NAT:      Juniper SRX
Port Forwarding: Juniper SRX






5. Deploy VM using the offering created for SRX.


Configure source NAT rule on SRX

The network offering selected 'Supported Source NAT type': per zone, so you need to configure source
NAT manually on the SRX.

This configuration is required for the VM to reach the public network.

Commands to configure source NAT:


set security nat source pool 10-147-52-3 address 10.147.52.3/32
set security nat source rule-set trust from zone trust
set security nat source rule-set trust to zone untrust
set security nat source rule-set trust rule demo match source-address 10.0.32.0/20
set security nat source rule-set trust rule demo then source-nat pool 10-147-52-3
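As an added example (not part of the original post), a pre-flight check in Python that parses the set-style lines from the preconfiguration steps and the source NAT step above and flags inconsistencies that otherwise only show up at VM deployment: xnm-clear-text not enabled, a static next-hop outside any directly connected subnet, or a source NAT pool whose address is not on an interface in the zone the rule-set NATs to. The sample config is constructed from the page's own commands.

```python
import ipaddress
import re

# Constructed sample: the relevant "set" lines from the page's preconfiguration and source NAT steps.
CONFIG = """
set system services xnm-clear-text
set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
set security zones security-zone trust interfaces fe-0/0/0.0
set security zones security-zone untrust interfaces fe-0/0/4.52
set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
set security nat source pool 10-147-52-3 address 10.147.52.3/32
set security nat source rule-set trust to zone untrust
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")
POOL_RE = re.compile(r"^set security nat source pool (\S+) address (\S+)$")
NAT_TO_RE = re.compile(r"^set security nat source rule-set \S+ to zone (\S+)$")

def check_config(text):
    """Return a list of problems found in a Junos set-style config; empty means consistent."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    ifaces, zones, routes, pools, nat_to = {}, {}, [], {}, set()
    for l in lines:
        if m := IFACE_RE.match(l):       # logical unit (e.g. fe-0/0/4.52) -> address/prefix
            ifaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := ZONE_RE.match(l):      # zone -> logical units placed in it
            zones.setdefault(m[1], []).append(m[2])
        elif m := ROUTE_RE.match(l):
            routes.append((m[1], ipaddress.ip_address(m[2])))
        elif m := POOL_RE.match(l):
            pools[m[1]] = ipaddress.ip_interface(m[2]).ip
        elif m := NAT_TO_RE.match(l):
            nat_to.add(m[1])
    problems = []
    if "set system services xnm-clear-text" not in lines:
        problems.append("xnm-clear-text is not enabled; CloudStack cannot talk to the SRX")
    # A static next-hop must sit on a directly connected subnet or the route is unusable.
    for prefix, nh in routes:
        if not any(nh in i.network for i in ifaces.values()):
            problems.append(f"route {prefix}: next-hop {nh} is not on a connected subnet")
    # The SNAT pool must be an address of an interface in the zone the rule-set NATs to.
    public_ips = {ifaces[n].ip for z in nat_to for n in zones.get(z, []) if n in ifaces}
    for name, ip in pools.items():
        if ip not in public_ips:
            problems.append(f"NAT pool {name}: {ip} is not an address in the NAT target zone")
    return problems
```

Run `check_config` on the output of `show configuration | display set` from the SRX; an empty list means the three checks passed.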

Source NAT configuration:


Accessing public network after configuring Source NAT rule on SRX:



CloudStack static NAT rule on the acquired IP of the SRX network:




Set a firewall rule on the public IP of the SRX network:


Accessing the VM using the public IP and the rules configured above:



CloudStack configuration files:

The config file includes the preconfiguration, the config after VM deployment, and the config after the static NAT and firewall configuration.

https://www.dropbox.com/sh/4zhgdpj7q0rc2d8/5g-cNyWA1i

3 comments:

  1. Thank you for this document. It is very helpful. This is really hard to follow without an overview of your network configuration.

  2. Hi, thank you for sharing this information.
    I have one problem: I do not see the option to add SRX.
    Is there a specific plugin I need to be able to make the SRX option available?
    Please advise.
    Thank you
