Hi everyone,
Configuring the vShield Edge can be a bit tricky if you have never seen the interface before, so here are some sample configurations for different situations that might fit your needs. Please note that in most cases you will need both NAT and firewall rules: adding a NAT rule does not by itself allow the traffic, a firewall rule permitting it is still required (the firewall denies everything that is not explicitly allowed). To get to the configuration, do the following:
1. Log in to your Organization as an Organization Administrator.
2. Go to the Administration tab and double-click your VDC name to open it.
3. Go to the Edge Gateways tab.
4. Right-click the Edge Gateway and choose Edge Gateway Services.
NAT (Network Address Translation) examples
Make your LAN network NAT to your external IP for external communication
To let your LAN network communicate with the internet, you need to translate your local LAN addresses to your external IP for traffic going towards WAN networks (source NAT).
1. Under the NAT tab, click "Add SNAT".
2. Make sure you apply this rule on IX-STO1 / IX-STO2, which is the external interface of your edge gateway.
3. Fill in your LAN network under Original IP, with a prefix length such as /24 (for a 255.255.255.0 subnet mask) or whatever fits your LAN configuration. Choose "any" for the original port.
4. Fill in your external IP under Translated IP, and choose "any" for the translated port and "any" for the protocol.
5. Press OK, and then OK again in the main window. You should now see the edge apply the new configuration. Done!
Make your services accessible from the internet
In this example we configure the HTTP service (port 80) to be accessible from the internet.
1. Under the NAT tab, click "Add DNAT".
2. Apply your rule on the LAN network (e.g. Demo_net). In Original (External) IP/range, set your external IP address. HTTP uses port 80, so in this case the original port is 80. Set the internal IP address you want the NAT rule to translate to (e.g. 10.10.199.5); the translated port is also 80, as the HTTP server is listening for requests on port 80.
In this case, clients trying to reach the HTTP server connect to "http://91.236.207.84". The NAT rule sees the request arriving on port 80 and translates it to the HTTP server on your LAN network. Press OK, and then OK again in the main window. The edge now applies the configuration. Done!
Sample configuration overview for RDP & HTTP service.
Add port translations (PAT) to reduce the exposure of vulnerable services
Opening a service up to the internet always adds some risk to the server, and some services (RDP is a typical example) are scanned and attacked by bots and malware far more often than others. If you expose a service whose clients do not really need to connect to the actual service port, you can use a Port Address Translation so that the service is reached on a non-standard external port. In this example we change the original (external) port from the default RDP port (3389) to 9876.
This means that I can reach the LAN server 10.10.199.5 by connecting to 91.236.207.84:9876. The vShield Edge sees the connection to that port and translates it to the server IP and port 3389, which the server is already listening on.
This makes the service harder to find for attackers, who in almost all cases try the default ports when looking for vulnerabilities in your systems. Keep in mind that it only hides the service from opportunistic scans: anyone who port-scans your external IP will still find it, so a non-standard port is no substitute for keeping the server patched or, for a management protocol like RDP, for restricting the source of the matching firewall rule to the addresses that actually need access.
Firewall rule examples: note that the default action of the firewall is to deny any traffic that is not allowed by a firewall rule:
Allow your LAN network to reach the internet
1. Go to the Firewall tab -> press Add.
2. Specify a name, and set the source to "internal" or your LAN IP network, e.g. "192.168.1.0/24". Use "external" as the destination, since the destination in this case is the external networks, and set port and protocol to "any" to allow all types of traffic (if you want to be stricter, limit this to the ports your servers actually need). Press OK and then OK again in the main window. The edge now applies the configuration. Done!
Sample overview.
Allow your services through the firewall
In this case we want to allow the traffic for the services that should be reachable from WAN networks towards our LAN server.
1. Go to the Firewall tab -> press Add.
2. Set a name. Set the source, in this case "external", as the connections will come from external networks. The source port is "any", because a client connecting to your HTTP server uses an ephemeral (random) source port when connecting to your destination port 80. The destination is your external IP, and the destination port is the port of the service you are configuring (e.g. 80 for HTTP, or 9876 if you used the PAT rule from the NAT example). Press OK and then OK again in the main window. The edge now applies the configuration.
Overview for the configuration. Remember that you also need the NAT rule in this case: once the firewall has permitted the traffic, the DNAT rule is what translates the external IP and port to the server IP and port on the inside LAN network.
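To make the interplay between the NAT and firewall examples above concrete, here is a small Python model of the edge's behaviour as this post describes it: the firewall is checked on the untranslated packet (default deny, first match wins), and only then does the SNAT/DNAT rule rewrite the addresses. It is an added example, not VMware code or a configuration export from the post; the rule evaluation order and the "internal"/"external" selectors (modelled as inside/outside the LAN prefix) are simplifying assumptions of the model. The external IP 91.236.207.84 and the LAN 10.10.199.0/24 are the ones used in the post; 203.0.113.7 and 198.51.100.9 are constructed test hosts. It loads all three NAT rules and all three firewall rules built above and includes the check a practitioner wants: which DNAT rules have no firewall rule that would ever let traffic through to them.

```python
"""Toy model of the vShield Edge NAT + firewall flow described in this post.

Added example, not VMware code or the post author's configuration. Model
assumptions (not claims about the real edge): the firewall is evaluated on the
untranslated packet before NAT, as the post describes; the first matching rule
wins; "internal"/"external" mean inside/outside the LAN prefix. 203.0.113.7 and
198.51.100.9 are constructed test hosts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

EXTERNAL_IP = "91.236.207.84"                     # external IP from the post
LAN_NET = ipaddress.ip_network("10.10.199.0/24")  # LAN network from the post


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NatRule:
    kind: str                     # "SNAT" or "DNAT"
    original_ip: str              # SNAT: LAN CIDR; DNAT: external IP
    original_port: Optional[int]  # None means "any"
    translated_ip: str
    translated_port: Optional[int]
    proto: str = "any"


@dataclass(frozen=True)
class FirewallRule:
    name: str
    source: str                   # "internal", "external", a CIDR or an IP
    destination: str
    dst_port: Optional[int]       # None means "any"
    proto: str = "any"
    action: str = "allow"


def _ip_matches(ip: str, spec: str) -> bool:
    """Match an address against the selectors offered in the firewall UI."""
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec == "internal":
        return addr in LAN_NET
    if spec == "external":
        return addr not in LAN_NET
    return addr in ipaddress.ip_network(spec, strict=False)


def firewall_allows(rules: List[FirewallRule], pkt: Packet) -> bool:
    """Default deny: traffic passes only if a rule explicitly allows it."""
    for r in rules:
        if (_ip_matches(pkt.src_ip, r.source)
                and _ip_matches(pkt.dst_ip, r.destination)
                and r.dst_port in (None, pkt.dst_port)
                and r.proto in ("any", pkt.proto)):
            return r.action == "allow"
    return False


def apply_nat(rules: List[NatRule], pkt: Packet) -> Packet:
    """Rewrite the packet with the first matching SNAT/DNAT rule, if any."""
    for r in rules:
        if r.proto not in ("any", pkt.proto):
            continue
        if (r.kind == "DNAT" and pkt.dst_ip == r.original_ip
                and r.original_port in (None, pkt.dst_port)):
            return Packet(pkt.src_ip, pkt.src_port, r.translated_ip,
                          r.translated_port or pkt.dst_port, pkt.proto)
        if r.kind == "SNAT" and _ip_matches(pkt.src_ip, r.original_ip):
            return Packet(r.translated_ip, pkt.src_port, pkt.dst_ip,
                          pkt.dst_port, pkt.proto)
    return pkt


def forward(fw: List[FirewallRule], nat: List[NatRule], pkt: Packet) -> Optional[Packet]:
    """Firewall first (on the untranslated packet), then NAT. None = dropped."""
    return apply_nat(nat, pkt) if firewall_allows(fw, pkt) else None


def dnat_without_firewall(fw: List[FirewallRule], nat: List[NatRule]) -> List[NatRule]:
    """Audit check: DNAT rules that no firewall rule would ever let through."""
    orphans = []
    for r in nat:
        if r.kind != "DNAT":
            continue
        probe = Packet("203.0.113.7", 51234, r.original_ip,            # constructed client
                       r.original_port if r.original_port is not None else 1,
                       "tcp" if r.proto == "any" else r.proto)
        if not firewall_allows(fw, probe):
            orphans.append(r)
    return orphans


# The three NAT rules and three firewall rules built in the post.
NAT_RULES = [
    NatRule("SNAT", "10.10.199.0/24", None, EXTERNAL_IP, None),      # LAN -> internet
    NatRule("DNAT", EXTERNAL_IP, 80, "10.10.199.5", 80, "tcp"),       # HTTP
    NatRule("DNAT", EXTERNAL_IP, 9876, "10.10.199.5", 3389, "tcp"),   # RDP via PAT
]
FW_RULES = [
    FirewallRule("LAN to internet", "internal", "external", None),
    FirewallRule("HTTP in", "external", EXTERNAL_IP, 80, "tcp"),
    FirewallRule("RDP in via PAT", "external", EXTERNAL_IP, 9876, "tcp"),
]

if __name__ == "__main__":
    client = "203.0.113.7"
    print(forward(FW_RULES, NAT_RULES, Packet(client, 51234, EXTERNAL_IP, 80)))    # reaches 10.10.199.5:80
    print(forward(FW_RULES, NAT_RULES, Packet(client, 51235, EXTERNAL_IP, 9876)))  # reaches 10.10.199.5:3389
    print(forward(FW_RULES, NAT_RULES, Packet(client, 51236, EXTERNAL_IP, 3389)))  # None: default port closed
    print(forward(FW_RULES, NAT_RULES, Packet("10.10.199.5", 40000, "198.51.100.9", 443)))  # SNATed
    print(dnat_without_firewall(FW_RULES[:1], NAT_RULES))  # both DNAT rules, once the inbound allows are gone
```

Running it shows the point the post keeps making: with only the "LAN to internet" firewall rule in place, both DNAT rules exist but `forward` returns None for every inbound connection, and `dnat_without_firewall` lists them as orphans. It also shows what the PAT example buys you: 91.236.207.84:9876 reaches the RDP server while 91.236.207.84:3389 is denied by default, because nothing allows it.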