Question

Need some help with a WatchGuard Firebox x500 and external IPs

Asked by: tsaico

We have a block of external IPs that I would like to start using a second one.

Right now, the external interface has an IP issued to it by the DSL modem issued to us by AT&T, and it shows up as the last available IP in our pool (of 6, if it matters). A whois lookup confirms the IP, and it is also stated on the status page in the Manager. Our internal is working fine also. While we had the extra IPs, we never used any until our need now. The issue is we have an internal Exchange server that wants 443 for OWA and HTTPS, ActiveSync, but another one of our applications requires 443 to be redirected to it.

The question is how do I get requests for the second IP in my block on the external side to forward to the correct internal IP?  I see an optional interface, and it looks like I can put in a CIDR style IP, but I am not sure if my math is correct.  I checked it against an online calculator but worried I might have it wrong.

examples:
IP block- x.x.x.160-x.x.x.167, with the external interface already getting x.x.x.166 through DHCP dished out by the modem.  I was thinking x.x.x.160/30 to enter into the optional interface, if that would even work.  Patch a cable from an available port on the modem to the Optional Interface, then redirect 80 and 443 on the optional interface to my internal server that will process these requests.

Any help? (I originally called to see if we can renew the support for this, but found the x500 to be at its end of life in a day.) Thanks in advance!


Asked On: 2009-10-22 at 16:20:30 (ID 24836531)
Tags: Firebox x500 watchGuard External IP
Topics: Watchguard Firewall, TCP/IP
Participating Experts: 2
Points: 250
Comments: 15


Answers

 

by: ronaldsmitty, posted on 2009-10-22 at 16:53:30, ID: 25640188

First do you have Firewire Pro?

 

by: tsaico, posted on 2009-10-22 at 17:07:19, ID: 25640257

Since I do not know what that is, I doubt it. Or do you mean Fireware? If that is the case, then I don't think so... I see under the licensed features:
Firebox model upgrade
Mobile User VPN
Branch office VPN
SpamScreen License
High-availability License
WebBlocker
and 3 port upgrade

 

by: dpk_wal, posted on 2009-10-22 at 23:13:44, ID: 25641655

You can add a different subnet on the external interface itself, or on any other interface if you wish.

Let's say you have 1.1.1.1/24 as the subnet which is your primary subnet and is already working on the existing network [both for incoming and outgoing traffic].

Now you also have 2.2.2.2/28 subnet which you never used before but would like to use now.
1. Add 2.2.2.2/28 as secondary network on external interface [in policy manager, click Network->Configuration->select External, click Configure; select Secondary Tab; click Add]; you can have the server on any physical interface as you wish.
2. You can configure static NAT or 1-1 NAT for the server as you deem necessary [please let me know if you need steps for this] using a policy.
3. Here the only prerequisite is that your ISP should properly forward all traffic for 2.2.2.x network to your firebox external interface.

If you do not wish to perform any NAT but would like the new server on 2.2.2.x network then this setup would be different and the steps would be entirely different as well.

Please let me know if you need more details.

Thank you.

 

by: tsaico, posted on 2009-10-22 at 23:31:53, ID: 25641721

I think I understand what you are talking about.

How do I confirm if my ISP is routing traffic to that IP? They just gave me the range of x.x.x.160-167, told me the gateway was 166, network was 160 and broadcast was 167. Does that mean I can put in any of the other IPs like 161-165 as a secondary network on the external interface?

 

by: dpk_wal, posted on 2009-10-23 at 00:04:39, ID: 25641873

Continuing with my example: if you ping 2.2.2.2 from any other internet connection and the traffic is forwarded to your firebox, in traffic monitor you would see denies; this would confirm that the ISP is forwarding traffic correctly.

To make sure things are pretty correct, you can also try telnet on a different port [can be random too] and also can use a tool like nmap and do a port/IP sweep. For all attempts you should see denies in traffic monitor.

Thank you.

 

by: tsaico, posted on 2009-10-23 at 09:35:45, ID: 25646029

But if the other IP that I want to add isn't another network, it is just another IP in my block.  Should I be looking at it in a different point of view? Or is the term secondary network just referencing another IP?

If I want the second external IP to be x.x.x.162, do I enter the secondary network as x.x.x.162/30?

Then for the static NAT policy, how does the Firebox know to route 443 and 80 requests from the external IP x.x.x.162 to my internal machine and not get it mixed up with my other external IP (x.x.x.166) static NAT policies? The drop down on the static NAT menu only shows the interface names, or will the drop down have two external entries in the drop down menu?

Thanks again in advance. I haven't worked with a firebox before and the logic seems a little different on them. The last hefty firewall I dealt with was a Symantec, and to do this you would just enter a static IP into the interface config from your pool. Then write rules with this new interface name instead.

 

by: dpk_wal, posted on 2009-10-23 at 10:50:08, ID: 25646684

Looks like you are using version 7.x of WG software; I was listing steps as per 8.x or higher version.

The steps would be different for you. Sorry for the confusion; I thought the IP address subnets were different. If the IP addresses are in the same subnet as the external interface IP, then you would use Aliases instead.

Once added, when you click Add, NAT, the IP address and External would start appearing.

Consider this example: 6 total IP addresses from the ISP, 1.1.1.1-1.1.1.6; 1.1.1.7 is the default gateway, 1.1.1.1 is assigned to the external interface and the mask is 29.
Now to use 1.1.1.2 and .3 for different servers and use static NAT, add IP 1.1.1.2 and 1.1.1.3 as aliases on the external interface.

One thing to note here is: by default, if you configure static NAT, the outbound traffic from the server takes the IP of the external interface rather than the public IP with which it came in; if you wish to use the same IP, then use 1-1 NAT instead.
For example, if you host an SMTP server, many servers would reject email if they perform a reverse DNS lookup and your external IP address and MX addresses are different.
In such a case you should use 1-1 NAT.

If you have addresses which are in different subnet than the IP of your external interface then we would use secondary tab.

Please let me know if you need more details.

Thank you.
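The subnet arithmetic behind both the asker's x.x.x.160-167 block (including the x.x.x.160/30 guess) and dpk_wal's 1.1.1.x example, as an added Python example that is not part of the original thread. 203.0.113.160-167 is a constructed stand-in for the asker's masked x.x.x prefix; the gateway and external-interface addresses are the ones stated in the two posts.

```python
"""Subnet checks for a small static block, using Python's ipaddress module.

Constructed sample values: 203.0.113.160-167 stands in for the asker's
x.x.x.160-167 (external interface and ISP gateway both at .166, as stated),
and 1.1.1.1/29 with gateway 1.1.1.7 follows dpk_wal's example.
"""
import ipaddress


def cidr_for_range(first: str, last: str) -> ipaddress.IPv4Network:
    """Return the one CIDR prefix that exactly spans first..last.

    Raises ValueError when the range is not an aligned block (for example
    .161-.166 cannot be written as a single prefix).
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    nets = list(ipaddress.summarize_address_range(lo, hi))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} is not one CIDR block: {nets}")
    return nets[0]


def covers(candidate: str, first: str, last: str) -> bool:
    """True if the candidate prefix (e.g. '203.0.113.160/30') contains
    every address from first to last."""
    net = ipaddress.IPv4Network(candidate, strict=False)
    return (ipaddress.IPv4Address(first) in net
            and ipaddress.IPv4Address(last) in net)


def alias_candidates(block: str, gateway: str, interface_ip: str) -> list:
    """Addresses still free for external aliases / static NAT once the
    network address, broadcast address, ISP gateway and the address already
    bound to the external interface are excluded."""
    net = ipaddress.IPv4Network(block, strict=False)
    taken = {net.network_address, net.broadcast_address,
             ipaddress.IPv4Address(gateway), ipaddress.IPv4Address(interface_ip)}
    # Iterating the network yields every address, so the set above must
    # remove network and broadcast explicitly.
    return [str(a) for a in net if a not in taken]


if __name__ == "__main__":
    first, last = "203.0.113.160", "203.0.113.167"
    block = cidr_for_range(first, last)
    print("block:", block)                                                  # 203.0.113.160/29
    print("/30 guess covers it:", covers("203.0.113.160/30", first, last))  # False
    print("aliases:", alias_candidates(str(block), "203.0.113.166", "203.0.113.166"))
    print("dpk_wal aliases:", alias_candidates("1.1.1.1/29", "1.1.1.7", "1.1.1.1"))
```

The eight-address range is a /29, not a /30, and the addresses left for aliases are .161-.165, matching the range the asker guessed at.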

 

by: tsaico, posted on 2009-10-23 at 23:29:10, ID: 25651064

Uh oh, looks like I have started a problem that is bigger than not having an IP! Now it is constantly rebooting. I don't even have time to log into it before it reboots again; how do I get it to stop this behavior?

 

by: dpk_wal, posted on 2009-10-24 at 00:55:13, ID: 25651224

Did this happen after you made some change? Take the unit off the network [disconnect the untrust and trust cables]; connect a cross-over cable from a laptop (with WG software installed) to the trust interface.
Save the old config back, OR check if the device boots fine now and if you can connect through the management software.

If nothing, reset the unit to factory default and then load the last good known config to the unit.

To reset to factory defaults, power down the unit; press the UP arrow; power on the unit; keep pressing the UP arrow key till the LCD display shows the Firebox is running in safe mode. When the Firebox runs in safe mode, it is running in factory-default mode. In factory-default mode, the Firebox trusted interface is set to 10.0.1.1.
Open policy manager and load the configuration which you wish to save to firebox [here you have option to reconfigure firebox from scratch if you wish so!].
Finally select File > Save > To Firebox. Save your configuration to the Firebox at IP address 10.0.1.1, with the administrative passphrase admin.
After the Firebox restarts with its new configuration, change the passphrases for the Firebox. Select File > Change Passphrases to set new passphrases.

Please implement and update.

Thank you.

 

by: dpk_wal, posted on 2009-10-24 at 01:00:20, ID: 25651236

One CORRECTION: as you are running version 7.x, the default IP of the unit would be 192.168.253.1 and wg would be the passphrase instead, and you would be prompted to set new passphrases upon save.

Also, change the laptop IP to the same subnet 192.168.253.x/24 if you reset the unit to factory defaults, before loading image from the laptop policy manager.

Thank you.

 

by: tsaico, posted on 2009-10-26 at 00:01:42, ID: 25660077

Well, now it seems the problems are not related to the network changes I made. If I hard shut down the unit, it will boot fine back into whatever config I loaded, new or old. If I do a soft reboot through the policy manager, it will constantly crash and reboot itself and then just get stuck in the endless cycle. I can then just flip the switch, and then after a couple of times, it boots normal... have you ever seen any behavior like this? Is this a sign it is starting to fail? I hate blaming hardware for my headaches, but this one seems to be an actual problem... I also reset it to factory, saved that to the firebox and then saw the same behavior with almost nothing configured other than the trusted interface.

 

by: dpk_wal, posted on 2009-10-26 at 00:35:59, ID: 25660211

Please see answer as attachment; for some reason unable to SUBMIT answer.

 

by: tsaico, posted on 2009-10-26 at 13:11:14, ID: 25666239

I reset to factory defaults, and then only configured the Trusted Interface to get it to talk to my normal network and workstation. I then hit reboot, once I confirmed connecting to it from there, and it got stuck in rebooting over and over again. There were no other changes made. It was stuck until I cycled the switch in the back.

 

by: dpk_wal, posted on 2009-10-26 at 20:33:02, ID: 25668949

It does look like a hardware problem; please contact WG for replacement or trade-in program information as applicable.

 

by: tsaico, posted on 2009-11-10 at 15:11:35, ID: 31644807

The hardware turned out to be defective. We ended up replacing it with an equivalent SonicWall and the unit is working as expected.
