Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Quick Watchguard Question

Posted on 2002-05-29
2
Medium Priority
?
488 Views
Last Modified: 2013-11-16
My company has bought a new Watchguard Firebox 3 4500 firewall that I'm setting up an initial config for.

My question is this:

What's better practice when setting up static NAT for inbound connections to web servers, smtp gateways, etc...

1)Add the external addresses to the external aliases tab under network configuration.  Then when configuring a rule, create an instance of a static NAT mapping from the available external address to the internal address.

2)Don't add the external addresses to the external aliases tab under network configuration.  Instead, under NAT, add each of the internal addresses as exceptions to the dynamic NAT rules and add 1-1 static NAT mappings for the addresses in question.
The benefit that I can see of doing this is that it makes rule configuration much easier as you only specify the internal address of the host in question.
0
Comment
Question by:hstiles
2 Comments
 
LVL 1

Accepted Solution

by:
asweinstein earned 300 total points
ID: 7103620
There is no need to setup static 1-1 NAT as stated in option 2, unless you have an application that demands it. For example, if you had multiple Citrix servers behind the firewall, 1-1 NAT for those would be appropriate. This is pretty much true for any situation where you will be hosting several servers using the same port numbers behind the Firebox. For an installation with a single server of each type (web, smtp, etc...) dynamic NAT will work fine. Static 1-1 NAT is also required to support outbound IPSEC connections.
0
 
LVL 13

Author Comment

by:hstiles
ID: 7103693
I should have come back to this question sooner.  I actually worked out during the installation of said Firebox that just a standard inbound NATting rule is sufficient for most situations.

I did have to use some 1-1 NATting as we have a distributed printing application that requires an initial handshake between the document server and host before printing can commence.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's take a look into the basics of ransomware—how it spreads, how it can hurt us, and why a disaster recovery plan is important.
Securing your business data in current era should be your biggest priority. Numerous people are unaware of the fact that insiders commit more than 60 percent of security breaches. You need to figure out the underlying cause and invoke your potential…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question