Solved

Quick Watchguard Question

Posted on 2002-05-29
2
413 Views
Last Modified: 2013-11-16
My company has bought a new Watchguard Firebox 3 4500 firewall that I'm setting up an initial config for.

My question is this:

What's better practice when setting up static NAT for inbound connections to web servers, smtp gateways, etc...

1)Add the external addresses to the external aliases tab under network configuration.  Then when configuring a rule, create an instance of a static NAT mapping from the available external address to the internal address.

2)Don't add the external addresses to the external aliases tab under network configuration.  Instead, under NAT, add each of the internal addresses as exceptions to the dynamic NAT rules and add 1-1 static NAT mappings for the addresses in question.
The benefit that I can see of doing this is that it makes rule configuration much easier as you only specify the internal address of the host in question.
0
Comment
Question by:hstiles
2 Comments
 
LVL 1

Accepted Solution

by:
asweinstein earned 100 total points
ID: 7103620
There is no need to setup static 1-1 NAT as stated in option 2, unless you have an application that demands it. For example, if you had multiple Citrix servers behind the firewall, 1-1 NAT for those would be appropriate. This is pretty much true for any situation where you will be hosting several servers using the same port numbers behind the Firebox. For an installation with a single server of each type (web, smtp, etc...) dynamic NAT will work fine. Static 1-1 NAT is also required to support outbound IPSEC connections.
0
 
LVL 13

Author Comment

by:hstiles
ID: 7103693
I should have come back to this question sooner.  I actually worked out during the installation of said Firebox that just a standard inbound NATting rule is sufficient for most situations.

I did have to use some 1-1 NATting as we have a distributed printing application that requires an initial handshake between the document server and host before printing can commence.
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CA single sign on 2 75
SSH over http/https 8 111
PDFMate free PDF Merger. Security concern 8 88
Unknown security group 2 60
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
A customer recently asked me about anti-malware and the different deployment options available for his business. Daily news about cyberattacks, zero-day vulnerabilities, and companies that suffered a security breach made him wonder if the endpoint a…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now