Solved

Quick Watchguard Question

Posted on 2002-05-29
2
423 Views
Last Modified: 2013-11-16
My company has bought a new Watchguard Firebox 3 4500 firewall that I'm setting up an initial config for.

My question is this:

What's better practice when setting up static NAT for inbound connections to web servers, smtp gateways, etc...

1)Add the external addresses to the external aliases tab under network configuration.  Then when configuring a rule, create an instance of a static NAT mapping from the available external address to the internal address.

2)Don't add the external addresses to the external aliases tab under network configuration.  Instead, under NAT, add each of the internal addresses as exceptions to the dynamic NAT rules and add 1-1 static NAT mappings for the addresses in question.
The benefit that I can see of doing this is that it makes rule configuration much easier as you only specify the internal address of the host in question.
0
Comment
Question by:hstiles
2 Comments
 
LVL 1

Accepted Solution

by:
asweinstein earned 100 total points
ID: 7103620
There is no need to setup static 1-1 NAT as stated in option 2, unless you have an application that demands it. For example, if you had multiple Citrix servers behind the firewall, 1-1 NAT for those would be appropriate. This is pretty much true for any situation where you will be hosting several servers using the same port numbers behind the Firebox. For an installation with a single server of each type (web, smtp, etc...) dynamic NAT will work fine. Static 1-1 NAT is also required to support outbound IPSEC connections.
0
 
LVL 13

Author Comment

by:hstiles
ID: 7103693
I should have come back to this question sooner.  I actually worked out during the installation of said Firebox that just a standard inbound NATting rule is sufficient for most situations.

I did have to use some 1-1 NATting as we have a distributed printing application that requires an initial handshake between the document server and host before printing can commence.
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An analysis of the phishing scam that has been affecting Google users, along with steps to take for protection, as well as what to do if you receive one of the emails.
On Beyond Tools A conversation I recently had with the DevOps manager of a major online retailer really made me think about DevOps monitoring tools (https://www.onpage.com/devops-incident-management-tool/). The manager and I discussed how sever…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question