Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Quick Watchguard Question

Posted on 2002-05-29
2
Medium Priority
?
480 Views
Last Modified: 2013-11-16
My company has bought a new Watchguard Firebox 3 4500 firewall that I'm setting up an initial config for.

My question is this:

What's better practice when setting up static NAT for inbound connections to web servers, smtp gateways, etc...

1)Add the external addresses to the external aliases tab under network configuration.  Then when configuring a rule, create an instance of a static NAT mapping from the available external address to the internal address.

2)Don't add the external addresses to the external aliases tab under network configuration.  Instead, under NAT, add each of the internal addresses as exceptions to the dynamic NAT rules and add 1-1 static NAT mappings for the addresses in question.
The benefit that I can see of doing this is that it makes rule configuration much easier as you only specify the internal address of the host in question.
0
Comment
Question by:hstiles
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 1

Accepted Solution

by:
asweinstein earned 300 total points
ID: 7103620
There is no need to setup static 1-1 NAT as stated in option 2, unless you have an application that demands it. For example, if you had multiple Citrix servers behind the firewall, 1-1 NAT for those would be appropriate. This is pretty much true for any situation where you will be hosting several servers using the same port numbers behind the Firebox. For an installation with a single server of each type (web, smtp, etc...) dynamic NAT will work fine. Static 1-1 NAT is also required to support outbound IPSEC connections.
0
 
LVL 13

Author Comment

by:hstiles
ID: 7103693
I should have come back to this question sooner.  I actually worked out during the installation of said Firebox that just a standard inbound NATting rule is sufficient for most situations.

I did have to use some 1-1 NATting as we have a distributed printing application that requires an initial handshake between the document server and host before printing can commence.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A look at what happened in the Verizon cloud breach.
The recent Petya-like ransomware attack served a big blow to hundreds of banks, corporations and government offices The Acronis blog takes a closer look at this damaging worm to see what’s behind it – and offers up tips on how you can safeguard your…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question