Solved

Quick Watchguard Question

Posted on 2002-05-29
2
437 Views
Last Modified: 2013-11-16
My company has bought a new Watchguard Firebox 3 4500 firewall that I'm setting up an initial config for.

My question is this:

What's better practice when setting up static NAT for inbound connections to web servers, smtp gateways, etc...

1)Add the external addresses to the external aliases tab under network configuration.  Then when configuring a rule, create an instance of a static NAT mapping from the available external address to the internal address.

2)Don't add the external addresses to the external aliases tab under network configuration.  Instead, under NAT, add each of the internal addresses as exceptions to the dynamic NAT rules and add 1-1 static NAT mappings for the addresses in question.
The benefit that I can see of doing this is that it makes rule configuration much easier as you only specify the internal address of the host in question.
0
Comment
Question by:hstiles
2 Comments
 
LVL 1

Accepted Solution

by:
asweinstein earned 100 total points
ID: 7103620
There is no need to setup static 1-1 NAT as stated in option 2, unless you have an application that demands it. For example, if you had multiple Citrix servers behind the firewall, 1-1 NAT for those would be appropriate. This is pretty much true for any situation where you will be hosting several servers using the same port numbers behind the Firebox. For an installation with a single server of each type (web, smtp, etc...) dynamic NAT will work fine. Static 1-1 NAT is also required to support outbound IPSEC connections.
0
 
LVL 13

Author Comment

by:hstiles
ID: 7103693
I should have come back to this question sooner.  I actually worked out during the installation of said Firebox that just a standard inbound NATting rule is sufficient for most situations.

I did have to use some 1-1 NATting as we have a distributed printing application that requires an initial handshake between the document server and host before printing can commence.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Knowing where your website is hosted is as important as the features you receive, the monthly fee, and the support you receive. Due diligence should be done when choosing your next hosting provider.
There's a lot of hype surrounding blockchain technology. Here's how it works and some of the novel ways it' s now being used - including for data protection.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question