flosoft asked:
Watchguard Firebox II and 700.

HI,
Having a little trouble with configuring a watchguard firebox II, I also have a firebox 700, but see little difference between the 2 and will probably sell off the 700 as it is worth more.

The problem is I have configured the network interfaces on separate networks - trusted interface - 192.168.0.1 - Optional Interface - 192.168.1.1; the external is set by DHCP. I have configured separate HTTP Proxies for 2 types of access, limited and full access to the internet (trusted), set up a Web server and FTP (optional), and this all seems to be ok. The problem I am having is getting the optional and trusted interfaces to communicate; the servers on the optional cannot log into or see the network. I temporarily got around this by adding a 2nd NIC in the 3 public servers and assigning them trusted IPs, but I am sure there is a way to allow communications between my trusted and optional interfaces so files can be shared and websites developed etc. I just can't seem to get the 2 to communicate through the firebox.

I would also like to know, if possible, the benefits of the FBIII 700 over the Firebox II other than the mild CPU speed difference.

Once this part is done I am on to an Exchange server question I have regarding this network as well.

Thanks in advance.
flosoft (asker):
a little more specific, I want my optional side servers to be able to log into the network and also allow file and print sharing with an optional > trusted and trusted > optional without opening up more than I need to.
For the 1st question:
(why your optional cannot communicate with the trusted while the trusted can communicate with the opt.)
You are using HTTP proxies. This kind of proxy is particular: the outgoing HTTP proxy takes charge of ALL your outgoing TCP connections, but the incoming one is only in charge of the HTTP connections.
Then outgoing connections are implicitly allowed, but you have to explicitly allow the incoming connections. This depends on the type of access you want to allow. (Ask for any specific configuration help.)
There are no problems with different IP addresses on your interfaces (Firebox uses reverse ARP proxy).

If you want to allow file and computer sharing, just add the "SMB" service, and allow communication between your optional servers (based on IP addresses if you can) and the trusted zone.

Note that this kind of configuration is not recommended, because it will allow incoming NetBIOS communication. NetBIOS is a very sensible protocol, with a lot of flaws, and so it is dangerous to allow incoming NetBIOS communications.


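The answer above describes two things worth seeing side by side: connections that leave a more-trusted interface are passed implicitly, while anything coming back into the trusted zone needs an explicit service rule, and that rule should be limited to the specific optional-side servers rather than the whole segment. The following Python model is an added example written for this page, not code from the thread or from WatchGuard; the zone ranking, the `Rule` structure, the `evaluate` function and the server addresses 192.168.1.2-4 are assumptions chosen to illustrate the point, not Firebox configuration syntax.

```python
# Added example (not from the original thread): a toy zone-policy model of the
# Firebox behaviour described in the answer. Names, ranks and addresses are
# assumptions for illustration only.
import ipaddress
from dataclasses import dataclass

# Address plan taken from the question (trusted 192.168.0.x, optional 192.168.1.x).
ZONES = {
    "trusted": ipaddress.ip_network("192.168.0.0/24"),
    "optional": ipaddress.ip_network("192.168.1.0/24"),
}
# Higher rank = more trusted. Traffic toward a lower rank is "outgoing".
RANK = {"trusted": 2, "optional": 1, "external": 0}

# NetBIOS/SMB services: 137/138 are UDP, 139 and 445 are TCP.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}


@dataclass(frozen=True)
class Rule:
    """One explicit 'incoming' allow rule, as the answer says must be added."""
    name: str
    src_zone: str
    dst_zone: str
    services: frozenset                  # set of (proto, dst_port) pairs
    src_hosts: frozenset = frozenset()   # allowed source addresses; empty = any


def zone_of(ip: str) -> str:
    """Map an address to the interface zone it sits behind."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """Return (decision, reason) for a new connection attempt through the firebox."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        # Same segment: never traverses the firebox at all.
        return "allow", "same segment"
    if RANK[src_zone] > RANK[dst_zone]:
        # Outgoing direction: implicitly allowed (proxy forwards outgoing TCP).
        return "allow", "implicit outgoing"
    # Incoming direction: default deny unless an explicit rule matches.
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if (proto, dport) not in r.services:
            continue
        if r.src_hosts and ipaddress.ip_address(src_ip) not in r.src_hosts:
            continue
        return "allow", r.name
    return "deny", "no explicit incoming rule"


def smb_from_servers(server_ips):
    """SMB rule from only the named optional-side servers into the trusted zone."""
    return Rule(
        "SMB optional->trusted", "optional", "trusted",
        frozenset(SMB_PORTS),
        frozenset(ipaddress.ip_address(ip) for ip in server_ips),
    )


if __name__ == "__main__":
    # Constructed scenario: the three public servers on the optional interface.
    rules = [smb_from_servers(["192.168.1.2", "192.168.1.3", "192.168.1.4"])]
    for src, dst, proto, port in [
        ("192.168.0.10", "192.168.1.2", "tcp", 80),    # trusted -> optional web
        ("192.168.1.2", "192.168.0.10", "tcp", 445),   # listed server -> trusted SMB
        ("192.168.1.9", "192.168.0.10", "tcp", 445),   # unlisted optional host
        ("203.0.113.7", "192.168.0.10", "tcp", 445),   # external host
        ("192.168.1.2", "192.168.0.10", "tcp", 22),    # listed server, other service
    ]:
        print(src, "->", dst, proto, port, evaluate(rules, src, dst, proto, port))
```

The last three cases are the ones that matter for the "without opening up more than I need to" goal: an unlisted optional host, an external host, and a non-SMB port from a listed server are all still refused, because the explicit rule is scoped by source address and by service rather than by zone alone.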
flosoft (asker):
So basically you are saying that there is no way to securely allow communications between the trusted and optional interfaces? This setup is in a small office so all equipment is close together. If I simply add a second NIC to all servers on the optional network, would this be a normal way of doing this? This way I would get communications for file / print and logon via the trusted NICs and be able to serve the internet via the optionals, as long as I do not bridge the 2 NICs. I do not believe that someone could take advantage of the trusted NIC as they would never see it unless they were on the trusted interface, correct? Or would there be a way for someone to utilize the trusted NIC?


Thanks
ASKER CERTIFIED SOLUTION
Abgraal
