Accessing a network behind a Watchguard X700 Firebox firewall using VNC

Posted on 2006-04-06
Last Modified: 2013-12-07
I have seen various posts on this, but they are for a different Firebox, and the directions don't work with the software we are using (Watchguard System Manager version 8).

We want to be able to use VNC enterprise edition to access one, possibly more, PCs on our network.

As I understand it, this involves setting up packet forwarding within the NAT configuration.

If anyone knows how to do this, please let us know :-)

Question by: Paul197466
    LVL 17

    Expert Comment

    You're doing NAT configuration? You'll definitely have to port forward, but you'll also have to open the appropriate ports (5800 if you're connecting via browser, 5900 if you're using the VNC viewer). But your life would probably be a lot easier if you had a network with public IPs.
    LVL 2

    Expert Comment

    Open the System Manager
    Open the Policy Manager
    Click on Edit -> Add Service
    Click New
    Type in VNC as Name
    Click Add
    For Port: 5900
    To: 5900
    Once created, Double click that and Click on Incoming...Change to Enabled and Allowed
    In the From: Click Add
    Add Other and choose appropriate...Host or whatever.
    In the To: Click Add
    Click NAT...Put the external and internal in.  Save to Firebox and that should have you set.

    Let me know if you need any further help.
    LVL 4

    Expert Comment

    If you need to use multiple PCs, you can forward the external ports of the firewall (5901, 5902, and so on) to internal port 5900 on the specific machine you would like to connect to. Example:

    firewall:5901 --> inside1:5900
    firewall:5902 --> inside2:5901

    where "firewall" is the firewall IP and "insideX" is the inside PC's IP address.

    Author Comment

    OK, because I could not get the NAT solution working I have added an additional adapter to the machine.

    I have configured this adapter to have a valid external Class C IP address.

    I have connected this adapter to the optional interface on the Firebox.

    I have created an alias for this adapter in the Firebox configuration.

    I have created a new service called TCP that has ports 5900 and 5800 open for TCP (just TCP, not UDP; is that right?).

    I have created an instance of this service and set it to be "Enabled and Allowed" for incoming from Any to the new alias for the new adapter, and outgoing from this alias to Any.

    However, when I try to connect from a VNC client on another network to the external IP address of the new adapter, it fails to connect.

    Have I missed something?
    LVL 4

    Accepted Solution

    When I have worked on the Fireboxes, you have to have the interfaces in transparent mode to be able to set up public IPs behind the firewall, or routing for those IPs...  That said, when I have worked on them, you have to set up the entire firewall (i.e. both internal interfaces) in transparent mode; I don't think you can set up one or the other.

    I suspect the most likely problem is the source port setting on the rules you are creating...  When you configure a rule, you have to set options for source and destination IP, and source and destination port.  Many people miss the destination port setting.  I usually set the source port to "Ignore".  Give that a shot and let me know what you find.


    Author Comment


    I was setting the Client Port drop-down to "Port" rather than leaving it as "Client".

    Many thanks
    LVL 4

    Expert Comment

    No problem...  FYI when you set it to port, it requires the source port to be the same as the destination port.  Since most protocols use a source port different from the destination port, that naturally doesn't work.  I can't count the number of times I've done the very same thing.  Glad you were able to get your rules going.
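    The two mechanics this thread turns on, the per-PC external-port mapping (5901, 5902, ... forwarded to inside port 5900) and the "Client Port" option that, when set to "Port", requires the source port to equal the destination port, as an added toy model; this is example code written for this page, not WatchGuard's own logic, and every address and port in it is constructed.

```python
"""Toy model of a Firebox-style port-forward (static NAT) policy, including the
'Client Port' option discussed in the thread.  Addresses are constructed examples."""
from dataclasses import dataclass
from typing import Optional

FIREWALL_EXT = "203.0.113.10"      # constructed: the firewall's external address


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Policy:
    name: str
    ext_port: int        # port the client connects to on the firewall
    int_ip: str          # inside PC the connection is forwarded to
    int_port: int        # port on that PC (5900 for the VNC viewer)
    client_port: str = "client"   # "client" (any ephemeral port) or "port"


def apply_policy(flow: Flow, policies: list[Policy]) -> tuple[str, Optional[Flow]]:
    """Return ("allow", translated flow) or ("deny", None).

    In "port" mode the source port must equal the destination port, which real
    clients (ephemeral source ports) almost never satisfy; that is the
    misconfiguration the thread identifies.  Unmatched traffic is denied."""
    for p in policies:
        if flow.dst_ip == FIREWALL_EXT and flow.dst_port == p.ext_port:
            if p.client_port == "port" and flow.src_port != flow.dst_port:
                return "deny", None
            return "allow", Flow(flow.src_ip, flow.src_port, p.int_ip, p.int_port)
    return "deny", None


# One policy per inside PC: distinct external ports, all landing on inside port 5900.
POLICIES = [
    Policy("VNC-1", 5901, "192.168.1.11", 5900),
    Policy("VNC-2", 5902, "192.168.1.12", 5900),
    Policy("VNC-bad", 5903, "192.168.1.13", 5900, client_port="port"),  # the broken setting
]

if __name__ == "__main__":
    for dport in (5901, 5902, 5903, 6000):
        # A VNC viewer picks an ephemeral source port such as 51234.
        verdict, out = apply_policy(Flow("198.51.100.7", 51234, FIREWALL_EXT, dport), POLICIES)
        print(f"{FIREWALL_EXT}:{dport} -> {verdict}", out and f"{out.dst_ip}:{out.dst_port}")
```

    Running it shows the first two policies forwarding to their inside hosts, the "Port"-mode policy dropping the same client connection, and the unmapped port denied.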


    Author Comment

    Sorry, I know this is a bit cheeky since I have already accepted the answer, but I did run into a problem with this solution.

    The problem is that the VNC service I create is meant to only affect the filtering of the optional interface but I find that it affects the trusted interface too.

    If you have any idea how to force it to only affect the optional interface, I would really appreciate it.
    LVL 4

    Expert Comment

    I'm not near a system where I can look at this specifically, and won't be for a few weeks.  But to my recollection there are a few criteria for making the rules: source, destination, source port, destination port, layer 4 protocol and layer 5 protocol.  All of that said, you should be able to set the source to be either an IP address or an interface; likewise the destination can be an IP address or an interface.  Since you are using NAT or PAT or any of the other terms used to make a private service available publicly, you should be specifying an internal IP address, which should negate the need to specify an acceptable interface, as that would be assumed.

    To summarize, I think you can specify an IP address or an interface, but I don't think you can specify both (i.e. --> interface private).  I think it is an either/or.

    That said, for the source, you could specify the public interface, and that would disallow the traffic from originating from the optional interface.

    Or perhaps I have misunderstood your question.  I am certainly happy to help you complete this issue.  Please let me know if this has helped, or if you have any further questions.

