corpdsinc
Watchguard FireBox Public IP forward

Watchguard Firebox Experts,
I have a customer with a Firebox X500. They have a 10mb internet circuit handed off to the firebox via ethernet into the Public/External port. The device is performing NAT for the private network behind the firewall on the Private/Trusted port. They also have a block of IPs being routed to the ethernet address of the Public/External Port. I need to place a device behind the firewall that will need a public IP address. My question is, if I assign one of my public addresses to the device behind the private port it won't work, as it is a NAT'd network. How is this done on a firebox? I see an 'optional port' on the firebox as well as a 'secondary network' setting in the Firebox System Manager. Any help would be greatly appreciated.

External IP: 207.250.65.2/30
Block of IPs: 209.234164.50/28
Private: 192.168.0.0/24
dpk_wal
There are a few ways to accomplish what you want:
1. Configure FB in routed or gateway mode and then configure WG to do NAT; configure the machine for 1-1 NAT where all the conversation would be translated to the specific public IP.

2. If for some reason you must have a public IP on the machine, then configure FB in drop-in mode; all interfaces of WG would have one single public IP. Configure the machine with one of the other public IPs. For other machines on the network you can implement NAT by creating a secondary network on the trusted interface as 192.168.0.0/24.

Please implement and update; let me know if you need more details.

Thank you.
corpdsinc (asker)
DPK WaL,
Thanks for the response. For more info, I am trying to install a Cisco Concentrator 3000 into this network. It worked when they had a T1 circuit going into a Cisco router. I then split the connection from this Cisco to the concentrator and the WG and configured each with a public IP address. This worked great for my situation.

This site now has 10mb fibre optic ethernet from Time Warner coming in via ethernet. It is plugging directly into the public port of the WG. I am trying to find the best way to assign both my WG and Concentrator a public address. They have a /28 of public IPs and I need them to port forward certain ports to internal machines, but I also need to assign one of these IPs to the FB.
If you put a concentrator behind WG, I think ideally you would not want any NAT to be done for it; on a need basis you can either permit specific traffic or all traffic.

So, in this case I would suggest configuring FB in drop-in mode and then configuring policies to allow traffic to the concentrator. For your private network, if it is behind WG you can make a secondary network on the trusted interface; even if you have a router behind WG on a private network you can implement a secondary trusted network and then WG would do NAT for that network.

Thank you.
So, when I tick the box for 'Configure Interfaces in Drop in Mode' the trusted interface IP address field disappears. Does this mean there will not be an internal IP address for the FB any longer? I ask because I have 0.0.0.0 0.0.0.0 routes to 192.168.0.254 (the current WG IP) for all internet traffic on my internal network Cisco routers (for remote office point to points etc).
You are right, the moment you do that all three interfaces of WG would have one single IP address; but as I said earlier you have an option to select Secondary network and define a secondary network on the trusted interface with the current IP subnet scheme.

When you save the configuration FB would reboot and then it would behave normally in terms of the network behind it; just that your concentrator would have a public IP behind WG without NAT.

Thank you.
Sorry to keep bothering you. So in order to get my FB to still have 192.168.0.254 as an IP (for my internet network) I would add 192.168.0.254/24 as a secondary network to my 'trusted' interface?

After drop in is checked the FB will have an IP of
207.250.65.2/30

I will add a secondary network of 192.168.0.254/24


Then I can assign a public IP to my Concentrator? Also, will my existing policies still work? I have a lot of port forwarding via Aliases (from my /28) to the WAN IP. IE: 209.234.164.49 -> 192.168.0.18 TCP:25

No problem, yes, everything works as normal including policies, as if you never made any change. Just make sure that the IP address you assign to the Concentrator is not used anywhere else (in External aliases or 1-1 NAT rules), otherwise this would create a conflict and a few things might not work.
Also, make sure that if you have DMZ or any other networks defined, you add them as secondary network on the respective interface.

Thank you.
Outstanding. I will implement this in the morning.
One more thing. On my concentrator I am using the default gateway of the FB External address, correct?

IE

209.234164.57
255.225.255.240
gtw: 207.250.65.2

This is correct ...right?
Yes, you can either use the FB public IP as default gateway or you can use the gateway IP of your ISP; it does not matter as both devices are on the same subnet and ultimately get routed through the ISP's router! :)
Great! I will get this done as soon as I get into that office. So the concentrator will basically be reachable from the internet once I assign it an IP, or do I need to set a policy? Last question, I swear.
You would need a policy for any incoming traffic originating from the internet for the concentrator; for any outbound traffic the default outgoing service will take care of things (provided you have not deleted it)! :)
So I added the ANY packet filter to the firebox config with the rule of: From 'firebox' To: 209.234.164.57.

I will assign the concentrator 209.234.164.57 in the morning.  Will let you know what happens.

Sure. I would suggest you hide at least two of the octets of the public IP whenever posting here or on any forum, for security purposes.

Thank you.
Sadly it did not work. Once I assigned the concentrator the public IP and the FW public IP as the gateway it lost connection to the internet. I was unable to ping hosts from the concentrator, including the default gateway for the concentrator.

Could it be because the concentrator is plugged into the same switch that all of the NATed PCs are on (via the trusted port on the FB)?

No, the port would not matter; you can plug the concentrator into any of the ports of FB. Can you do some basic tests for me:
1. ping FW public IP from concentrator and see if you get replies; if yes, then
2. ping the ISP router (gateway on FW) and if you get replies,
3. ping anything on the internet and see results.

Please make sure that you have not left the specific public IP in 1-1 NAT settings, that there is no 1-1 NAT exception and that the IP is also not listed in external aliases; can you double check this for me and respond.

Thank you.
When I assign the Concentrator 209.234164.57 \ 255.225.255.240 \ gtw: 207.250.65.2 I cannot ping the FB public IP, the ISP IP or the internet.
>> when I assign the Concentrator 209.234164.57 \ 255.225.255.240 \ gtw: 207.250.65.2
Why are the IP and gateway in two different subnets? Please note the concentrator public IP must be in the same subnet as the external IP address of FB. Put it in the same subnet and things would work.

Thank you.
I tried 209.234164.57 \ 255.225.255.240 \ gtw: 209.234.164.49 (first usable IP) but it still did not work. I will give it another shot though.
Are you sure that the IP is not used anywhere in the WG configuration and that you have added a policy to allow traffic out and back in? Also, can you ping the WG public IP from the concentrator?
I am sure the IP I used is not used anywhere else in the FB. Maybe I am allowing the traffic wrong. Should I be doing this with a custom policy?
Still no luck.  I am pulling my hair out.
Here is a recap of what I have:

WG in Drop In Mode
IP 207.250.65.2/30
gtw: 207.250.65.1
No Aliases on the WG
Secondary Network of 192.168.0.254/24
209.234.164.49/28 routed to WG

Policies in place forward traffic (web, smtp etc) using this block, ie 209.234.164.49 to 192.168.0.17, which work.

However, when I assign a public IP of 209.234.164.57 (which is not being used on the FB) with the gateway of 209.234.164.49, things don't work. I am able to ping 209.234.164.57 (the assigned concentrator IP) from the concentrator, but I cannot ping the gateway of 209.234.164.49 or the int IP of 207.250.65.2 or the ISP's side 207.250.65.1.

Could it be because my /28 ip block gateway of 209.234.164.49 is being used in a FB policy?

Please help :)

The reason this is not working is because WG does not see the IP behind it. I'll try explaining: your WG external IP is 207.250.65.2/30, which means that there are only two IP addresses allowed, .2 already assigned to the FB external IP and .1 assigned to your ISP's router. Further, .0 is the subnet IP and .4 is the broadcast IP.

With the IP 209.234.164.49/28, FB is expecting the traffic to originate from the outside world, or external interface, and hence things are not working.

There are some possible solutions:
1. Ask your ISP to get more IP addresses assigned to you for the 207.250.65.0/30 subnet, and then the problem would not be observed. -- Bad solution as they might not have more IPs or they might charge you more.

2. Assign a secondary network on the External Interface with IP 209.234.164.49/28; then the concentrator would get an IP, for eg, .50, and things would work. -- Solution not elegant as you would be wasting one IP address of the available pool. But other than that things are fine. In this case you might even revert the FB from drop-in mode to routed mode as that would not make a difference now.

3. Change the external IP address on WG from 207.250.65.1/30 to 209.234.164.49/28; then give the concentrator .50 and things would work. -- Bad solution as it might require changing your servers' name records, like A, MX, PTR etc. There is one benefit: if you're not using 207.250.65.0/30 for SMTP purposes then you can configure inbound policies as you have done for the 209.234.164.x/28 subnet; the IP traffic from the ISP would hit the FB and because there is a policy allowing inbound traffic the traffic would come in. The problem is, the outbound traffic would not have the same source IP address; I think your ISP might have implemented some address translation to handle that situation.

Please advise if you need more details.

Thank you.
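As an added example (not from the thread, WatchGuard or Cisco), the following Python check reproduces the addressing logic dpk_wal walks through above: the gateway must lie inside the host's own subnet, and some device on the same Ethernet segment must actually hold that gateway address. The address values are taken from the thread; the sets of addresses the Firebox and ISP router hold before and after option 2 (secondary network on the external interface) are assumptions constructed for the example.

```python
import ipaddress

# Constructed from the thread: before option 2, only the /30 addresses are
# answered for on the external segment (ISP router .1, Firebox external .2).
FB_ONLY_30 = frozenset({"207.250.65.1", "207.250.65.2"})
# After option 2 the Firebox also holds 209.234.164.49 as a secondary network.
WITH_SECONDARY_28 = FB_ONLY_30 | {"209.234.164.49"}


def check_static_config(ip, mask, gateway, local_gateways):
    """Return a list of addressing problems for a host's static IP settings.

    local_gateways: addresses that devices on the same segment actually
    answer for (firewall external IPs, secondary network IPs, ISP router).
    An empty list means host IP, mask and gateway are consistent with each
    other and with what is reachable on the wire.
    """
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError:
        # Covers mistyped or non-contiguous masks such as 255.225.255.240.
        return [f"invalid address or netmask: {ip}/{mask}"]
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    held = {ipaddress.ip_address(a) for a in local_gateways}

    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"host IP {iface.ip} is the network or broadcast address of {net}")
    if iface.ip in held:
        problems.append(f"host IP {iface.ip} is already held by another device")
    if gw not in net:
        # First attempt in the thread: IP in the /28, gateway in the /30.
        problems.append(f"gateway {gw} is outside the host's subnet {net}")
    elif gw not in held:
        # Second attempt: gateway inside the /28, but nothing on the segment
        # held any /28 address until the secondary network was added.
        problems.append(f"no device on the segment holds gateway {gw}")
    return problems


if __name__ == "__main__":
    cases = [
        (FB_ONLY_30, ("209.234.164.57", "255.255.255.240", "207.250.65.2")),
        (FB_ONLY_30, ("209.234.164.57", "255.255.255.240", "209.234.164.49")),
        (WITH_SECONDARY_28, ("209.234.164.57", "255.255.255.240", "209.234.164.49")),
    ]
    for held, cfg in cases:
        print(cfg, "->", check_static_config(*cfg, held) or "OK")
```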
Ok. So it looks like option number 2 is the best for my network. I made these changes and it looks like it would work; however, when I assign 209.234.164.49/28 as a secondary network on the external interface my BlackBerry Enterprise Server stops working on the exchange server. I am guessing this is because I have a 1 to 1 NAT for the public IP address (which is in the 209.234.164/28 range) to the internal IP of the exchange/BES server.

sigh.
If the settings are correct and 1-1 NAT exceptions are defined then 1-1 NAT should work. As a simple test, open any web site from the exchange server which shows the public IP, eg, whatismyip.com; if you are getting the expected public IP in the 209.234.164.x/28 range then things would be good. Please note, as you have assigned the 209.234.164.49/28 address to the WG external IP, this IP cannot be used for 1-1 NAT translations; if you specifically need .49, it would be good to assign FB some other IP in the /28 pool.

Please check and update.

Thank you.
Yeah, www.whatismyip.com from the exchange server shows the /28 address I assigned it; however BES still does not work.

I think I am going to bring the 10mb ethernet into a router, then send the /28 to the FB and to my concentrator rather than have the FB do it all. I will let you know what happens.
ASKER CERTIFIED SOLUTION (dpk_wal)
Thanks for the help. We got a PIX.