Firebox x750e changing port forwarding

I am changing a port forwarding rule and creating a second new port forwarding rule on a Firebox X750e at one of our offices.  I am not familiar with WatchGuards.  I simply want to make a rule to forward 5900 to internal address

We have a single external public IP address connected to the WAN port of the Firebox.  There are several standard port forwarding rules pointing to 2 servers already.  I attempted to model my new rule off of these and change the existing RDP rule.

I have made the change a dozen times and cannot figure out why it does not work.  For a test I took an existing rule forwarding RDP 3389 to that is working and changed the NAT setting to  Same rule, same settings and it doesn't work!  Change it back and it works with the original .225 server.  Internally that system is up and accessible on both protocols.

I am guessing that there is another place that a NAT setting or the .247 host must be defined, but I can't find it or find it mentioned in any directions.  

jmlamb (Technical Account Manager) commented:

1-to-1 NAT is configured in Policy Manager under Network, NAT, 1-to-1 NAT tab. You should find your existing public to configuration there.

Hope that gets you going in the right direction.
mathews2001 (Author) commented:
The 1 to 1 NAT tab is blank.  I understood that the NAT settings under the policy itself take priority over this tab.  I think when you make a policy and use the NAT button it creates a 1 to 1 for you.

I can add a setting there, but it didn't help before.
mathews2001 (Author) commented:
I tried to add a 1 to 1 NAT and got the following message:

You cannot use an interface IP address (primary or Secondary) of the firebox in your 1 to 1 NAT configuration.

The NAT base was x.x.x.x my external IP and the real base was my internal
mathews2001 (Author) commented:
Reversed the NAT base and real base above and it took the setting.  Doesn't look right to me though.
As you have only one public IP you cannot use 1-1 NAT.

Please ensure that the new machine is actually listening on the ports you are configuring in the service [you can use netstat -a command to verify the port/protocol].

Also, make sure that on the new machine the internal IP of the WG is the default gateway and there are no multiple gateways; finally, make sure there is no internal firewall on the new machine which is blocking the traffic.

If you enable logging for the service and post a few sanitized logs from when the traffic goes through, it would be helpful.

Please update.

Thank you.
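
Two of the host-side checks from the answer above (the port is listening, and there is exactly one default gateway and it is the firewall's internal IP), as an added example that is not part of the original thread: a Python sketch that parses saved Windows `netstat -an` and `route print` output. The addresses, sample outputs and function names are constructed for illustration.

```python
# Added example: addresses and command output below are constructed samples.
NETSTAT = """\
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING
  TCP    192.168.0.247:5900     192.168.0.10:50112     ESTABLISHED
"""
ROUTES = """\
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.247      20
      192.168.0.0    255.255.255.0    192.168.0.247    192.168.0.247      20
"""

def listening_ports(netstat_text):
    """TCP ports in LISTENING state, from `netstat -an` text."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports

def default_gateways(route_text):
    """Distinct gateways of every 0.0.0.0/0 route, from `route print` text."""
    gws = []
    for line in route_text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[:2] == ["0.0.0.0", "0.0.0.0"] and f[2] not in gws:
            gws.append(f[2])
    return gws

def check_forward_target(netstat_text, route_text, port, firewall_lan_ip):
    """Return a list of problems that would break an inbound port forward."""
    problems = []
    if port not in listening_ports(netstat_text):
        problems.append(f"nothing is listening on TCP {port}")
    gws = default_gateways(route_text)
    if not gws:
        problems.append("no default gateway configured")
    elif len(gws) > 1:
        problems.append(f"multiple default gateways: {', '.join(gws)}")
    elif gws[0] != firewall_lan_ip:
        # Inbound packets arrive, but replies are sent to a different next hop,
        # so the firewall log shows the forward while the session never completes.
        problems.append(f"default gateway is {gws[0]}, expected {firewall_lan_ip}")
    return problems

if __name__ == "__main__":
    for p in check_forward_target(NETSTAT, ROUTES, 5900, "192.168.0.254") or ["ok"]:
        print(p)
```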

mathews2001 (Author) commented:
The listening PC had the wrong default gateway.  We typically use .1 and this office has .254.  I always tell the guys to check the simple stuff first.  I guess I didn't take my own advice.  What was killing me was the logs showed it forwarding, but not working.
jmlamb (Technical Account Manager) commented:
You were trying to create it correctly the first time, but were using an IP already assigned to an interface, which won't work. Go ahead and delete that 1-to-1 if you haven't already.

In the inbound RDP policy you're trying to modify, under the Policy tab, what does it say in the To box? You should see public IP --> private IP. The private IP should be Under the Advanced tab, make sure Dynamic NAT is checked. You don't have to set up a 1-to-1 with a single public IP.
jmlamb (Technical Account Manager) commented:
Oops, didn't see this as solved before typing my comment. Disregard.