jmtoman asked:
Multiple WAN IPs on Watchguard Firebox x550e for web servers
I'm running a Watchguard Firebox x550e with 10.2 firmware/manager. We have quite a few public IP addresses (30ish) and a few web servers. None of the web servers are running behind the firewall; they are on the open internet.
I want to bring the webservers behind my Firebox and maintain the existing IPs for each server and be able to create rules based on each IP. Is this possible? I see the config portion for 1-to-1 NAT but not sure where to go next.
Configure one of your optional ports for a LAN (I renamed mine DMZ). You will need to connect all your servers to a switch and then the switch to the optional port on the Firebox. Then you do your NATing and your firewall rules on that LAN. NAT one public IP to one private IP for each server. Then apply your rules to the private IP of each server. Hope this helps.
If he is already using the Firebox in gateway mode he cannot set it to drop-in mode without losing his current settings; a Firebox x550 Core appliance will only work in one mode at a time, not both simultaneously. Yes, you are right, it would be easier to do it this way for a new box, not an existing one.
ASKER
My Firebox is not in drop in mode.
I added secondary IP addresses to my external port and setup my eth2 as an optional network. I then created 1-to-1 NATs for the webservers and added rules into the firewall for my various services.
ASKER
Sorry if my last post was clear, but when I created the rules for HTTP I added the NAT in there from the secondary IP on my external adapter to the internal IP I set for my web server.
ASKER
dpk_wal, I'm not sure I understand about the 1-to-1 NATs and SMTP. I have an Exchange server that sits on my trusted network and uses the original external IP of my FB. One of the web servers I'm bringing behind the firewall sends outgoing mail only. Do I need to do something special to ensure the mail from the web server comes from the "correct" public IP?
Well, even in an existing setup you can always change the mode of the firewall from routed to drop-in or vice versa; yes, you need to take care of policies to configure NAT, but there is no LOSS of settings.
Please note that if you are using the public IP of the Firebox for your server then you need not worry about anything and can use static NAT [you actually cannot 1-to-1 NAT in such a case].
When you use an IP address which is not the external interface IP address, you need to consider whether remote clients do a reverse DNS lookup [so if your MX record and the source IP of the packet do not match, your email would get rejected]; if they are not doing any reverse DNS lookup then you need not worry about 1-to-1 NAT or static NAT and can use either per your wish/need.
You said you added a secondary network on external; do you have two different subnets of public IP addresses? If not, I do not understand the reason why you did this step.
Thank you.
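The point dpk_wal makes above (a server that only has an inbound static NAT will send its mail from the firewall's primary external IP, and that mismatch is what reverse DNS checks catch) is easier to see in a small model. The following is an added example, not code from the thread or from WatchGuard: it models the translation behaviour the thread relies on (1-to-1 NAT applies in both directions, static NAT rewrites inbound destinations only, anything else leaves by dynamic NAT behind the primary external IP, and the external interface's own IP cannot be 1-to-1 NATed), then runs a forward-confirmed reverse DNS check on the resulting egress IP. All addresses (RFC 5737 documentation ranges), hostnames and DNS answers are constructed so it runs offline; the class and function names are this example's own.

```python
"""Model of Firebox-style address translation plus an FCrDNS check on the
egress IP. Added example; WatchGuard-specific behaviour is assumed, not
taken from product documentation on this page."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import ipaddress

# (name, record type) -> list of answers; injected so the check runs offline.
Resolver = Callable[[str, str], List[str]]


@dataclass
class Firebox:
    """Minimal model of the edge device's NAT tables (assumed behaviour)."""
    external_ip: str                                   # primary IP of the external interface
    one_to_one: Dict[str, str] = field(default_factory=dict)        # public -> private, both directions
    snat: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (public, port) -> private, inbound only

    def add_one_to_one(self, public: str, private: str) -> None:
        # As the thread notes, the external interface's own IP cannot be 1-to-1 NATed.
        if public == self.external_ip:
            raise ValueError(f"{public} is the external interface IP; use static NAT instead")
        self.one_to_one[public] = private

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[str]:
        """Private destination for a packet arriving from the internet, or None."""
        if dst_ip in self.one_to_one:
            return self.one_to_one[dst_ip]
        return self.snat.get((dst_ip, dst_port))

    def outbound_source(self, private_ip: str) -> str:
        """Public source IP a packet from private_ip leaves with."""
        for public, private in self.one_to_one.items():
            if private == private_ip:
                return public
        # No 1-to-1 entry: dynamic NAT masquerades behind the primary external IP.
        return self.external_ip


def fcrdns_ok(ip: str, resolver: Resolver) -> bool:
    """Forward-confirmed reverse DNS: PTR(ip) names a host whose A record contains ip."""
    ptr_name = ipaddress.ip_address(ip).reverse_pointer  # e.g. 10.113.0.203.in-addr.arpa
    return any(ip in resolver(name, "A") for name in resolver(ptr_name, "PTR"))


def mail_source_consistent(fb: Firebox, private_ip: str, helo_name: str,
                           resolver: Resolver) -> Tuple[str, bool]:
    """Return (egress IP, True if that IP is what helo_name resolves to and FCrDNS holds)."""
    egress = fb.outbound_source(private_ip)
    forward = egress in resolver(helo_name, "A")
    return egress, forward and fcrdns_ok(egress, resolver)


# Constructed zone data standing in for public DNS (not real hosts).
_DNS: Dict[Tuple[str, str], List[str]] = {
    ("fw.example.com", "A"): ["203.0.113.1"],
    ("www1.example.com", "A"): ["203.0.113.10"],
    ("www2.example.com", "A"): ["203.0.113.11"],
    ("1.113.0.203.in-addr.arpa", "PTR"): ["fw.example.com"],
    ("10.113.0.203.in-addr.arpa", "PTR"): ["www1.example.com"],
    ("11.113.0.203.in-addr.arpa", "PTR"): ["www2.example.com"],
}


def stub_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for a DNS resolver, backed by the constructed zone above."""
    return _DNS.get((name, rtype), [])


def build_example() -> Firebox:
    """Two web servers on the optional network: one with 1-to-1 NAT, one with SNAT only."""
    fb = Firebox(external_ip="203.0.113.1")
    fb.add_one_to_one("203.0.113.10", "10.0.2.10")   # www1: full 1-to-1 NAT
    fb.snat[("203.0.113.11", 80)] = "10.0.2.11"       # www2: inbound static NAT on port 80 only
    return fb


if __name__ == "__main__":
    fb = build_example()
    for private, name in [("10.0.2.10", "www1.example.com"), ("10.0.2.11", "www2.example.com")]:
        egress, ok = mail_source_consistent(fb, private, name, stub_resolver)
        print(f"{name:18} leaves as {egress:13} consistent={ok}")
```

Running it shows www1 (1-to-1 NAT) leaving as 203.0.113.10 with a consistent PTR, while www2 (static NAT only) leaves as the firewall's 203.0.113.1, which does not match what www2.example.com resolves to; a receiving MTA that checks reverse DNS would treat the second case the way dpk_wal describes. In real use, replace `stub_resolver` with live lookups (for example via `socket.gethostbyaddr` and `socket.gethostbyname_ex`) and run the check from outside the firewall, since the egress IP is only observable there.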