
Multiple WAN IPs on Watchguard Firebox x550e for web servers

I'm running a Watchguard Firebox x550e with 10.2 firmware/manager running.  We have quite a few public IP addresses (30ish) and a few web servers.  None of the web servers are running behind the firewall; they are on the open internet.

I want to bring the webservers behind my Firebox and maintain the existing IPs for each server and be able to create rules based on each IP.  Is this possible?  I see the config portion for 1-to-1 NAT but not sure where to go next.
Asked by: jmtoman

2 Solutions
J_G_D commented:
Configure one of your optional ports for a LAN (I renamed mine DMZ). You will need to connect all your servers to a switch and then the switch to the optional port on the Firebox. Then you do your NATing and your firewall rules on that LAN. NAT one public IP to one private IP for each server. Then apply your rules to your private IP for each server. Hope this helps.
 
simon_m_ commented:
You will need to change the servers' IPs to a new internal subnet on the DMZ, as explained above.
Under the WAN port configuration you will need to add all of the external IPs you want to use as aliases.

You then add an incoming rule for http (and/or https if you use that), from any external IP, and in the "to" box you click on NAT and then you should be able to select one of the list of external IPs you've added, and then specify the IP address of a web server on the DMZ that you want the traffic to go to.

When you specify the protocol, you have the choice of an http filter or http proxy.  The proxy is more secure, but potentially has more to configure on it to get everything to work properly.

You will also need some rule(s) to allow you to access the web servers from your internal network as well.
 
dpk_wal commented:
If you plan to use 1-1 NAT then do NOT add IP addresses as aliases. As the servers are already running with public IPs and all you want is to give them firewall protection, you can actually configure your Firebox in drop-in mode; with this there would be a minimal configuration change on the servers.
When in drop-in mode all Firebox interfaces use a single IP and the FB does NOT perform NAT for the machines behind it, so here you can have your server behind the Firebox sitting on a public IP and still have firewall protection.
If you wish the FB to do NAT for a private network segment, you have the option to create a secondary network and then the FB would do NAT for this network [provided the IP range is private or you have added an entry if using a non-private (not recommended) IP subnet].

Please note that by default all outbound traffic would be allowed [by the default service named Outgoing]; but for allowing inbound traffic, when in drop-in mode, you can configure a service as below [e.g., HTTP]:
Incoming connections are Enabled and Allowed; from ANY [or a specific subnet/host IP]; to public-ip-of-server

If you wish the FB to do NAT for all your servers, then you can configure the FB in route mode [gateway mode], and then configure static NAT or 1-1 NAT and reconfigure the IP address and gateway on all servers. Please note one of the biggest differences between static and 1-1 NAT on the FB is:
When using 1-1 NAT the FB uses the public IP for outbound traffic, whereas with static NAT it uses the external interface IP instead for outbound traffic [so if you have an SMTP server then 1-1 is preferred].

Please let me know if you need more details.

Thank you.
 
J_G_D commented:
If he is already using the Firebox in gateway mode, he cannot set it to drop-in mode without losing his current settings; a Firebox x550 core appliance will only work in one mode at a time, not both simultaneously. Yes, you are right, it would be easier to do it this way for a new box, not an existing one.
 
jmtoman (Author) commented:
My Firebox is not in drop-in mode.

I added secondary IP addresses to my external port and set up my eth2 as an optional network.  I then created 1-to-1 NATs for the webservers and added rules into the firewall for my various services.
 
jmtoman (Author) commented:
Sorry if my last post wasn't clear, but when I created the rules for http I added the NAT in there from the secondary IP on my external adapter to the internal IP I set for my web server.
 
jmtoman (Author) commented:
dpk_wal, I'm not sure I understand about the 1-to-1 NATs and SMTP.  I have an Exchange server that sits on my trusted network and uses the original external IP of my FB.  One of the web servers I'm bringing behind the firewall sends outgoing mail only.  Do I need to do something special to ensure the mail from the webserver comes from the "correct" public IP?
 
dpk_wal commented:
Well, even in an existing setup you can always change the mode of the firewall from routed to drop-in or vice versa; yes, you need to take care of policies to configure NAT, but there is no LOSS of settings.

Please note if you are using the public IP of the Firebox for your server then you need not worry about anything and can use static NAT [you actually cannot 1-1 NAT in such a case].

When you use an IP address which is not the external interface IP address, you need to consider whether remote clients would do a reverse DNS lookup [so if your MX record and the source IP of the packet do not match, your email would get rejected]; if they are not doing any reverse DNS lookup then you need not worry about 1-1 NAT or static NAT and can use either per your wish/need.

You said you added a secondary network on external; do you have two different subnets of public IP addresses? If not, then I do not understand the reason why you did this step.

Thank you.
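The outbound-source difference dpk_wal describes (1-1 NAT keeps the server's own public IP, static NAT leaves with the external interface IP) and its reverse-DNS consequence for the mail-only web server, modelled in Python as an added example that is not from this thread or from WatchGuard. All addresses, hostnames and DNS records are constructed, and the receiver-side check is a simplified forward-confirmed reverse DNS test, an assumption about what a strict remote MTA does.

```python
from typing import Dict, Optional, Tuple

# Constructed addresses (RFC 5737 documentation range), not the asker's real ones.
EXTERNAL_IF_IP = "203.0.113.1"                                  # Firebox external interface
ONE_TO_ONE: Dict[str, str] = {"10.0.1.10": "203.0.113.10"}      # web server -> its own public IP
STATIC_NAT_INBOUND: Dict[str, str] = {"203.0.113.1": "10.0.0.5"}  # external IF IP -> Exchange

# Constructed sender DNS zone: a PTR for each public IP and the matching A records.
PTR = {"203.0.113.1": "mail.example.net", "203.0.113.10": "web1.example.net"}
A = {"mail.example.net": "203.0.113.1", "web1.example.net": "203.0.113.10"}


def nat_outbound(private_ip: str, mode: str) -> str:
    """Source address a packet from private_ip carries once it leaves the Firebox."""
    if mode == "1-to-1" and private_ip in ONE_TO_ONE:
        return ONE_TO_ONE[private_ip]       # 1-to-1 NAT: server keeps its public IP
    if mode in ("1-to-1", "static"):
        return EXTERNAL_IF_IP               # static/dynamic NAT: masqueraded to the IF IP
    raise ValueError(f"unknown NAT mode: {mode}")


def nat_inbound(public_ip: str, mode: str) -> Optional[str]:
    """Private host reached by a connection to public_ip, or None if no policy maps it."""
    if mode == "1-to-1":
        return {pub: priv for priv, pub in ONE_TO_ONE.items()}.get(public_ip)
    return STATIC_NAT_INBOUND.get(public_ip)


def receiver_accepts(src_ip: str, helo_name: str) -> bool:
    """Simplified forward-confirmed reverse DNS check (assumed strict remote MTA):
    PTR(src_ip) must exist, resolve back to src_ip, and match the HELO name."""
    host = PTR.get(src_ip)
    return host is not None and A.get(host) == src_ip and host == helo_name


def send_mail(private_ip: str, mode: str, helo_name: str) -> Tuple[str, bool]:
    """Translate the outbound SMTP connection and report (public source, accepted?)."""
    src = nat_outbound(private_ip, mode)
    return src, receiver_accepts(src, helo_name)


if __name__ == "__main__":
    # Mail-only web server: passes under 1-to-1 NAT, rejected under static NAT.
    print(send_mail("10.0.1.10", "1-to-1", "web1.example.net"))  # ('203.0.113.10', True)
    print(send_mail("10.0.1.10", "static", "web1.example.net"))  # ('203.0.113.1', False)
    # Exchange behind the external interface IP itself: static NAT is sufficient.
    print(send_mail("10.0.0.5", "static", "mail.example.net"))   # ('203.0.113.1', True)
```

The failing case is exactly the one jmtoman asked about: under static NAT the web server's mail leaves from the Firebox's external address, whose PTR names the Exchange host, not the web server.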