Solved

Watchguard Firebox X550e routing between networks

Posted on 2010-11-23
11
2,302 Views
Last Modified: 2013-11-16
I have a new client that is a state historical society museum. The Firebox is running Fireware v.9.0, which I know is quite out of date, but I'm a little leery of updating it at this point, since it's a rather old router to begin with. Maybe someone has some advice about that as well as my main question below.  I'm relatively new to working with this hardware, and I'm working with the following configuration:

Network #1 - internal "Trusted" network, subnet 10.10.10.1/24
Network #2 - Optional network, subnet 10.0.2.1/24
Network #3 - Optional network, subnet 10.0.3.1/24

Network #2 contains several workstations in the museum's library that are used by the public to access the Internet and the webservers that are going to be on Network #3.  Network #3 will contain 2 web servers (not yet in use) that house the museum's library catalog and collections databases.

What I'm trying to figure out is how to enable routing between Network #1 and Network #3 so that I can open some ports from the internal, trusted network to the web servers for the purposes of management of the web applications running on those servers and updating data. The data on these two servers needs to be updated on a fairly regular basis. My goal is to be able to open the required ports internally only between Network #1 and Network #3 without exposing them to the Internet.  

I thought that this should be pretty simple by adding filters to specify opening the required ports between the Trusted Network and Optional Network #3. But rather than experimenting using the documentation I have and my own knowledge of routing, I thought I'd check here first to see if someone can give me some easy and direct method that they know will work, and/or confirm that I'm on the right track.
0
Question by:Hypercat (Deb)
11 Comments
 
LVL 3

Accepted Solution

by:
msincorp earned 167 total points
Yes, you are on the right track.

First, the version 9 OS can be upgraded to Version 10.  During the upgrade all of the existing rules can be preserved and converted.  Also during the process, you will be prompted to save the configuration file before sending it to the Firebox.  I would save it as a different name so that you have the original version 9 configuration intact if you need to go back to version 9 for any reason.  Once you have converted to version 10, you can apply the patches, and then move on to version 11.

As far as the traffic segmentation, you are also correct.  All you need to do is create rules that allow the respective networks to "talk" to each other, and apply the filter to those rules.  The optional segments can have gateways set to allow them to access (or not) the internet and other resources on both the internal network segments and the internet.

Rules are easily created by making sure that the traffic between networks 1 and 3 are the only networks allowed within the rule, and then create a rule for each type of traffic (web, ftp).

Hope this helps.

msincorp

0
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 333 total points
I have little to add here.  msincorp is right and your points are all on target.  Create the interfaces, name them accordingly (for ease of administration) and create specific rules for traffic between them.  The box will easily handle the routing.

As for the upgrade, I'm also with msincorp.  Definitely do the upgrade.  The x550e will support it and there are many new features.  Just be careful of two big gotchas.   First, as msin mentioned, patch v9 to highest available level, go to 10, patch 10 to highest level, then go to latest level of 11.  If you don't skip any steps, all should be fine.  If you do, there will be conversion problems.   Be sure to review the release notes.  They're typically quick reads.  Second, your management station software is MUCH heavier on 11.  Make sure that you check hardware and OS requirements before upgrading.  These can be show-stoppers.   If you are not experienced on v11, lean on EE for that support.  It is worth it.  New web GUI, new web reporting, new application filters, just too much to mention.
 
By the way, make sure that their maintenance is current or that is a show stopper also.  v9 would run on expired maintenance.  v10+ will not.

Let us know if you need any more specifics but it sounds like you have a good handle on the basic process.  

Jon
0
 
LVL 38

Author Comment

by:Hypercat (Deb)
Thanks to you both. I will be working on this next week and will get back and post additional questions and/or award points.

Happy Thanksgiving!
0
 
LVL 2

Expert Comment

by:kentern
A little addition from my side (in addition to the above recommended updates):

Be sure to configure your DNS properly when adding zones, especially if some of the hosts are not to be available from the outside but are on the same domain name as the external hosts. We've split our network into 5 zones, and had quite a lot of DNS problems in the beginning (internal hosts trying to look up the external address of an "optional-zone" host without an external address etc). Some planning and a few DNS forwarders (if there's a DNS server in each zone) will help a lot.

Good luck!
0
 
LVL 38

Author Comment

by:Hypercat (Deb)
Got everything configured and working with one exception - and it's a doozy, I think... Although I have a workaround in place, as you'll see in my explanation, I'd like to understand better why it works this way and if there is a way to fix it.

The problem I'm having is with routing between the three internal networks.  The objective is to have the Optional 1 network be able to browse to the website that is on the Optional 2 network, using the PUBLIC URL, as explained below.

The details again (some repeated):

Firebox: Public IP range is 173.x.x.74/29; assigned IP is 173.x.x.74. That doesn't make sense to me, but it seems to work and I didn't originally configure this box, so I've left it that way for now.
Trusted Network: 10.10.10.x/24
Optional 1: 10.0.2.x/24
Optional 2: 10.0.3.x/24
    1-to-1 NATed public IP: 173.x.x.75 ---> 10.0.3.2
Website URLs are
    Internal http://10.0.3.2:8080/website
    External http://museum.domain.org:8080/website

DNS/AD domain setup:
Firewall DNS servers: 10.10.10.3, ISP DNS server as secondary, 10.10.10.7
Trusted Network domain name: local.domain.org, DNS servers 10.10.10.3 and 10.10.10.7
Optional 1 is a workgroup, no server
Optional 2 domain name: public.domain.org, DNS server 10.0.3.2 (this is also the only machine on this network so far)
Public domain name: domain.org, hosted at Network Solutions which also provides public DNS zone

Rules are:

Allow TCP port 8080 from Any to 173.x.x.75
Allow TCP port 8080 from Any-Trusted or Any-Optional to 10.0.3.2 (this is the workaround part)

On the Optional 1 network, I can resolve the server name museum.domain.org to the correct public IP address. However, when I try to browse the website using that URL, http://museum.domain.org:8080/website, I get "cannot display the webpage" error. I can browse the website using the private IP address: http://10.0.3.2:8080/website. Also, of course, I can browse the website normally from any external host using the public URL.

Can anyone explain why I can't access the website using the external URL instead of the private IP address?
0
 
LVL 6

Assisted Solution

by:Jon Snyderman
Jon Snyderman earned 333 total points
You are using 1-to-1 NAT which works best in a one ifc-to-one ifc scenario.  You have public and trusted to optional.  This does seem logical, but can be confusing.  I never use 1-to-1 natting at the interface.  It is less flexible and can be problematic and confusing when it comes to policies.

Remove the 1-to-1 nat and change your first rule to "Allow TCP port 8080 from Any to (NATed 173.x.x.75 -> 10.0.3.2)".
Remove your second rule as it should not be needed, as you suspected.

Hope that helps.

~Jon
0
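As an added example (not code from the thread or from WatchGuard), here is a small Python model of the policy set discussed in the accepted solution (per-service rules between Trusted and Optional 2) and in Jon's 1-to-1 NAT answer above: it checks which flows the three segments may exchange and reproduces why the Optional 1 client could reach the web server by private IP but not by public URL until the NAT moved into the policy. The NAT behaviour is a simplified assumption, not Fireware's actual packet pipeline, and 203.0.113.72/29 is a constructed stand-in for the redacted 173.x.x.x addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Segments from the thread; 203.0.113.72/29 is a constructed stand-in for 173.x.x.72/29.
SEGMENTS = {"External": ip_network("203.0.113.72/29"), "Trusted": ip_network("10.10.10.0/24"),
            "Optional-1": ip_network("10.0.2.0/24"), "Optional-2": ip_network("10.0.3.0/24")}
PUBLIC_WEB = ip_address("203.0.113.75")   # stand-in for the 1-to-1 NATed 173.x.x.75
WEB_SERVER = ip_address("10.0.3.2")       # library catalog web server on Optional-2

def segment_of(addr):
    """Interface an address belongs to; anything unknown is Internet-side."""
    return next((n for n, net in SEGMENTS.items() if addr in net), "External")

@dataclass
class Policy:
    name: str
    port: int
    src: set            # source segment names, or {"Any"}
    dst: object         # destination address the policy is written against
    nat_to: object = None   # policy-based NAT target (the "NATed 173.x.x.75 -> 10.0.3.2" form)

def evaluate(policies, src_ip, dst_ip, port, iface_1to1=None):
    """First matching policy wins; returns (allowed, address the packet is handed to).
    iface_1to1 models interface-bound 1-to-1 NAT, assumed here to rewrite the
    destination only for packets that arrived on the External interface."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    src_seg = segment_of(src_ip)
    for p in policies:
        if p.port == port and p.dst == dst_ip and ("Any" in p.src or src_seg in p.src):
            delivered = p.nat_to or dst_ip
            if iface_1to1 and src_seg == "External":
                delivered = iface_1to1.get(delivered, delivered)
            return True, delivered
    return False, None   # no policy matched: Firebox default deny

def reachable(policies, src_ip, dst_ip, port, iface_1to1=None):
    """Allowed and handed to an internal segment where the server actually lives."""
    allowed, delivered = evaluate(policies, src_ip, dst_ip, port, iface_1to1)
    return bool(allowed and segment_of(delivered) != "External")

# Thread's original setup: interface 1-to-1 NAT plus the 10.0.3.2 workaround policy.
ORIGINAL = [Policy("HTTP-8080 public", 8080, {"Any"}, PUBLIC_WEB),
            Policy("HTTP-8080 workaround", 8080, {"Trusted", "Optional-1", "Optional-2"}, WEB_SERVER),
            Policy("FTP mgmt", 21, {"Trusted"}, WEB_SERVER)]
IFACE_1TO1 = {PUBLIC_WEB: WEB_SERVER}
# Jon's fix: NAT inside the policy, no interface NAT, workaround policy removed.
FIXED = [Policy("HTTP-8080 public", 8080, {"Any"}, PUBLIC_WEB, nat_to=WEB_SERVER),
         Policy("FTP mgmt", 21, {"Trusted"}, WEB_SERVER)]
```

Under ORIGINAL, `reachable(ORIGINAL, "10.0.2.10", PUBLIC_WEB, 8080, IFACE_1TO1)` is False while the same client reaches 10.0.3.2 directly; under FIXED the public address works from every segment and the direct private rule is no longer needed.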
 
LVL 6

Expert Comment

by:Jon Snyderman
Sorry, one other note.  You may need to change your dynamic NAT rules from the default 10.10.10.x-Any-External to 10.10.10.x-Any or just add another dynamic NAT rule for 10.10.10.x-Any-Optional.  I am not sure if this will be needed or not.  Try it without first.

~Jon
0
 
LVL 38

Author Comment

by:Hypercat (Deb)
Now I remember why I didn't do what you suggest, Jon, in the first place, which is how I would normally do it.  I tried that, but when I go to select the "Add NAT" option, it doesn't allow me to input a different external IP address.  The only options I have are 173.x.x.74 (the static public IP assigned to the firewall), External or Any-External. See screen capture.
[Attached screen capture: Watchguard-NAT-rule.jpg]
0
 
LVL 38

Author Comment

by:Hypercat (Deb)
NEVER MIIINNNDD ;-\ I figured out what I was missing - I didn't realize I had to go in and add those IP addresses on the external configuration as additional addresses to be used on the external interface. I was thinking old-style subnet routing where you have the subnet mask defining the external address range and don't have to do anything more than that.
0
 
LVL 6

Expert Comment

by:Jon Snyderman
Yep, good.  So it's working now?

~Jon
0
 
LVL 38

Author Closing Comment

by:Hypercat (Deb)
Everything's working perfectly now. That last little bit still mystifies me a little, but as long as it works, I'm happy. They've been trying to get this website up and running for over a year, so along with some SQL and web design consulting that we've done, my company is looking like heroes on this one!  Thanks and happy Experts Exchanging.
0
