Solved

Using multiple public IP addresses on WatchGuard Firebox X Edge firewall.

Posted on 2011-09-07
5,434 Views
Last Modified: 2012-05-12
We have a block of 5 IP addresses that we would like to use on our Firebox X Edge firewall.  Everything has been working great using one IP address set statically on the External Network interface of the firewall, however we recently added a server and would like to assign another one of our static IP addresses to it.  I have tried using the NAT section to create a 1:1 NAT to the internal IP address of the new server, but when I do this I am unable to access the Internet from any device behind the firewall.  This continues until I uncheck the "Enable secondary IP addresses" box on the NAT screen.  Once unchecked, after about 2 minutes I am able to reconnect to the internet.  

What am I doing wrong?  From all the manuals I have read, it should be as simple as enabling the secondary IP address and then creating an inbound rule to the 1:1 NAT rule.  Any help is greatly appreciated.

Thank you
Question by:DataDudes
11 Comments
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36496437
The 1:1 NAT should work for you. Here's a good guide

http://www.watchguard.com/infocenter/editorial/135177.asp

If Enable Dynamic NAT is checked, leave this setting alone, since it is the default NAT policy for all hosts behind your firewall.
 
LVL 2

Author Comment

by:DataDudes
ID: 36498042
Thanks for the information.  The guide mentions "Dynamic NAT Exceptions" that need to be created, but I don't see an option for that anywhere on my Firebox.
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36498092
 
LVL 2

Author Comment

by:DataDudes
ID: 36498194
Here is a screenshot of the only NAT section I have on my firewall.
NAT
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36498695
Does your wizard walk you through adding IPs?
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36498753
 
LVL 2

Author Comment

by:DataDudes
ID: 36499255
The wizard doesn't seem to have anything useful regarding adding IPs.  I went through that guide step by step and it still causes everything to lose Internet connection until the secondary IP addresses box is disabled.
 
LVL 29

Accepted Solution

by:Randy Downs (earned 500 total points)
ID: 36499312
OK, I assume that you meet the requirements at the beginning of that article.

Did you add a policy for 1-to-1 NAT?


When you configure secondary IP addresses on the external network:

• The primary IP address must be a static IP address.
• All secondary IP addresses must be on the same external subnet as the primary IP address.
• You cannot configure multiple IP addresses for the WAN2 failover interface. The WAN2 interface is reserved for WAN failover. Your failover IP address must be on a different subnet.

Three steps are necessary to enable 1-to-1 NAT:

1. Add at least one secondary external IP address to the Firebox.
2. Enable the secondary IP address(es) on the Firebox.
3. Configure a custom policy for 1-to-1 NAT.


Step 3 — Add or edit a policy for 1-to-1 NAT

You can use an existing policy or you can add a custom policy that defines the kinds of network traffic that can be sent or received by the device that uses the secondary external IP address.

2. From the navigation bar, select Firewall > Incoming.
The Filter Incoming Traffic page appears.

3. Find an existing policy you want to change and click Edit adjacent to that policy.
The Edit Policy page for the selected policy appears.
Or,

To add a custom packet filter or proxy policy, click Add Packet Filter Policy or Add Proxy Policy.
The Add Policy - Custom Policy page appears.

4. Make sure the Incoming tab is selected.
5. From the Incoming Filter drop-down list, select Allow or Deny to set the policy action.
6. From the Policy Host drop-down lists, select 1-to-1 NAT and the secondary external IP address pair you want to associate with the policy.

7. If this is an existing policy, click Submit.
If this is a new custom packet filter or proxy policy, use the instructions in Filter incoming traffic for a custom policy or Add or Edit a Proxy Policy to configure the other settings.
 
LVL 2

Author Comment

by:DataDudes
ID: 36499475
I have made sure that there is a custom packet filter for inbound connections and that all outbound connections are allowed.  I've attached the configuration file from our FireBox in hopes of shedding some light on the situation.
Firebox.txt
 
LVL 14

Expert Comment

by:setasoujiro
ID: 36500863
As Number-1 said, you should edit your external interface. There you can add secondary IPs.
Then, when these are added, you can just make a policy that says
from "any-external" to "add nat".

Then make a NAT in THAT wizard that says publicip-->serverIP.

I do it all the time and it works.
 
LVL 29

Expert Comment

by:Randy Downs
ID: 36502647
This may not have anything to do with your problem, but you typically want to exclude some IPs from DHCP for your servers, printers and such. Maybe start DHCP at 192.168.1.10 and assign the aforementioned devices static internal IPs below that.

networking.dhcpd.firstip: 192.168.1.2
networking.dhcpd.lastip: 192.168.1.254

Try setasoujiro's tip above. I think that will make the following changes.

networking.ethernet.00.secondary_ip.enable: 1
networking.ethernet.00.secondary_ip.list: xxx.xxx.xxx.xxx (your additional ip)


networking.ethernet.00: eth0 XX.XX.XX.9 XX.XX.XX.8 255.255.255.248 XX.XX.XX.14
networking.ethernet.00.check.enable: 0
networking.ethernet.00.dns.0: 68.87.77.130
networking.ethernet.00.linkspeed: 0
networking.ethernet.00.mac.enable: 0
networking.ethernet.00.mtu: 1500
networking.ethernet.00.nat.list:
networking.ethernet.00.rank: 50

networking.ethernet.00.secondary_ip.enable: 0
networking.ethernet.00.secondary_ip.list:

networking.ethernet.00.vlan: 0
networking.ethernet.00.vlan.enable: 0

networking.ethernet.01: eth1 192.168.1.1 192.168.1.0 255.255.255.0 192.168.1.1
networking.ethernet.01.acl.enable: 0
networking.ethernet.01.acl.list: 00:12:12:12:12:12
networking.ethernet.01.acl.log.deny: 0
networking.ethernet.01.acl.nblookup: 0
networking.ethernet.01.mtu: 1500
networking.ethernet.01.vlan: 0
networking.ethernet.01.vlan.enable: 0

networking.ethernet.02: eth2 192.168.112.1 192.168.112.0 255.255.255.0 192.168.112.1
networking.ethernet.03: eth3 0.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
networking.ethernet.03.check.enable: 0
networking.ethernet.03.vlan: 0
networking.ethernet.03.vlan.enable: 0

networking.ethernet.04: eth4 0.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0

networking.wireless.00.authtype: 2
networking.wireless.00.check.enable: 0
networking.wireless.00.eapol_version: 1
networking.wireless.00.enable: 0
networking.wireless.00.enctype: 5
networking.wireless.00.key: 1
networking.wireless.00.key1: 9fd32e992c0f0d88
networking.wireless.00.keytype: 1
networking.wireless.00.ssid: WIRELESS_0d078
networking.wireless.00.wpa_version: 1
networking.wireless.01: ath1 0.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
networking.wireless.01.acl.enable: 0
networking.wireless.02: ath2 0.0.0.0 0.0.0.0 255.255.255.0 0.0.0.0
networking.wireless.06: ath6 192.168.113.1 192.168.113.0 255.255.255.0 192.168.113.1