Solved

How can I see the "Trusted Network" from the "Optional Network" in Firebox Edge

Posted on 2011-10-07
Last Modified: 2013-11-16
I have a Firebox Edge X20e firewall.  I'm using the Optional port for my web server.  After reading a lot of posts, I created a 1 to 1 NAT for the secondary public IP to point to the web server.  The question I have now is that this web server will also need to be able to "see" one of my internal servers in the Trusted Network using ports 9000, 9995 and 997.

I created a custom packet filter:
Incoming: allow
Policy Host: 1 to 1 NAT
From: Any

Outgoing: Allow
From: 172.16.x.x (this is the IP scheme for the Trusted Network)
To: 192.168.x.x (this is the IP scheme for the Optional Network)

On the web server, I need to install the web portion of the application and when I type in the 172.16.x.x address, it couldn't find it.

What else am I missing?  Would really appreciate any help!

Thanks!
Question by:gcannon
11 Comments
 
LVL 10

Assisted Solution

by:SuperTaco
SuperTaco earned 500 total points
ID: 36934609
You need to create a rule that allows access from the web server IP to the internal IP you want.
 
LVL 32

Accepted Solution

by:dpk_wal
dpk_wal earned 500 total points
ID: 36936277
Which version of WG software are you running? If you are on version 10.x, then go to Firewall; to allow ALL network traffic from the optional network to trusted, select the "Disable traffic filters" check box.

Please note this would allow all traffic.

If you are running version 11.x then you would create a specific service. The direction from optional to trusted would be incoming; and from trusted to optional would be outgoing.
So you would have one incoming policy to have traffic from the internet go to the internal server on the optional network; and then another from optional to trusted.

Please let me know if you need more details.

Thank you.
 
LVL 1

Author Comment

by:gcannon
ID: 36937309
Thanks for the quick replies!

I'm running 10.2 of WG.  I did disable all traffic filters under Optional Network and it didn't help me.  When I tried to install my app and pointed it to the internal network IP, it couldn't find it.  When I check "Disable traffic filters", shouldn't I be able to get a ping response from the Trusted Network?  I'm also running Windows 2008 as the web server and disabled the firewall as a test to make sure that I'm not blocking anything on the server itself, but that didn't help either.  What else am I missing?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 36938805
Can you post a sanitized screenshot of the firewall page; also, on your machines on the optional/trusted network, do you have the default gateway set to the respective interface IP of the firewall, and is there NO other default gateway?

If you use traceroute, do you see the packet getting routed along the correct path?

Please update.

Thank you.
 
LVL 1

Expert Comment

by:htam
ID: 36944282
1 to 1 NAT isn't correct the way you explain your case.

I would create one packet filter on the web service with an SNAT from external to your web server
Meaning   Any   to  XXX.XXX.ExternalIP.XXX --> Trusted WebServerIP

And I would create a rule from the optional web server IP to trusted for ports 9000, 9995 and 997.
Known interfaces are automatically routed by WG

Hope it helps you
 
LVL 1

Author Comment

by:gcannon
ID: 36972154
@ dpk_wal:  attaching firewall cfg.
@ htam: not really sure what you mean by creating rules.  When I go to the Optional Network, the only choice I have is whether to allow all traffic or certain packets.

Should also mention that I'm a novice on WatchGuard. My goal is to have my external user connect to the web server that's on the Optional Network (since that's where the application will be installed), and then the web server should be able to "talk" or "see" or "connect" to my internal network via specific ports (9000, 9995, 997).  I have another public IP address that I will give them and that public IP is set up as a secondary IP on WatchGuard via 1 to 1 NAT.

I really do appreciate all the comments.

Thanks!
WG.pdf
 
LVL 32

Expert Comment

by:dpk_wal
ID: 36972890
>> My goal is to have my external user connect to the web server that's on the Optional Network (since that's where the application will be installed)
For this you have configured 1-1 NAT which I see in the screenshots.

>> then the web server should be able to "talk" or "see" or "connect" to my internal network via specific ports (9000,9995, 997)
As I posted earlier you CANNOT control the ports; you can either choose ALL traffic or NONE between optional and trusted. Maybe for simplicity you can move the SSL server to the trusted network itself.

>> I have another public IP address that I will give them and that public IP is setup as a secondary IP on WatchGuard via 1to1 NAT
Have you configured 1-1 NAT and also a secondary IP for the same public IP? If yes, then you can only use EITHER 1-1 NAT or secondary IP for static NAT; please remove one and check the results.

Please also update on traceroute and default gateway details as I requested earlier.

Thank you.
 
LVL 1

Author Comment

by:gcannon
ID: 36976280
>> then the web server should be able to "talk" or "see" or "connect" to my internal network via specific ports (9000,9995, 997)
>> As I posted earlier you CANNOT control the ports; you can either choose ALL traffic or NONE between optional and trusted. Maybe for simplicity you can move the SSL server to the trusted network itself.

But I can accomplish this by allowing traffic from the Optional Network to the Trusted Network, correct?


>> I have another public IP address that I will give them and that public IP is setup as a secondary IP on WatchGuard via 1to1 NAT
>> Have you configured 1-1 NAT and also a secondary IP for the same public IP? If yes, then you can only use EITHER 1-1 NAT or secondary IP for static NAT; please remove one and check the results.

The public IP that I configured on the 1-1 NAT is the public IP that I will give my users.  That's the only one I have configured.

>> on your machines on the optional/trusted network, do you have the default gateway set to the respective interface IP of the firewall, and is there NO other default gateway?
>> Please also update on traceroute and default gateway details as I requested earlier.

I do have the default gateway set to the respective interface IP of the firewall and no other default gateway:
Optional Network IP: 192.168.112.10  GW: 192.168.112.1
Trusted Network IP: 172.16.1.10  GW: 172.16.1.254

Traceroute fails on 172.16.1.254

Thank you.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 36977572
To ensure that there is no server configuration issue, can you move your server to the trusted network and actually have an IP assigned in the 192.168.112.x subnet [if your server is dual or multi-homed, it is recommended to disable all but one network card]; also change the WG firewall forwarding rule and see if everything is working.
When the above is verified, then we would move the server to the 172.16.1.x subnet and troubleshoot further.

Please update.

Thank you.
 
LVL 1

Expert Comment

by:htam
ID: 36992388
1 to 1 NAT is used to redirect all ports from one IP to another IP.  If you make an SNAT rule, directly in the rules, you can redirect one IP to a different IP for each port ... so it is less restrictive!  To do that, remove all 1 to 1 NAT and in each rule where you want to do NAT, select SNAT in the "TO" destination of the rule.
 
LVL 1

Author Comment

by:gcannon
ID: 37065945
Thanks for everyone's help.  I finally got it to work.  I have reversed the outgoing rule on my custom packet filter.  It should be allow from web server IP to LAN IP.  Now my web server can "see" one of the servers in my LAN.

Thanks again for all the input and suggestions!  I learned a lot!
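The three policies discussed in this thread, compared side by side: the asker's original custom filter (From 172.16.x.x To 192.168.x.x), dpk_wal's "Disable traffic filters" option in the accepted solution, and the host-to-host rule the asker ended with in the final comment, narrowed to the three application ports. This is an added example written for this page, not WatchGuard's software or anything posted in the thread. The host addresses and ports come from the thread; the first-match/default-deny matcher, the /24 masks, port 445 and the extra hosts 172.16.1.20 and 192.168.112.50 are constructed assumptions.

```python
"""Toy evaluator for a zone-to-zone packet filter (added example, not WatchGuard code).

Models a first-match, default-deny policy so the approaches from the thread can be
compared on the same set of sample connections.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A new connection as the firewall sees it: initiator, responder, destination port.
    Replies ride on the connection's state and are not matched against rules again."""
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # CIDR, a single host, or "any"
    dst: str                      # CIDR, a single host, or "any"
    ports: Tuple[int, ...] = ()   # empty tuple means every port
    action: str = "allow"


def _addr_matches(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Source, destination and port all have to match; direction is implied by src/dst."""
    return (_addr_matches(rule.src, flow.src)
            and _addr_matches(rule.dst, flow.dst)
            and (not rule.ports or flow.dport in rule.ports))


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """First matching rule decides; a flow no rule matches is dropped (default deny)."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return "deny", None


WEB_SERVER = "192.168.112.10"   # optional-network host from the thread
APP_SERVER = "172.16.1.10"      # trusted-network host from the thread
APP_PORTS = (9000, 9995, 997)   # ports the application needs, from the question

# The asker's original custom filter: From 172.16.x.x To 192.168.x.x. The web server opens
# connections the other way round, so this rule never matches them (/24 masks assumed).
ORIGINAL_POLICY = [Rule("trusted-to-optional", "172.16.1.0/24", "192.168.112.0/24")]

# "Disable traffic filters": every optional->trusted connection passes, whatever the port.
DISABLED_FILTERS = [Rule("allow-all", "any", "any")]

# The rule the asker ended with, kept to least privilege: one source host, one
# destination host, only the three application ports.
LEAST_PRIVILEGE = [Rule("web-to-app", WEB_SERVER, APP_SERVER, APP_PORTS)]

# Constructed sample of new connections from the optional network into trusted.
SAMPLE_FLOWS = [
    Flow(WEB_SERVER, APP_SERVER, 9000),
    Flow(WEB_SERVER, APP_SERVER, 9995),
    Flow(WEB_SERVER, APP_SERVER, 997),
    Flow(WEB_SERVER, APP_SERVER, 445),          # assumed: a port the application does not need
    Flow(WEB_SERVER, "172.16.1.20", 9000),      # assumed: a different trusted host
    Flow("192.168.112.50", APP_SERVER, 9000),   # assumed: a different optional host
]


def allowed_flows(policy: List[Rule]) -> List[Flow]:
    """Which sample connections a policy lets through; the count is its exposure."""
    return [f for f in SAMPLE_FLOWS if evaluate(policy, f)[0] == "allow"]


if __name__ == "__main__":
    for label, policy in [("original filter", ORIGINAL_POLICY),
                          ("traffic filters disabled", DISABLED_FILTERS),
                          ("least privilege", LEAST_PRIVILEGE)]:
        print(f"{label}: {len(allowed_flows(policy))} of {len(SAMPLE_FLOWS)} sample flows allowed")
        for f in SAMPLE_FLOWS:
            print(f"  {f.src} -> {f.dst}:{f.dport}  {evaluate(policy, f)}")
```

Running it shows why the original filter let nothing through (its source and destination are reversed relative to the connections the web server initiates), why disabling the traffic filters "worked" only in the sense of allowing every port and every host pair, and that the corrected host-to-host rule admits exactly the three application ports and nothing else.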