gcannon asked:
How can I see the "Trusted Network" from the "Optional Network" in Firebox Edge

I have a Firebox Edge X20e firewall.  I'm using the Optional port for my web server.  After reading a lot of posts, I created a 1 to 1 NAT for the secondary public IP to point to the web server.  The question I have now is that this web server will also need to be able to "see" one of my internal servers in the Trusted Network using ports 9000, 9995 and 997.

I created a custom packet filter:
Incoming: allow
Policy Host: 1 to 1 NAT
From: Any

Outgoing: Allow
From: 172.16.x.x (this is the IP scheme for the Trusted Network)
To: 192.168.x.x (this is the IP scheme for the Optional Network)

On the web server, I need to install the web portion of the application and when I type in the 172.16.x.x address, it couldn't find it.

What else am I missing?  Would really appreciate any help!

Thanks!
SOLUTION
SuperTaco
ASKER CERTIFIED SOLUTION
dpk_wal
gcannon (ASKER):
Thanks for the quick replies!

I'm running 10.2 of WG.  I did disable all traffic filters under Optional Network and it didn't help me.  When I tried to install my app and pointed it to the internal network IP, it couldn't find it.  When I check "Disable traffic filters", shouldn't I be able to get a ping response from the Trusted Network?  I'm also running Windows 2008 as the web server and disabled the firewall as a test to make sure that I'm not blocking anything on the server itself, but that didn't help either.  What else am I missing?
Can you post a sanitized screenshot of the firewall page? Also, on your machines on the optional/trusted network, do you have the default gateway set to the respective interface IP of the firewall, with NO other default gateway?

If you use traceroute, do you see the packet getting routed along the correct path?

Please update.

Thank you.
1 to 1 NAT isn't correct the way you explain your case.

I would create one packet filter on the web service with an SNAT from external to your web server.
Meaning: Any to XXX.XXX.ExternalIP.XXX --> Trusted WebServerIP

And I would create a rule from the optional web server IP to trusted for ports 9000, 9995 and 997.
Known interfaces are automatically routed by WG.

Hope it helps you.
gcannon (ASKER):

@ dpk_wal:  attaching firewall cfg.
@ htam: not really sure what you mean by creating rules.  When I go to the Optional Network, the only choice I have is whether to allow all traffic or certain packets.

Should also mention that I'm a novice on WatchGuard. My goal is to have my external users connect to the web server that's on the Optional Network (since that's where the application will be installed), and then the web server should be able to "talk" or "see" or "connect" to my internal network via specific ports (9000, 9995, 997).  I have another public IP address that I will give them, and that public IP is set up as a secondary IP on WatchGuard via 1 to 1 NAT.

I really do appreciate all the comments.

Thanks!
WG.pdf
>> My goal is to have my external user connect to the web server that's on the Optional Network (since that's where the application will be installed)
For this you have configured 1-1 NAT which I see in the screenshots.

>> then the web server should be able to "talk" or "see" or "connect" to my internal network via specific ports (9000,9995, 997)
As I posted earlier, you CANNOT control the ports; you can either choose ALL traffic or NONE between optional and trusted. Maybe for simplicity you can move the SSL server to the trusted network itself.

>> I have another public IP address that I will give them and that public IP is setup as a secondary IP on WatchGuard via 1to1 NAT
Have you configured 1-1 NAT and also a secondary IP for the same public IP? If yes, then you can only use EITHER 1-1 NAT or secondary IP for static NAT; please remove one and check the results.

Please also update on traceroute and default gateway details as I requested earlier.

Thank you.
gcannon (ASKER):

>> then the web server should be able to "talk" or "see" or "connect" to my internal network via specific ports (9000,9995, 997)
>> As I posted earlier you CANNOT control the ports; you can either choose ALL traffic or NONE between optional and trusted. May be for simplicity you can move the SSL server to trusted network itself.

But I can accomplish this by allowing traffic from the Optional Network to the Trusted Network, correct?


>> I have another public IP address that I will give them and that public IP is setup as a secondary IP on WatchGuard via 1to1 NAT
>> Have you configured 1-1 NAT and also secondary IP for the same public IP; is yes, then you can only use EITHER 1-1 NAT or secondary IP for static NAT; please remove one and check results.

The public IP that I configured on the 1-1 NAT is the public IP that I will give my users.  That's the only one I have configured.

>> on your machines on optional/trusted network you do have default gateway as respective interface IP of the firewall and there is NO other default gateway.
>> Please also update on traceroute and default gateway details as I requested earlier.

I do have the default gateway set to the respective interface IP of the firewall and no other default gateway:
Optional Network IP: 192.168.112.10  GW: 192.168.112.1
Trusted Network IP: 172.16.1.10  GW: 172.16.1.254

Traceroute fails on 172.16.1.254

Thank you.
To ensure that there is no server configuration issue, can you move your server to the trusted network and actually have an IP assigned in the 192.168.112.x subnet [if your server is dual- or multi-homed, it is recommended to disable all but one network card]; also change the WG firewall forwarding rule and see if everything is working.
When the above is verified, we would then move the server to the 172.16.1.x subnet and troubleshoot further.

Please update.

Thank you.
1 to 1 NAT is used to redirect all ports from one IP to another IP.  If you make SNAT rules directly in the rules, you can redirect one IP to a different IP for each port ... so it is less restrictive!  To do that, remove all 1 to 1 NAT and, in each rule where you want to do NAT, select SNAT in the "TO" destination of the rule.
gcannon (ASKER):

Thanks for everyone's help.  I finally got it to work.  I have reversed the outgoing rule on my custom packet filter.  It should be allow from web server IP to LAN IP.  Now my web server can "see" one of the servers in my LAN.

Thanks again for all the input and suggestions!  I learned a lot!
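The direction mistake that closed this thread, as an added example that is not part of the forum thread and not WatchGuard code: a small model of a packet filter evaluates the connection the web server opens towards the LAN server, first with the asker's original outgoing rule (From Trusted, To Optional) and then with the fixed rule (From web server, To LAN). The addresses are the ones the asker posted; the /24 for Optional and /16 for Trusted are assumed from the 192.168.x.x and 172.16.x.x schemes given.

```python
"""Model of a stateful packet filter evaluating the initiating direction.

Added example, not from the thread or WatchGuard. A Rule covers
(source networks, destination networks, destination ports). Only the
first packet of a connection is matched: a stateful firewall admits the
replies of an established session on its own, so reply traffic never
needs a rule in the opposite direction.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src_nets: tuple       # networks a connection may originate from
    dst_nets: tuple       # networks a connection may be opened to
    ports: frozenset      # destination ports the rule covers

    def matches(self, src: str, dst: str, port: int) -> bool:
        s, d = ip_address(src), ip_address(dst)
        return (any(s in ip_network(n) for n in self.src_nets)
                and any(d in ip_network(n) for n in self.dst_nets)
                and port in self.ports)


OPTIONAL = "192.168.112.0/24"   # assumed mask for the asker's 192.168.x.x
TRUSTED = "172.16.0.0/16"       # assumed mask for the asker's 172.16.x.x
WEB_SERVER = "192.168.112.10"   # web server on Optional (from the thread)
LAN_SERVER = "172.16.1.10"      # internal server on Trusted (from the thread)
APP_PORTS = frozenset({9000, 9995, 997})

# The asker's original outgoing rule: From Trusted, To Optional.
reversed_rule = Rule("outgoing (original)", (TRUSTED,), (OPTIONAL,), APP_PORTS)
# After the fix: From the web server IP, To the LAN.
fixed_rule = Rule("outgoing (fixed)", (WEB_SERVER + "/32",), (TRUSTED,), APP_PORTS)


def first_match(rules, src, dst, port):
    """Name of the first rule allowing the connection, or None if dropped."""
    for r in rules:
        if r.matches(src, dst, port):
            return r.name
    return None


def check_app_connections(rules):
    """For each application port, which rule lets web server -> LAN through."""
    return {p: first_match(rules, WEB_SERVER, LAN_SERVER, p)
            for p in sorted(APP_PORTS)}
```

With the original rule every port is dropped, because the web server is the source and sits on Optional, not Trusted; the fixed rule matches all three ports.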