How can I see the "Trusted Network" from the "Optional Network" in Firebox Edge

I have a Firebox Edge X20e firewall.  I'm using the Optional port for my web server.  After reading a lot of posts, I created a 1 to 1 NAT for the secondary public IP to point to the web server.  The question I have now is that this web server will also need to be able to "see" one of my internal servers in the Trusted Network using ports 9000, 9995 and 997.

I created a custom packet filter:
Incoming: allow
Policy Host: 1 to 1 NAT
From: Any

Outgoing: Allow
From: 172.16.x.x (this is the IP scheme for the Trusted Network)
To: 192.168.x.x (this is the IP scheme for the Optional Network)

On the web server, I need to install the web portion of the application and when I type in the 172.16.x.x address, it couldn't find it.

What else am I missing?  Would really appreciate any help!

Thanks!
gcannonAsked:
SuperTacoCommented:
You need to create a rule that allows access from the web server IP to the internal IP you want.
0
dpk_walCommented:
Which version of WG software are you running; if you are on version 10.x, then go to Firewall; to allow ALL network traffic from optional network to trusted select "Disable traffic filters" check box.

Please note this would allow all traffic.

If you are running version 11.x then you would create a specific service. The direction from optional to trusted would be incoming; and from trusted to optional would be outgoing.
So you would have one incoming policy to have traffic from the internet go to the internal server on the optional network; and then another from optional to trusted.

Please let know if you need more details.

Thank you.
0

gcannonAuthor Commented:
Thanks for the quick replies!

I'm running 10.2 of WG.  I did disable all traffic filter under Optional Network and didn't help me.  When I tried to install my app and pointed to the internal network IP, it couldn't find it.  When I check "Disable traffic filters", shouldn't I be able to get a ping response from the Trusted Network?  I'm also running Windows 2008 as the web server and disabled the firewall as a test to make sure that I'm not blocking anything on the server itself but that didn't help either.  What else am I missing?
0
dpk_walCommented:
Can you post a sanitized screenshot of the firewall page; also, on your machines on the optional/trusted network you do have the default gateway as the respective interface IP of the firewall and there is NO other default gateway.

If you use traceroute; do you get packet getting routed along correct path.

Please update.

Thank you.
0
htamCommented:
1 to 1 NAT isn't correct the way you explain your case.

I would create one packet filter on the web service with a SNAT from external to your web server
Meaning   Any   to  XXX.XXX.ExternalIP.XXX --> Trusted WebServerIP

And I would create a rule from the optional web server IP to trusted for ports 9000, 9995 and 997.
Known interfaces are automatically routed by WG

Hope it helps you
0
gcannonAuthor Commented:
@ dpk_wal:  attaching firewall cfg.
@ htam: not really sure what you mean by creating rules.  When I go to the Optional Network, the only choice I have is whether to allow all traffic or certain packets.

Should also mention that I'm a novice on WatchGuard. My goal is to have my external user connect to the web server that's on the Optional Network (since that's where the application will be installed), and then the web server should be able to "talk" or "see" or "connect" to my internal network via specific ports (9000,9995, 997).  I have another public IP address that I will give them and that public IP is setup as a secondary IP on WatchGuard via 1to1 NAT.

I really do appreciate all the comments.

Thanks!
WG.pdf
0
dpk_walCommented:
>> My goal is to have my external user connect to the web server that's on the Optional Network (since that's where the application will be installed)
For this you have configured 1-1 NAT which I see in the screenshots.

>> then the web server should be able to "talk" or "see" or "connect" to my internal network via specific ports (9000,9995, 997)
As I posted earlier you CANNOT control the ports; you can either choose ALL traffic or NONE between optional and trusted. Maybe for simplicity you can move the SSL server to the trusted network itself.

>> I have another public IP address that I will give them and that public IP is setup as a secondary IP on WatchGuard via 1to1 NAT
Have you configured 1-1 NAT and also a secondary IP for the same public IP; if yes, then you can only use EITHER 1-1 NAT or secondary IP for static NAT; please remove one and check results.

Please also update on traceroute and default gateway details as I requested earlier.

Thank you.
0
gcannonAuthor Commented:
>> then the web server should be able to "talk" or "see" or "connect" to my internal network via specific ports (9000,9995, 997)
>> As I posted earlier you CANNOT control the ports; you can either choose ALL traffic or NONE between optional and trusted. Maybe for simplicity you can move the SSL server to the trusted network itself.

But I can accomplish this by allowing traffic from the Optional Network to the Trusted Network, correct?

>> I have another public IP address that I will give them and that public IP is setup as a secondary IP on WatchGuard via 1to1 NAT
>> Have you configured 1-1 NAT and also a secondary IP for the same public IP; if yes, then you can only use EITHER 1-1 NAT or secondary IP for static NAT; please remove one and check results.

The public IP that I configured on the 1-1 NAT is the public IP that I will give my users.  That's the only one I have configured.

>> on your machines on the optional/trusted network you do have the default gateway as the respective interface IP of the firewall and there is NO other default gateway.
>> Please also update on traceroute and default gateway details as I requested earlier.

I do have the default gateway as the respective interface IP of the firewall and no other default gateway:
Optional Network IP: 192.168.112.10  GW: 192.168.112.1
Trusted Network IP: 172.16.1.10  GW: 172.16.1.254

Traceroute fails on 172.16.1.254

Thank you.
0
dpk_walCommented:
To ensure that there is no server configuration issue; can you move your server to the trusted network and actually have an IP assigned in the 192.168.112.x subnet [if your server is dual or multi-homed; it is recommended to disable all but one network card]; also change the WG firewall forwarding rule and see if everything is working.
When the above is verified, then we would move the server to the 172.16.1.x subnet and troubleshoot further.

Please update.

Thank you.
0
htamCommented:
1 to 1 NAT is used to redirect all ports from one IP to another IP.  If you make SNAT rules, directly in the rules, you can redirect one IP to a different IP for each port ... so it is less restrictive!  To do that, remove all 1 to 1 NAT and in each rule where you want to do NAT, select SNAT in the "TO" destination of the rule
0
gcannonAuthor Commented:
Thanks for everyone's help.  I finally got it to work.  I have reversed the outgoing rule on my custom packet filter.  It should be allow from web server IP to LAN IP.  Now my web server can "see" one of the servers in my LAN.

Thanks again for all the input and suggestions!  I learned a lot!
0
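The fix in the accepted answer is a direction mistake: the outgoing rule was written trusted -> optional, so it never matched a connection the web server initiated towards the LAN. The following is an added example (not WatchGuard's code or anything posted in the thread) that models a simplified first-match packet filter with the addresses from the thread, and shows the reversed rule denying the flow, the corrected rule allowing only the three application ports, and "Disable traffic filters" allowing everything; the policy model is a constructed simplification, not the Firebox Edge's actual rule engine.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Addresses come from the thread; the policy model is a simplified stand-in
# for the Firebox Edge packet filter, not WatchGuard's own logic.
WEB_SERVER = "192.168.112.10"   # optional network
LAN_SERVER = "172.16.1.10"      # trusted network
APP_PORTS = frozenset({9000, 9995, 997})

@dataclass(frozen=True)
class Policy:
    name: str
    src: str                 # CIDR, single IP, or "any"
    dst: str
    ports: frozenset         # empty set means any destination port
    action: str = "allow"

def _in(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def matches(p, src_ip, dst_ip, dport):
    return _in(src_ip, p.src) and _in(dst_ip, p.dst) and (not p.ports or dport in p.ports)

def evaluate(policies, src_ip, dst_ip, dport):
    """First matching policy wins; traffic between interfaces is denied by default."""
    for p in policies:
        if matches(p, src_ip, dst_ip, dport):
            return p.action
    return "deny"

# The original outgoing rule: trusted -> optional. A connection initiated by
# the web server has src 192.168.x.x, so this never matches it.
REVERSED = [Policy("outgoing-reversed", "172.16.0.0/16", "192.168.0.0/16", frozenset())]
# The fix from the accepted answer: web server IP -> LAN server IP, narrowed
# here to the three application ports (least privilege).
FIXED = [Policy("web-to-lan", WEB_SERVER, LAN_SERVER, APP_PORTS)]
# "Disable traffic filters": everything between optional and trusted is allowed.
DISABLED_FILTERS = [Policy("allow-all", "any", "any", frozenset())]

def check(policies, port=9000):
    """Verdict for a web server -> LAN server connection on the given port."""
    return evaluate(policies, WEB_SERVER, LAN_SERVER, port)

if __name__ == "__main__":
    for name, pol in [("reversed", REVERSED), ("fixed", FIXED), ("filters off", DISABLED_FILTERS)]:
        print(f"{name:12} port 9000 -> {check(pol)}; port 445 -> {check(pol, 445)}")
```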