Watchguard XTM 21 One to One Nat map kills internet connection on target

I'm having trouble setting up my watchguard xtm 21 with one to one nat. I've read all the manuals on the site and in the kb, and I think I've set it up correctly, but may be missing a policy. Once I set up the 1-1 nat, the server loses connectivity to the internet.

I have a block of statics from my ISP. I added the additional IPs in network -> configuration -> external -> secondary.

Then went to network -> nat -> 1-to-1 NAT -> single ip -> interface external, nat base the external static ip, real base the internal ip address.

Save the config file, and the server loses internet. Remove the 1 to 1 mapping and it gets internet back.

I think I'm missing a policy that allows internet traffic - but the manual is sketchy about this - and I'm new to watchguard... any help is appreciated.

Happy New Year and thanks in advance.
davewag77Asked:

dpk_walCommented:
There should only be one entry either under interface secondary network used for static NAT or one under 1-1 NAT.

Please remove the public IP entry from secondary and have the entry under 1-1 NAT as you have configured; check and update.

Thank you.
0
davewag77Author Commented:
Ok, I took the additional IPs out from the secondary on the interface, still no internet connection on the one to one nat computer. The one to one nat was set up like this:

single IP
interface: external
nat base: the external static ip
real base: the internal ip address

Is there anything else I'd have to do to get it to work? Create a policy?
0
lruiz52Commented:
Can you post the IP settings of the server ("ipconfig /all")?

Also, what policies do you have active on your WatchGuard?

Try creating an http-out rule:
allowed from: any to: any-external


0

davewag77Author Commented:
The ip settings of the server are just the local IP, mildly sanitized ipconfig below.

The watchguard is new out of the box, default policies only. No luck with a http-out rule from any to any-external, still no internet connection.

Mildly sanitized ipconfig /all:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ********
   Primary Dns Suffix  . . . . . . . : *******.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . :*******.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : **-**-**-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.1.17
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.1
   DHCP Server . . . . . . . . . . . : 10.10.1.1
   DNS Servers . . . . . . . . . . . : 10.10.1.20
                                       4.2.2.3
   NetBIOS over Tcpip. . . . . . . . : Enabled
0
lruiz52Commented:
On your primary DNS (10.10.1.1), do you have a forwarder to your ISP's DNS or an external address like Google's DNS servers (8.8.8.8 and 8.8.4.4)?

As a test, remove 10.10.1.1 from the server's DNS settings; maybe the internal DNS is causing issues.
0
davewag77Author Commented:
10.10.1.1 is the gateway
10.10.1.20 is the internal name server
 
I removed the internal DNS and am just using 4.2.2.2, 4.2.2.3:

The second I add the 1-1 nat the internet cuts out. Remove it, internet is back up.
0
lruiz52Commented:
Can you post or attach your config.xml?
0
davewag77Author Commented:
0
lruiz52Commented:
Can't access it.
0
davewag77Author Commented:
I was a little reluctant to post it here with my ip info, etc, but I guess the google docs didn't work...
0
davewag77Author Commented:
Lets see if I can upload it this time...
XTM21.xml
0
lruiz52Commented:
OK, on your DNS rule change it from
from: any-Trusted  to:Any-External

to

from any to any-external

see if that helps.
0
davewag77Author Commented:
Thanks lruiz, made the change in the DNS rule, but still no internet access.
0
lruiz52Commented:
Also, you can remove rule 7.

On the server, can you ping 4.2.2.3? If you can't get access, it sounds like a DNS issue.

If you are able to ping that, you are able to get to the internet but are having name resolution issues.
0
davewag77Author Commented:
The ping does not get out - "request timed out"

The static IPs do work, if I plug a laptop in to the line from verizon and set it with the static IP, I get internet.
0
lruiz52Commented:
Is the built-in firewall on the server turned off?
0
davewag77Author Commented:
It's running Win 2k8 R2, and yes, Windows Firewall is on but the appropriate ports are open (as is ping), and it had worked prior to upgrading to the WatchGuard.
0
lruiz52Commented:
After you make the changes, are you saving the configuration to the Firebox?
0
davewag77Author Commented:
When using the Watchguard system manager, yes, but I've been mostly using the web ui as this is my first time with this hardware.

I do have a live support subscription, but only the 8x5, so I'm without watchguard's help until tomorrow AM.
0
lruiz52Commented:
Have you checked the firewall logs?

When it stops working, can you still ping the Firebox?

Can you do a tracert to www.msn.com and see what the last hop is?

Do an nslookup and see if you can still resolve names.

0
davewag77Author Commented:
The firebox is still accessible, and I can ping it.

Tracert:
Tracing route to us.col.cb3.glbdns.microsoft.com [70.37.131.153] over a maximum of 30 hops:
1      1ms      1ms    <1ms    10.10.1.1
2       *           *          *           Request timed out.
3       *           *          *           Request timed out.
4       *           *          *           Request timed out.
5       *           *          *           Request timed out.
6       *           *          *           Request timed out.
7       *           *          *           Request timed out.
8       *           *          *           Request timed out.

nslookup:

DNS request timed out.
        timeout was 2 seconds.
Default Server: UnKnown
Address:   4.2.2.2

Nothing in the traffic monitor with either the public ip or internal ip.
0
lruiz52Commented:
Have you tried restarting the firebox?
0
davewag77Author Commented:
No luck with the reset. Who should I call first, Verizon or WatchGuard?
0
davewag77Author Commented:
Went into the traffic monitor and happened to notice this, not sure if it may be related:

2012-01-01 18:59:33 Deny 10.10.1.50 4.2.2.3 dns/udp 60390 53 4-Trusted GigE Internal 5-External .211 ddos client quota 57 127 (Internal Policy)  proc_id="firewall" rc="101"       Traffic
2012-01-01 18:59:33 Deny 10.10.1.50 4.2.2.3 dns/udp 59387 53 4-Trusted GigE Internal 5-External .211 ddos client quota 57 127 (Internal Policy)  proc_id="firewall" rc="101"       Traffic
0
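The two traffic-monitor lines above are the kind of evidence a firewall log review turns on. The following is an added example, not code from the thread or from WatchGuard, that parses lines in that layout and counts repeated Deny events such as the "ddos client quota" drops; the field layout, the constructed Allow line and the function names are assumptions.

```python
"""Parse WatchGuard Firebox traffic-monitor lines and summarise Deny events.

Assumed field layout (taken from the lines quoted in the thread):
date time action src dst service sport dport in-iface out-iface message
(policy) key="value"... category
"""
import re
from collections import Counter

# Constructed sample log modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
2012-01-01 18:59:33 Deny 10.10.1.50 4.2.2.3 dns/udp 60390 53 4-Trusted GigE Internal 5-External .211 ddos client quota 57 127 (Internal Policy)  proc_id="firewall" rc="101"       Traffic
2012-01-01 18:59:33 Deny 10.10.1.50 4.2.2.3 dns/udp 59387 53 4-Trusted GigE Internal 5-External .211 ddos client quota 57 127 (Internal Policy)  proc_id="firewall" rc="101"       Traffic
2012-01-01 18:59:34 Allow 10.10.1.17 4.2.2.3 dns/udp 51000 53 4-Trusted GigE Internal 5-External .211 Allowed 60 64 (DNS-00)  proc_id="firewall" rc="100"       Traffic
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) (?P<service>\S+) '
    r'(?P<sport>\d+) (?P<dport>\d+) (?P<body>.*?) \((?P<policy>[^)]*)\)\s+'
    r'(?P<kv>(?:\w+="[^"]*"\s*)*)(?P<category>\S+)\s*$'
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of fields for one traffic-monitor line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec.update(KV_RE.findall(rec.pop("kv")))  # proc_id="firewall" rc="101" -> keys
    return rec


def deny_summary(log_text):
    """Count Deny events keyed by (src, dst, service, reason) so that repeated
    drops such as 'ddos client quota' against one client stand out."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "Deny":
            continue
        reason = "ddos client quota" if "ddos client quota" in rec["body"] else "other"
        counts[(rec["src"], rec["dst"], rec["service"], reason)] += 1
    return counts
```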
lruiz52Commented:
Call WatchGuard; your 1-1 NAT is OK, and your policies seem fine except for #7. Weird issue.
0
davewag77Author Commented:
Deleted #7.

Thanks for all your help lruiz, I'll let you know what Watchguard says.
0
lruiz52Commented:
One thing I forgot to ask was, are you setting up a one-to-one for a specific service? You could try setting up a static NAT from within the specified service.
0
dpk_walCommented:
Can you check with your ISP that they indeed have the routes in place to send traffic back to you when you are using the said public IP?

Thank you.
0
davewag77Author Commented:
Helpful, but unable to resolve issue. Chose this as the solution as his comment to call the manufacturer for support was the most helpful, they were able to resolve the issue by remoting in to my xtm 21.
0