Solved

use FireBox logging with SBS 2003 network

Posted on 2012-03-09
8
497 Views
Last Modified: 2012-04-18
I'm working out a better configuration for the network in our office.

Currently, a Firebox x20e in mixed routing mode sits between the cable modem and the WAN port of the windows server. The server's LAN port connects to the office network; workstations printers and a few misc. Workers commonly connect to their desktops via RWW.

In particular, I want to take advantage of the Firebox's logging features. It is currently quite limited, as the LAN traffic is all NAT'd through the server, so there is only one IP source of internal traffic.

Will I need to modify the network so that the Firebox is the gateway? Is there some way of exposing the LAN to the firebox through the windows server?
0
Comment
Question by:SonicVoom
  • 4
  • 4
8 Comments
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 37706015
It would be preferred to have firebox do NAT, either directly by making change on servers to send traffic to firebox.
Or you can configure your windows server to route traffic rather than NAT and then have firebox do NAT. In this case change on your network would be minimal. You would need to add a network route on your firebox.

Please note the firebox depending on model sometimes supports limited users; if so, please check that your current devices do not exceed the allowed user count [if applicable]; otherwise you would need to provision additional licenses. Having windows server do NAT, you only consume single user license, but then loose logging/reporting facilities on firebox.

Thank you.
0
 
LVL 2

Author Comment

by:SonicVoom
ID: 37712148
The firebox's trusted network is currently 192.168.11.x. The NAT'd SBS network is 192.168.16.x. Either way that you suggest, I'll need these to be the same, correct?

If I'm understanding this correctly, I'll change the Firebox trusted network to 192.168.16.x.  Would I need to make a subnet (to be assigned by the SBS DHCP) so I can create the route to the ID of that subnet (which would be set to the SBS WAN nic)?
0
 
LVL 2

Author Comment

by:SonicVoom
ID: 37712492
I did some reading and I understand more now. I need to disable NAT on SBS server, and create a route on Firebox from 192.168.11.6 (SBS WAN IP) to 192.168.16.0/24.

Is that all? Could it really be so simple?

I tested this by adding another router to the network as 192.168.11.9 and set a route of 192.168.11.9 to 192.168.5.0/24, and the two IP's behind it are showing in the Firebox logs.

So I've proven my concept, but I'd like to know... what I don't know.

Thanks
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 32

Expert Comment

by:dpk_wal
ID: 37712947
Yes you need to disabled NAT on SBS and add a route on your firebox and you would be done.

Other thing as you mentioned, if you wish, can configure WG on IP subnet 192.168.16.x but then you would additionally need to change default gateway on your machine to WG internal IP for best results.

Please let know if you need more details.

Thank you.
0
 
LVL 2

Author Comment

by:SonicVoom
ID: 37727107
If I create the route to 192.168.16.0/24 at gateway 192.168.11.6 before disabling NAT on 192.168.11.6, is there any reason why traffic could be interrupted? Nothing on the 192.168.11.x network will be attempting to communicate with the 192.168.16.x network yet, so no packets would be directed along that route. But what would happen if some were? I assume the packets would simply be dropped?

Is there any way that I could route packets from a specified 11.x IP address (my vpn IP) while continuing to perform NAT for all other traffic?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37732459
If you add route and your SBS still does NAT there would be NO harm.
Even if somehow WG receives packet from 16.x network it would do necessary NAT [as needed] and finally forward them to your SBS. Here, if your SBS drops or forwards the packet, need to be seen and I cannot comment.

>> route packets from a specified 11.x IP address (my vpn IP) while continuing to perform NAT for all other traffic?
Route packets to which destination; and which device does NAT for all other traffic; what is this all other traffic. Provide more details so I can answer this question.

Thank you.
0
 
LVL 2

Author Comment

by:SonicVoom
ID: 37739865
I mean, could I keep NAT active on the server, but allow a single IP address on the 11.x network (outside of the lan/server) access through the server (to the 16.x network) as though NAT were disabled?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37740523
As the 16.x network is behind SBS, none of the devices on 11.x network has knowledge that NAT exists. For them SBS is sending traffic to different host on 11.x subnet or to outside world.
If you wish any device on 11.x to connect to any other machine on 16.x network, you would need to configure destination NAT on SBS. Using 11.x IP of SBS or any other free IP on 11.x subnet, any other machine on 11.x subnet would send packet; SBS would do NAT and further send the packet to correct machine on 16.x network.

Thank you.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5512 LAN Config 16 79
Setting up a VPN 60 184
Remote Desktop Support Tools Like "Go to MY PC", etc 10 51
adjusting startup config 6 26
This article is a step by step guide on how to create a basic PTP link using Ubiquiti airOS devices. This guide can be used on the following Ubiquiti AirMAX devices. Nanostation, Bullets, AirBridge, Nanobeam, NanoBridge to name a few. Please review …
An article on effective troubleshooting
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question