Solved

use FireBox logging with SBS 2003 network

Posted on 2012-03-09
491 Views
Last Modified: 2012-04-18
I'm working out a better configuration for the network in our office.

Currently, a Firebox x20e in mixed routing mode sits between the cable modem and the WAN port of the Windows server. The server's LAN port connects to the office network: workstations, printers and a few misc. Workers commonly connect to their desktops via RWW.

In particular, I want to take advantage of the Firebox's logging features. It is currently quite limited, as the LAN traffic is all NAT'd through the server, so there is only one IP source of internal traffic.

Will I need to modify the network so that the Firebox is the gateway? Is there some way of exposing the LAN to the firebox through the windows server?
Question by:SonicVoom
8 Comments
 
LVL 32

Accepted Solution by: dpk_wal (earned 500 total points)
It would be preferable to have the Firebox do NAT, either directly, by making a change on the server to send traffic to the Firebox, or by configuring your Windows server to route traffic rather than NAT and then having the Firebox do NAT. In this case the change on your network would be minimal. You would need to add a network route on your Firebox.

Please note that the Firebox, depending on model, sometimes supports a limited number of users; if so, please check that your current devices do not exceed the allowed user count [if applicable]; otherwise you would need to provision additional licenses. Having the Windows server do NAT, you only consume a single user license, but then you lose the logging/reporting facilities on the Firebox.

Thank you.
 
LVL 2

Author Comment by: SonicVoom
The firebox's trusted network is currently 192.168.11.x. The NAT'd SBS network is 192.168.16.x. Either way that you suggest, I'll need these to be the same, correct?

If I'm understanding this correctly, I'll change the Firebox trusted network to 192.168.16.x. Would I need to make a subnet (to be assigned by the SBS DHCP) so I can create the route to the ID of that subnet (which would be set to the SBS WAN nic)?
 
LVL 2

Author Comment by: SonicVoom
I did some reading and I understand more now. I need to disable NAT on the SBS server, and create a route on the Firebox from 192.168.11.6 (SBS WAN IP) to 192.168.16.0/24.

Is that all? Could it really be so simple?

I tested this by adding another router to the network as 192.168.11.9 and set a route of 192.168.11.9 to 192.168.5.0/24, and the two IPs behind it are showing in the Firebox logs.

So I've proven my concept, but I'd like to know... what I don't know.

Thanks
 
LVL 32

Expert Comment by: dpk_wal
Yes, you need to disable NAT on SBS and add a route on your Firebox, and you would be done.

The other thing, as you mentioned: if you wish, you can configure the WG on IP subnet 192.168.16.x, but then you would additionally need to change the default gateway on your machines to the WG internal IP for best results.

Please let me know if you need more details.

Thank you.
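As an added illustration (not part of the thread, and not WatchGuard or SBS code), a small Python model of the two designs discussed above: it traces one outbound packet from a workstation and its reply, showing which source address the Firebox logs in each design and why the static route for 192.168.16.0/24 via 192.168.11.6 is what keeps the return path working once NAT on SBS is disabled. The subnets and the SBS WAN IP are the thread's own; the workstation address 192.168.16.20 and the Internet destination 203.0.113.10 are constructed.

```python
# Added example: a model of SBS-does-NAT versus SBS-routes-and-Firebox-has-a-route.
# Addresses from the thread: trusted 192.168.11.0/24, SBS WAN 192.168.11.6,
# SBS LAN 192.168.16.0/24.  Workstation and Internet host are constructed.
import ipaddress

TRUSTED = ipaddress.ip_network("192.168.11.0/24")
SBS_LAN = ipaddress.ip_network("192.168.16.0/24")
SBS_WAN = ipaddress.ip_address("192.168.11.6")
WORKSTATION = ipaddress.ip_address("192.168.16.20")   # constructed
INTERNET_HOST = ipaddress.ip_address("203.0.113.10")  # constructed (TEST-NET-3)


def firebox_next_hop(dst, extra_routes):
    """Longest-prefix lookup on the Firebox's trusted side: the directly
    connected trusted subnet plus any static routes the admin added.
    Returns the next hop, or None when nothing matches (packet dropped)."""
    best = None
    for net, hop in [(TRUSTED, "direct")] + extra_routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def simulate(sbs_nat, firebox_routes):
    """Send WORKSTATION -> INTERNET_HOST through SBS and the Firebox, then
    trace the reply back.  Returns (source the Firebox logs, reply delivered)."""
    # Outbound: SBS either rewrites the source to its WAN IP (NAT) or routes
    # the packet unchanged, so the Firebox log shows one address or many.
    src_seen_by_firebox = SBS_WAN if sbs_nat else WORKSTATION
    # Return path: the Firebox must route the reply to whatever source it saw.
    # 192.168.11.6 is directly connected; 192.168.16.20 needs the static route.
    hop = firebox_next_hop(src_seen_by_firebox, firebox_routes)
    return str(src_seen_by_firebox), hop is not None


def current_design():
    """SBS does NAT, Firebox has no extra route: one logged source, replies OK."""
    return simulate(sbs_nat=True, firebox_routes=[])


def nat_disabled_without_route():
    """NAT off but the route forgotten: per-host logging, but replies are dropped."""
    return simulate(sbs_nat=False, firebox_routes=[])


def proposed_design():
    """NAT off and static route 192.168.16.0/24 via 192.168.11.6: both work."""
    return simulate(sbs_nat=False, firebox_routes=[(SBS_LAN, str(SBS_WAN))])
```

The middle case is the one to check for before flipping NAT off on the server: add the route on the Firebox first, then disable NAT, so no reply is ever dropped.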
 
LVL 2

Author Comment by: SonicVoom
If I create the route to 192.168.16.0/24 at gateway 192.168.11.6 before disabling NAT on 192.168.11.6, is there any reason why traffic could be interrupted? Nothing on the 192.168.11.x network will be attempting to communicate with the 192.168.16.x network yet, so no packets would be directed along that route. But what would happen if some were? I assume the packets would simply be dropped?

Is there any way that I could route packets from a specified 11.x IP address (my vpn IP) while continuing to perform NAT for all other traffic?
 
LVL 32

Expert Comment by: dpk_wal
If you add the route and your SBS still does NAT, there would be NO harm.
Even if somehow the WG receives a packet from the 16.x network, it would do the necessary NAT [as needed] and finally forward it to your SBS. Whether your SBS then drops or forwards the packet remains to be seen, and I cannot comment.

>> route packets from a specified 11.x IP address (my vpn IP) while continuing to perform NAT for all other traffic?
Route packets to which destination, and which device does NAT for all other traffic? What is this "all other traffic"? Provide more details so I can answer this question.

Thank you.
 
LVL 2

Author Comment by: SonicVoom
I mean, could I keep NAT active on the server, but allow a single IP address on the 11.x network (outside of the lan/server) access through the server (to the 16.x network) as though NAT were disabled?
 
LVL 32

Expert Comment by: dpk_wal
As the 16.x network is behind SBS, none of the devices on the 11.x network knows that NAT exists. For them, SBS is sending traffic to a different host on the 11.x subnet or to the outside world.
If you wish any device on 11.x to connect to any machine on the 16.x network, you would need to configure destination NAT on SBS. Using the 11.x IP of SBS or any other free IP on the 11.x subnet, the other machine on the 11.x subnet would send the packet; SBS would do NAT and then send the packet on to the correct machine on the 16.x network.

Thank you.