use FireBox logging with SBS 2003 network

I'm working out a better configuration for the network in our office.

Currently, a Firebox x20e in mixed routing mode sits between the cable modem and the WAN port of the Windows server. The server's LAN port connects to the office network: workstations, printers and a few misc. devices. Workers commonly connect to their desktops via RWW.

In particular, I want to take advantage of the Firebox's logging features. It is currently quite limited, as the LAN traffic is all NAT'd through the server, so there is only one IP source of internal traffic.

Will I need to modify the network so that the Firebox is the gateway? Is there some way of exposing the LAN to the firebox through the windows server?
SonicVoom asked:
dpk_wal commented:
It would be preferable to have the Firebox do NAT, either directly, by making a change on the server to send traffic to the Firebox,
or by configuring your Windows server to route traffic rather than NAT and then having the Firebox do NAT. In this case the change to your network would be minimal. You would need to add a network route on your Firebox.

Please note that the Firebox, depending on model, sometimes supports a limited number of users; if so, please check that your current devices do not exceed the allowed user count [if applicable]; otherwise you would need to provision additional licenses. Having the Windows server do NAT, you only consume a single user license, but then you lose the logging/reporting facilities on the Firebox.

Thank you.
SonicVoom (author) commented:
The Firebox's trusted network is currently 192.168.11.x. The NAT'd SBS network is 192.168.16.x. Either way that you suggest, I'll need these to be the same, correct?

If I'm understanding this correctly, I'll change the Firebox trusted network to 192.168.16.x. Would I need to make a subnet (to be assigned by the SBS DHCP) so I can create the route to the ID of that subnet (which would be set to the SBS WAN NIC)?
SonicVoom (author) commented:
I did some reading and I understand more now. I need to disable NAT on the SBS server, and create a route on the Firebox from 192.168.11.6 (SBS WAN IP) to 192.168.16.0/24.

Is that all? Could it really be so simple?

I tested this by adding another router to the network as 192.168.11.9 and set a route of 192.168.11.9 to 192.168.5.0/24, and the two IPs behind it are showing in the Firebox logs.

So I've proven my concept, but I'd like to know... what I don't know.

Thanks
dpk_wal commented:
Yes, you need to disable NAT on SBS and add a route on your Firebox, and you would be done.

The other thing, as you mentioned: if you wish, you can configure the WG on the IP subnet 192.168.16.x, but then you would additionally need to change the default gateway on your machines to the WG internal IP for best results.

Please let me know if you need more details.

Thank you.
SonicVoom (author) commented:
If I create the route to 192.168.16.0/24 at gateway 192.168.11.6 before disabling NAT on 192.168.11.6, is there any reason why traffic could be interrupted? Nothing on the 192.168.11.x network will be attempting to communicate with the 192.168.16.x network yet, so no packets would be directed along that route. But what would happen if some were? I assume the packets would simply be dropped?

Is there any way that I could route packets from a specified 11.x IP address (my vpn IP) while continuing to perform NAT for all other traffic?
dpk_wal commented:
If you add the route and your SBS still does NAT, there would be NO harm.
Even if somehow the WG receives a packet from the 16.x network, it would do the necessary NAT [as needed] and finally forward it to your SBS. Here, whether your SBS drops or forwards the packet needs to be seen, and I cannot comment.

>> route packets from a specified 11.x IP address (my vpn IP) while continuing to perform NAT for all other traffic?
Route packets to which destination? Which device does NAT for all other traffic, and what is this other traffic? Provide more details so I can answer this question.

Thank you.
SonicVoom (author) commented:
I mean, could I keep NAT active on the server, but allow a single IP address on the 11.x network (outside of the LAN/server) access through the server (to the 16.x network) as though NAT were disabled?
dpk_wal commented:
As the 16.x network is behind SBS, none of the devices on the 11.x network has knowledge that NAT exists. For them, SBS is sending traffic to a different host on the 11.x subnet or to the outside world.
If you wish any device on 11.x to connect to any other machine on the 16.x network, you would need to configure destination NAT on SBS. Using the 11.x IP of SBS or any other free IP on the 11.x subnet, any other machine on the 11.x subnet would send the packet; SBS would do NAT and further send the packet to the correct machine on the 16.x network.

Thank you.
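As an added example that is not part of the thread, a small Python model of the two setups discussed above: it sanity-checks the Firebox static route 192.168.16.0/24 via 192.168.11.6, resolves the Firebox's next hop for replies to the LAN, and shows which source addresses the Firebox log would attribute traffic to with SBS doing NAT versus only routing. The constants and the simplified routing-table lookup are assumptions constructed from the addresses given in the thread, not the Firebox's or SBS's actual behaviour.

```python
import ipaddress

# Constructed from the thread: Firebox trusted side, SBS WAN NIC and the NAT'd LAN behind SBS.
TRUSTED_NET = ipaddress.ip_network("192.168.11.0/24")
SBS_WAN_IP = ipaddress.ip_address("192.168.11.6")
LAN_NET = ipaddress.ip_network("192.168.16.0/24")


def validate_static_route(trusted_net, route_net, gateway):
    """Sanity-check a 'route_net via gateway' entry before adding it on the Firebox.

    Returns a list of problems (empty means the route is sane): the gateway must be
    directly reachable on the trusted network, and the routed subnet must not overlap
    it, or trusted hosts could be steered through SBS by mistake.
    """
    trusted = ipaddress.ip_network(trusted_net)
    route = ipaddress.ip_network(route_net)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in trusted:
        problems.append(f"gateway {gw} is not on trusted network {trusted}")
    if route.overlaps(trusted):
        problems.append(f"route {route} overlaps trusted network {trusted}")
    return problems


def firebox_next_hop(dst_ip, static_routes):
    """Longest-prefix lookup in an assumed, simplified model of the Firebox routing table.

    static_routes maps network string -> gateway string. The trusted network is
    directly connected; a destination with no route goes out the external interface.
    """
    dst = ipaddress.ip_address(dst_ip)
    if dst in TRUSTED_NET:
        return "direct"
    matches = [(ipaddress.ip_network(n), gw) for n, gw in static_routes.items()
               if dst in ipaddress.ip_network(n)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else "external"


def attribute_log_sources(client_ips, sbs_does_nat):
    """Distinct source addresses the Firebox would log for traffic from LAN clients.

    With SBS doing NAT every 16.x host is masked behind the SBS WAN address; with SBS
    only routing (NAT disabled), each client's real address reaches the Firebox log.
    """
    seen = set()
    for ip in map(ipaddress.ip_address, client_ips):
        seen.add(str(SBS_WAN_IP) if ip in LAN_NET and sbs_does_nat else str(ip))
    return sorted(seen)
```

Calling `attribute_log_sources` with a few 192.168.16.x clients and `sbs_does_nat=True` collapses them all to 192.168.11.6, which is exactly the "only one IP source of internal traffic" limitation the question describes; with `False` each client is attributable.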