Use Firebox logging with SBS 2003 network

I'm working out a better configuration for the network in our office.

Currently, a Firebox x20e in mixed routing mode sits between the cable modem and the WAN port of the Windows server. The server's LAN port connects to the office network: workstations, printers and a few misc. Workers commonly connect to their desktops via RWW.

In particular, I want to take advantage of the Firebox's logging features. It is currently quite limited, as the LAN traffic is all NAT'd through the server, so there is only one IP source for all internal traffic.

Will I need to modify the network so that the Firebox is the gateway? Is there some way of exposing the LAN to the Firebox through the Windows server?
SonicVoom asked:
dpk_wal commented:
It would be preferable to have the Firebox do NAT, either directly, by making a change on the servers to send traffic to the Firebox,
or by configuring your Windows server to route traffic rather than NAT and then having the Firebox do NAT. In this case the change to your network would be minimal. You would need to add a network route on your Firebox.

Please note that the Firebox, depending on model, sometimes supports only a limited number of users; if so, please check that your current devices do not exceed the allowed user count [if applicable]; otherwise you would need to provision additional licenses. Having the Windows server do NAT, you only consume a single user license, but then you lose the logging/reporting facilities on the Firebox.

Thank you.
SonicVoom (author) commented:
The Firebox's trusted network is currently 192.168.11.x. The NAT'd SBS network is 192.168.16.x. Either way that you suggest, I'll need these to be the same, correct?

If I'm understanding this correctly, I'll change the Firebox trusted network to 192.168.16.x. Would I need to make a subnet (to be assigned by the SBS DHCP) so I can create the route to the ID of that subnet (which would be set to the SBS WAN NIC)?
SonicVoom (author) commented:
I did some reading and I understand more now. I need to disable NAT on the SBS server, and create a route on the Firebox from 192.168.11.6 (SBS WAN IP) to 192.168.16.0/24.

Is that all? Could it really be so simple?

I tested this by adding another router to the network as 192.168.11.9 and setting a route of 192.168.11.9 to 192.168.5.0/24, and the two IPs behind it are showing in the Firebox logs.

So I've proven my concept, but I'd like to know... what I don't know.

Thanks
dpk_wal commented:
Yes, you need to disable NAT on SBS and add a route on your Firebox, and you would be done.

The other thing, as you mentioned: if you wish, you can configure the WG on IP subnet 192.168.16.x, but then you would additionally need to change the default gateway on your machine to the WG internal IP for best results.

Please let me know if you need more details.

Thank you.
SonicVoom (author) commented:
If I create the route to 192.168.16.0/24 at gateway 192.168.11.6 before disabling NAT on 192.168.11.6, is there any reason why traffic could be interrupted? Nothing on the 192.168.11.x network will be attempting to communicate with the 192.168.16.x network yet, so no packets would be directed along that route. But what would happen if some were? I assume the packets would simply be dropped?

Is there any way that I could route packets from a specified 11.x IP address (my VPN IP) while continuing to perform NAT for all other traffic?
dpk_wal commented:
If you add the route and your SBS still does NAT, there would be NO harm.
Even if somehow the WG receives a packet from the 16.x network, it would do the necessary NAT [as needed] and finally forward it to your SBS. Here, whether your SBS drops or forwards the packet remains to be seen, and I cannot comment.

>> route packets from a specified 11.x IP address (my vpn IP) while continuing to perform NAT for all other traffic?
Route packets to which destination? And which device does NAT for all other traffic? What is this "all other traffic"? Provide more details so I can answer this question.

Thank you.
SonicVoom (author) commented:
I mean, could I keep NAT active on the server, but allow a single IP address on the 11.x network (outside of the LAN/server) access through the server (to the 16.x network) as though NAT were disabled?
dpk_wal commented:
As the 16.x network is behind SBS, none of the devices on the 11.x network has any knowledge that NAT exists. For them, SBS is sending traffic to a different host on the 11.x subnet or to the outside world.
If you wish any device on 11.x to connect to any other machine on the 16.x network, you would need to configure destination NAT on SBS. Using the 11.x IP of SBS or any other free IP on the 11.x subnet, the other machine on the 11.x subnet would send the packet; SBS would do NAT and forward the packet on to the correct machine on the 16.x network.

Thank you.
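The thread's two designs (SBS doing NAT versus SBS routing with a static route on the Firebox), the author's proof-of-concept route test, and the destination-NAT answer above can all be seen in one small model. The Python below is an added example, not code from the thread, from WatchGuard or from Microsoft: it reproduces why NAT on the server collapses every internal host into one logged source, what the static route `192.168.16.0/24 via 192.168.11.6` changes in the Firebox's forwarding decision, and what a DNAT entry on SBS does for the "keep NAT, reach one 16.x host" case. The 192.168.11.x / 192.168.16.x addresses and 192.168.11.6 are the thread's own; the external gateway 203.0.113.1, the sample flows, the RDP-style DNAT entry and the function names are constructed for the example.

```python
# Added example (not the thread's, WatchGuard's or Microsoft's code): a model of
# what the Firebox logs and routes when SBS does NAT versus when it routes.
# 192.168.11.0/24 = Firebox trusted network, 192.168.16.0/24 = SBS LAN,
# 192.168.11.6 = SBS WAN NIC (all from the thread). 203.0.113.1, the host
# addresses in SAMPLE_FLOWS and the DNAT entry are constructed placeholders.
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, Optional[str]]  # (prefix, interface, next hop)

SBS_WAN_IP = "192.168.11.6"
LAN_NET = ipaddress.ip_network("192.168.16.0/24")
EXTERNAL_GW = "203.0.113.1"  # constructed placeholder for the ISP-side gateway

# Firebox routing table before and after adding the static route the thread settles on.
FIREBOX_ROUTES_BEFORE: List[Route] = [
    (ipaddress.ip_network("192.168.11.0/24"), "trusted", None),    # directly connected
    (ipaddress.ip_network("0.0.0.0/0"), "external", EXTERNAL_GW),  # default route
]
FIREBOX_ROUTES_AFTER: List[Route] = FIREBOX_ROUTES_BEFORE + [
    (LAN_NET, "trusted", SBS_WAN_IP),  # 192.168.16.0/24 via 192.168.11.6
]

# Constructed outbound LAN flows: (source host on the SBS LAN, destination).
SAMPLE_FLOWS = [
    ("192.168.16.20", "198.51.100.10"),
    ("192.168.16.21", "198.51.100.10"),
    ("192.168.16.50", "198.51.100.44"),
    ("192.168.16.20", "198.51.100.44"),
]


def firebox_next_hop(table: List[Route], dst: str) -> Tuple[str, Optional[str]]:
    """Longest-prefix match over the Firebox table; returns (interface, next hop).

    A next hop of None means the destination is directly connected.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface, nexthop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nexthop)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1], best[2]


def sbs_outbound(src: str, dst: str, nat_enabled: bool) -> Tuple[str, str]:
    """SBS handling a LAN packet headed out of its WAN NIC.

    With NAT on, the source is rewritten to the server's WAN address, which is
    why the Firebox only ever sees one internal source. With NAT off (plain
    routing) the original 192.168.16.x source survives to the Firebox log.
    """
    if nat_enabled:
        return SBS_WAN_IP, dst
    return src, dst


def firebox_logged_sources(flows: Iterable[Tuple[str, str]], nat_enabled: bool) -> List[str]:
    """Distinct source addresses the Firebox would record for the given flows."""
    seen = {sbs_outbound(s, d, nat_enabled)[0] for s, d in flows}
    return sorted(seen, key=ipaddress.ip_address)


# Destination NAT on SBS for the "keep NAT, but reach one 16.x host" case:
# (WAN-side destination, port) -> (internal host, port). Constructed entry.
SBS_DNAT: Dict[Tuple[str, int], Tuple[str, int]] = {
    (SBS_WAN_IP, 3389): ("192.168.16.10", 3389),
}


def sbs_inbound(dst: str, port: int) -> Optional[Tuple[str, int]]:
    """Where SBS delivers a packet arriving on its WAN NIC while NAT is active.

    Returns the rewritten (host, port) when a DNAT rule matches, otherwise
    None: with NAT on, an 11.x host cannot address a 16.x host directly, so an
    unmatched packet is not forwarded into the LAN.
    """
    return SBS_DNAT.get((dst, port))


if __name__ == "__main__":
    print("logged sources, SBS doing NAT:", firebox_logged_sources(SAMPLE_FLOWS, True))
    print("logged sources, SBS routing:  ", firebox_logged_sources(SAMPLE_FLOWS, False))
    # Reply traffic for a LAN host: without the static route it would follow the default route.
    print("reply to 192.168.16.20, before route:", firebox_next_hop(FIREBOX_ROUTES_BEFORE, "192.168.16.20"))
    print("reply to 192.168.16.20, after route: ", firebox_next_hop(FIREBOX_ROUTES_AFTER, "192.168.16.20"))
    print("11.x host -> 192.168.11.6:3389 with NAT on:", sbs_inbound(SBS_WAN_IP, 3389))
```

Running it shows the first answer's point directly: with NAT on, every flow is logged as 192.168.11.6; with NAT off, the three LAN hosts appear individually, exactly as the author's 192.168.5.0/24 test showed. The routing-table lookup also shows why the static route is needed once NAT is off: before it exists, a reply addressed to 192.168.16.20 matches only the default route and would be sent out the external interface. The model is deliberately stateless; a real NAT tracks connections and rewrites replies back, but that does not change which source address reaches the log.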