use FireBox logging with SBS 2003 network

Posted on 2012-03-09
Last Modified: 2012-04-18
I'm working out a better configuration for the network in our office.

Currently, a Firebox x20e in mixed routing mode sits between the cable modem and the WAN port of the Windows server. The server's LAN port connects to the office network: workstations, printers and a few misc. Workers commonly connect to their desktops via RWW.

In particular, I want to take advantage of the Firebox's logging features. It is currently quite limited, as the LAN traffic is all NAT'd through the server, so there is only one IP source of internal traffic.

Will I need to modify the network so that the Firebox is the gateway? Is there some way of exposing the LAN to the firebox through the windows server?
Question by:SonicVoom
8 Comments
 
LVL 32

Accepted Solution

by:
dpk_wal earned 2000 total points
ID: 37706015
It would be preferable to have the Firebox do NAT, either directly, by making changes on the server to send traffic to the Firebox,
or by configuring your Windows server to route traffic rather than NAT and then having the Firebox do NAT. In this case the change to your network would be minimal. You would need to add a network route on your Firebox.

Please note that the Firebox, depending on model, sometimes supports a limited number of users; if so, please check that your current devices do not exceed the allowed user count [if applicable]; otherwise you would need to provision additional licenses. Having the Windows server do NAT, you only consume a single user license, but then you lose the logging/reporting facilities on the Firebox.

Thank you.
 
LVL 2

Author Comment

by:SonicVoom
ID: 37712148
The firebox's trusted network is currently 192.168.11.x. The NAT'd SBS network is 192.168.16.x. Either way that you suggest, I'll need these to be the same, correct?

If I'm understanding this correctly, I'll change the Firebox trusted network to 192.168.16.x.  Would I need to make a subnet (to be assigned by the SBS DHCP) so I can create the route to the ID of that subnet (which would be set to the SBS WAN nic)?
 
LVL 2

Author Comment

by:SonicVoom
ID: 37712492
I did some reading and I understand more now. I need to disable NAT on SBS server, and create a route on Firebox from 192.168.11.6 (SBS WAN IP) to 192.168.16.0/24.

Is that all? Could it really be so simple?

I tested this by adding another router to the network as 192.168.11.9 and set a route of 192.168.11.9 to 192.168.5.0/24, and the two IPs behind it are showing in the Firebox logs.

So I've proven my concept, but I'd like to know... what I don't know.

Thanks
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37712947
Yes, you need to disable NAT on the SBS and add a route on your Firebox, and you would be done.

The other thing, as you mentioned: if you wish, you can configure the WG on IP subnet 192.168.16.x, but then you would additionally need to change the default gateway on your machines to the WG internal IP for best results.

Please let me know if you need more details.

Thank you.
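An added illustration (not part of the thread, and not WatchGuard or SBS code): a small Python model of the two setups discussed above, showing why the Firebox log collapses every LAN host to 192.168.11.6 while the SBS does NAT, and why the static route 192.168.16.0/24 via 192.168.11.6 is needed once NAT is off. The workstation and external addresses are constructed samples.

```python
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Addresses named in the thread; workstation and external hosts are constructed samples.
SBS_WAN_IP = ip_address("192.168.11.6")     # SBS WAN NIC on the Firebox's trusted network
LAN = ip_network("192.168.16.0/24")         # office network NAT'd/routed behind the SBS
TRUSTED = ip_network("192.168.11.0/24")     # Firebox trusted network
INTERNET_HOST = ip_address("203.0.113.50")  # constructed external address (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address


def sbs_forward(pkt: Packet, nat_enabled: bool) -> Packet:
    """Forward a LAN packet toward the Firebox. With NAT on, every LAN
    source is rewritten to the server's WAN address, so the Firebox log
    collapses the whole office to one IP. With NAT off it is plain routing."""
    if pkt.src in LAN and nat_enabled:
        return replace(pkt, src=SBS_WAN_IP)
    return pkt


def firebox_log_sources(packets, nat_enabled: bool) -> set[str]:
    """Distinct source addresses the Firebox would log for this outbound traffic."""
    return {str(sbs_forward(p, nat_enabled).src) for p in packets}


def firebox_next_hop(dst, routes: dict[IPv4Network, IPv4Address]):
    """Longest-prefix match against the Firebox's static routes. Returns the
    next-hop address, 'direct' for the connected trusted subnet, or 'external'
    when nothing internal matches (traffic follows the default route out)."""
    dst = ip_address(dst)
    if dst in TRUSTED:
        return "direct"
    matches = [net for net in routes if dst in net]
    if not matches:
        return "external"
    return routes[max(matches, key=lambda n: n.prefixlen)]


# The route the thread settles on: 192.168.16.0/24 via the SBS WAN IP.
FIREBOX_ROUTES = {LAN: SBS_WAN_IP}
SAMPLE_OUTBOUND = [Packet(ip_address("192.168.16.10"), INTERNET_HOST),  # constructed
                   Packet(ip_address("192.168.16.11"), INTERNET_HOST)]
```

Without the route, the Firebox has no internal entry for 192.168.16.0/24 and reply traffic toward a LAN host would follow the default route instead of going back to the SBS.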
 
LVL 2

Author Comment

by:SonicVoom
ID: 37727107
If I create the route to 192.168.16.0/24 at gateway 192.168.11.6 before disabling NAT on 192.168.11.6, is there any reason why traffic could be interrupted? Nothing on the 192.168.11.x network will be attempting to communicate with the 192.168.16.x network yet, so no packets would be directed along that route. But what would happen if some were? I assume the packets would simply be dropped?

Is there any way that I could route packets from a specified 11.x IP address (my vpn IP) while continuing to perform NAT for all other traffic?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37732459
If you add the route and your SBS still does NAT, there would be NO harm.
Even if somehow the WG receives a packet from the 16.x network, it would do the necessary NAT [as needed] and finally forward it to your SBS. Here, whether your SBS drops or forwards the packet needs to be seen, and I cannot comment.

>> route packets from a specified 11.x IP address (my vpn IP) while continuing to perform NAT for all other traffic?
Route packets to which destination, and which device does NAT for all other traffic, and what is this all other traffic? Provide more details so I can answer this question.

Thank you.
 
LVL 2

Author Comment

by:SonicVoom
ID: 37739865
I mean, could I keep NAT active on the server, but allow a single IP address on the 11.x network (outside of the lan/server) access through the server (to the 16.x network) as though NAT were disabled?
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37740523
As the 16.x network is behind the SBS, none of the devices on the 11.x network has any knowledge that NAT exists. For them, the SBS is sending traffic to a different host on the 11.x subnet or to the outside world.
If you wish any device on 11.x to connect to any other machine on the 16.x network, you would need to configure destination NAT on the SBS. Using the 11.x IP of the SBS or any other free IP on the 11.x subnet, any other machine on the 11.x subnet would send the packet; the SBS would do NAT and further send the packet to the correct machine on the 16.x network.

Thank you.