rmj6969
asked on
Firebox X Edge NAT issue
Trying to configure a NAT on a Watchguard Firebox X Edge v7.5. We need to allow an external IP to see an internal/trusted IP to allow printing over a WiFi connection. We have set the filter rule on the firewall; however, the connection is not working, nor can we telnet to the address from the wireless connection on port 9100.
Please see attachment for current setup
I guess we need to know if this device can even do what we are asking, if so, then what we are missing or doing wrong. Thanks in advance.
firebox001.jpg
firebox002.jpg
ASKER
Ok, here is the setup. We are on a hospital network (see attached image 004 for connection info). We are also on their wireless network, which is a different IP net. The hospital IT dept. has set up the wireless NET to see the 10.5.17.* NET that we connect to. So on our end we need to enable or allow the IPs they have given us for NATing to devices on our Trusted NET, for the wireless devices (laptops, etc.) to be able to print, see the server, etc.
We were asked to NAT the following:
10.5.17.46/16 > 192.168.1.201(server) port 443
10.5.17.47/16 > 192.168.1.30(fax server) port 443
10.5.17.48/16 > 192.168.1.230(printer) port 9100
The wireless NET (10.50.57.*) needs to be able to see the addresses above.
The wireless NET does see the External address of 10.5.17.50/16, we can telnet this and connect, but not the above addresses.
firebox003.jpg
firebox004.jpg
firebox005.jpg
ASKER
The Device is a Watchguard Firebox Edge 7.5
Build 19
Boot Rom - 7.2.1
Model X5
Please ensure that there is no blocked subnet 10.0.0.0/8 or 192.168.0.0/16 under Firewall->Blocked Sites.
Please note that as you are running the 7.5 version of WG software you cannot use more than one public IP address on the external interface.
You can only create an incoming service to allow inbound traffic on the IP of the external interface: 10.5.17.50. WG would not listen on other IP addresses and would not NAT the traffic to internal hosts on another IP address.
>> We were asked to NAT the following:
>> 10.5.17.46/16 > 192.168.1.201(server) port 443
>> 10.5.17.47/16 > 192.168.1.30(fax server) port 443
>> 10.5.17.48/16 > 192.168.1.230(printer) port 9100
Instead you can use the 10.5.17.50 IP and use different ports to forward traffic to the 192.168.1.0/24 subnet.
You would create a custom service. As per firebox001.jpg, change Allow from to either ANY or 10.5.0.0/16, or if you wish only specific machines then specify individual/range IPs of those hosts.
Please let me know if you need more details.
Thank you.
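A small model of the port-based forwarding the reply above describes, added here as an illustration and not code from the thread or from WatchGuard: every internal target gets its own external port on the single external IP 10.5.17.50, and the "Allow from" field is checked before forwarding. The addresses are the ones quoted in the thread; the conflict-resolution policy (move a clashing service to the next free port above 1024) and the sample wireless client 10.50.57.20 are assumptions.

```python
from ipaddress import ip_address, ip_network

# Values taken from the thread: one usable external IP and three internal targets.
EXTERNAL_IP = "10.5.17.50"
REQUESTED = [  # (internal host, internal port, description)
    ("192.168.1.201", 443, "server"),
    ("192.168.1.30", 443, "fax server"),
    ("192.168.1.230", 9100, "printer"),
]


def build_nat_table(requests, external_ip=EXTERNAL_IP):
    """Map each internal host:port to a distinct external port on one external IP.

    The first service to ask for a port keeps it; a later service that would
    need the same external port (both 443 services here) is moved to the next
    free port above 1024. This policy is an assumption, not WatchGuard's.
    """
    table = {}  # external port -> (internal ip, internal port, description)
    next_free = 1025
    for host, port, name in requests:
        ext_port = port
        while ext_port in table:  # 10.5.17.50:443 can only point at one host
            ext_port = next_free
            next_free += 1
        table[ext_port] = (host, port, name)
    return table


def allowed_source(src_ip, allow_from):
    """Mimic the 'Allow from' field: the word ANY or a CIDR such as 10.5.0.0/16."""
    if allow_from.upper() == "ANY":
        return True
    return ip_address(src_ip) in ip_network(allow_from, strict=False)


def forward(table, src_ip, dst_ip, dst_port, allow_from="ANY"):
    """Return the internal (ip, port) a packet is forwarded to, or None if dropped."""
    if dst_ip != EXTERNAL_IP or dst_port not in table:
        return None  # other external IPs are not listened on at all
    if not allowed_source(src_ip, allow_from):
        return None
    host, port, _ = table[dst_port]
    return (host, port)


if __name__ == "__main__":
    nat = build_nat_table(REQUESTED)
    for ext_port, (host, port, name) in sorted(nat.items()):
        print(f"{EXTERNAL_IP}:{ext_port} -> {host}:{port}  ({name})")
    # Constructed wireless client printing through the forwarded port:
    print(forward(nat, "10.50.57.20", EXTERNAL_IP, 9100))
    # Same client with Allow from = 10.5.0.0/16: the wireless net is not inside it.
    print(forward(nat, "10.50.57.20", EXTERNAL_IP, 9100, allow_from="10.5.0.0/16"))
```

Note that the wireless range quoted in the thread (10.50.57.*) lies outside 10.5.0.0/16, so the narrower "Allow from" choice would drop the wireless clients while ANY admits them; the model makes that visible.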
ASKER
Can you give me an example of what you mean below:
Instead you can use the 10.5.17.50 IP and use different ports to forward traffic to the 192.168.1.0/24 subnet.
You would create a custom service. As per firebox001.jpg, change Allow from to either ANY or 10.5.0.0/16, or if you wish only specific machines then specify individual/range IPs of those hosts.
ASKER CERTIFIED SOLUTION
ASKER
Hi,
So ever since I configured the router in the way you explained, all devices are able to be connected to, except now a PC that had RDP cannot be connected to. We cannot RDP to only one PC, which does have a rule in the router for RDP; I also cannot telnet into it using port 3389. I can however RDP into any other PC including the server. This is all on the local area network. I have checked the PC in question, firewall, etc. and nothing has changed. It seems to be a coincidence that this is happening, but I thought to ask if you had any insight into the matter. The RDP rule on the router for this PC is:
Port used: 3389
Allow IP 192.168.1.10 from ANY(10.5.17.50)
If you have, say, optional and trusted networks, with 10.5.17.48/16 being on optional, then this should work.
Please give some details on the setup.
Thank you.