Solved

1 to 1 NAT question

Posted on 2013-02-01
13
414 Views
Last Modified: 2013-02-05
Simple question here. If I one to one NAT my servers am I basically bypassing the firewall? I have 6 static IP from my ISP that I am wanting to set up for multiple web servers, as well as email server. I am having all kinds of problems trying to get it working correctly. I am trying to set up a watchguard device, but if they are not going to be protected, I will just scrap the ideal and set up firewalls on them, and scrap the security appliance.
0
Comment
Question by:ITmanage
  • 10
  • 2
13 Comments
 
LVL 16

Accepted Solution

by:
choward16980 earned 500 total points
ID: 38845365
This was tested on my watchguard 550e using Fireware 11 and Policy Manager 11.6.3 U1

You don't want 1:1 NAT

For the websites:

-open WSM.
-open Policy Manger.
-click Network
-click Configuration
-on interfaces tab, click External
-click configure
-click secondary tab on interface settings
-add your six static IPs
-click ok and ok again to get back to policy manager.
-click edit
-click add Policy
-expand proxies
-highlight http(or https) and click Add  -(if both, repeat same steps for https and http to  create two separate rules)
-on the from, leave any-external and remove any trusted
-in the To box, remove any-external and click add
-click add NAT
-select from the list of external ips and assign them to your internals  (self explanatory)
-click Ok, Ok and close.  
-save config

Do this first, report back and I'll give you the step by step for SMTP proxy.  (it requires a little tweaking)
0
 
LVL 5

Expert Comment

by:jake77444
ID: 38845367
Do you have a router to route the traffic?  I wouldn't scrap the hardware firewall but yes it is possible depending on the equipment but not best practice.

In my opinion you may be better off troubleshooting the issue with the security appliance.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38845380
EDIT on my comment above.
-on the from, leave any-external and remove any trusted  (any trusted may not be there)
-in the To box, remove any-external and click add  (it should say none, in which case skip this step)



And please, don't sub a watchguard for a software firewall.  That's like swapping a SWAT captain for Paul Blart.
0
 

Author Comment

by:ITmanage
ID: 38845398
choward16980 I have with no dice. I can get out, but not in. I let ping access, and can ping the IP address I used for the WAN interface, but nothing else. Thanks Jake.
0
 

Author Comment

by:ITmanage
ID: 38845406
haha choward!
0
 

Author Comment

by:ITmanage
ID: 38845415
figure1
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 

Author Comment

by:ITmanage
ID: 38845420
figure2
figure2.jpg
0
 

Author Comment

by:ITmanage
ID: 38845422
figure1
figure1.jpg
0
 

Author Comment

by:ITmanage
ID: 38845426
figure3
figure3.jpg
0
 

Author Comment

by:ITmanage
ID: 38845431
figure4
figure4.jpg
0
 

Author Comment

by:ITmanage
ID: 38845435
figure5...this is for the webserver 192.168.20.223, not the email 192.168.20.13, but same I have done the same for both
figure5.jpg
0
 

Author Comment

by:ITmanage
ID: 38845443
I attached the config file.
XTM-2-Series.xml
0
 

Author Closing Comment

by:ITmanage
ID: 38855089
You were correct, as I assumed you were, but still couldn't get it to work. After extensive logging, I found there was managed switch issue. Thanks again.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Configuring network clients can be a chore, especially if there are a large number of them or a lot of itinerant users.  DHCP dynamically manages this process, much to the relief of users and administrators alike!
Viewers will learn how to properly install and use Secure Shell (SSH) to work on projects or homework remotely. Download Secure Shell: Follow basic installation instructions: Open Secure Shell and use "Quick Connect" to enter credentials includi…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now