1 to 1 NAT question

Simple question here. If I one-to-one NAT my servers, am I basically bypassing the firewall? I have 6 static IPs from my ISP that I want to set up for multiple web servers, as well as an email server. I am having all kinds of problems trying to get it working correctly. I am trying to set up a WatchGuard device, but if the servers are not going to be protected, I will just scrap the idea, set up firewalls on them, and scrap the security appliance.
Asked by: ITmanage
1 Solution
 
Chris H (Infrastructure Manager) commented:
This was tested on my watchguard 550e using Fireware 11 and Policy Manager 11.6.3 U1

You don't want 1:1 NAT

For the websites:

-open WSM.
-open Policy Manager.
-click Network
-click Configuration
-on the Interfaces tab, click External
-click Configure
-click the Secondary tab on interface settings
-add your six static IPs
-click OK and OK again to get back to Policy Manager.
-click Edit
-click Add Policy
-expand Proxies
-highlight HTTP (or HTTPS) and click Add (if both, repeat the same steps for HTTPS and HTTP to create two separate rules)
-on the From, leave any-external and remove any-trusted
-in the To box, remove any-external and click Add
-click Add NAT
-select from the list of external IPs and assign them to your internals (self explanatory)
-click OK, OK and Close.
-save config

Do this first, report back and I'll give you the step by step for SMTP proxy.  (it requires a little tweaking)
 
jake77444 commented:
Do you have a router to route the traffic? I wouldn't scrap the hardware firewall, but yes, it is possible depending on the equipment, although it is not best practice.

In my opinion you may be better off troubleshooting the issue with the security appliance.
 
Chris H (Infrastructure Manager) commented:
EDIT on my comment above.
-on the From, leave any-external and remove any-trusted (any-trusted may not be there)
-in the To box, remove any-external and click Add (it should say None, in which case skip this step)

And please, don't sub a watchguard for a software firewall.  That's like swapping a SWAT captain for Paul Blart.
 
ITmanage (Author) commented:
choward16980, I have, with no dice. I can get out, but not in. I allowed ping access, and can ping the IP address I used for the WAN interface, but nothing else. Thanks, Jake.
 
ITmanage (Author) commented:
haha choward!
 
ITmanage (Author) commented:
figure1
 
ITmanage (Author) commented:
figure2
figure2.jpg
 
ITmanage (Author) commented:
figure1
figure1.jpg
 
ITmanage (Author) commented:
figure3
figure3.jpg
 
ITmanage (Author) commented:
figure4
figure4.jpg
 
ITmanage (Author) commented:
figure5... this is for the web server 192.168.20.223, not the email server 192.168.20.13, but I have done the same for both.
figure5.jpg
 
ITmanage (Author) commented:
I attached the config file.
XTM-2-Series.xml
 
ITmanage (Author) commented:
You were correct, as I assumed you were, but I still couldn't get it to work. After extensive logging, I found there was a managed switch issue. Thanks again.