Solved

1 to 1 NAT question

Posted on 2013-02-01
418 Views
Last Modified: 2013-02-05
Simple question here. If I one-to-one NAT my servers, am I basically bypassing the firewall? I have 6 static IPs from my ISP that I am wanting to set up for multiple web servers, as well as an email server. I am having all kinds of problems trying to get it working correctly. I am trying to set up a WatchGuard device, but if they are not going to be protected, I will just scrap the idea and set up firewalls on them, and scrap the security appliance.
0
Comment
Question by:ITmanage
13 Comments
 
LVL 16

Accepted Solution

by: choward16980 earned 500 total points
ID: 38845365
This was tested on my watchguard 550e using Fireware 11 and Policy Manager 11.6.3 U1

You don't want 1:1 NAT

For the websites:

-open WSM.
-open Policy Manager.
-click Network
-click Configuration
-on interfaces tab, click External
-click configure
-click secondary tab on interface settings
-add your six static IPs
-click ok and ok again to get back to policy manager.
-click edit
-click add Policy
-expand proxies
-highlight http (or https) and click Add (if both, repeat the same steps for https and http to create two separate rules)
-on the from, leave any-external and remove any trusted
-in the To box, remove any-external and click add
-click add NAT
-select from the list of external IPs and assign them to your internals (self-explanatory)
-click Ok, Ok and close.  
-save config

Do this first, report back and I'll give you the step-by-step for the SMTP proxy. (it requires a little tweaking)
0
 
LVL 5

Expert Comment

by:jake77444
ID: 38845367
Do you have a router to route the traffic? I wouldn't scrap the hardware firewall, but yes, it is possible depending on the equipment, but it is not best practice.

In my opinion you may be better off troubleshooting the issue with the security appliance.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38845380
EDIT on my comment above.
-on the from, leave any-external and remove any trusted (any trusted may not be there)
-in the To box, remove any-external and click add (it should say none, in which case skip this step)



And please, don't sub a WatchGuard for a software firewall. That's like swapping a SWAT captain for Paul Blart.
0
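The accepted solution (and its edit above) builds one proxy policy per service, each carrying its own static NAT to the internal host, rather than a 1:1 NAT of the whole public address. The toy model below is an added illustration written for this thread; it is not WatchGuard code, not the poster's XTM configuration, and not a description of Fireware's internal packet order. It models the generic stateful-firewall rule that destination NAT only rewrites where a packet is going and a policy must still permit the translated flow (default deny). The public addresses 203.0.113.x and the source 198.51.100.7 are constructed documentation addresses; the internal hosts 192.168.20.223 and 192.168.20.13 are the ones the poster named; policy names are my labels.

```python
"""Toy model of inbound handling on a NAT-ing firewall (added example, not WatchGuard code).

Order modelled: destination NAT first, then policy lookup, default deny.
Public addresses (203.0.113.x, 198.51.100.x) are constructed documentation values.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY_PORT: Optional[FrozenSet[int]] = None  # marker for a 1:1-style rule that maps every port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class NatRule:
    external: str                    # address configured on the external interface
    internal: str                    # server behind the firewall
    ports: Optional[FrozenSet[int]]  # None = every port (1:1 style), else per-service static NAT


@dataclass(frozen=True)
class Policy:
    name: str
    to_host: str            # internal address the policy points at
    ports: FrozenSet[int]   # service ports the proxy/packet filter carries


def translate(pkt: Packet, nat_rules: List[NatRule]) -> Packet:
    """Apply the first matching destination NAT rule; otherwise leave the packet untouched."""
    for rule in nat_rules:
        if pkt.dst == rule.external and (rule.ports is None or pkt.dport in rule.ports):
            return Packet(pkt.src, rule.internal, pkt.dport)
    return pkt


def decide(pkt: Packet, nat_rules: List[NatRule], policies: List[Policy]) -> Tuple[str, str]:
    """Return (verdict, destination after NAT). Nothing is forwarded unless a policy allows it."""
    after = translate(pkt, nat_rules)
    for pol in policies:
        if after.dst == pol.to_host and after.dport in pol.ports:
            return "allow:" + pol.name, after.dst
    return "deny", after.dst


# Per-service policies in the shape of the accepted solution: one proxy policy per protocol.
POLICIES = [
    Policy("HTTP-proxy", "192.168.20.223", frozenset({80})),
    Policy("HTTPS-proxy", "192.168.20.223", frozenset({443})),
    Policy("SMTP-proxy", "192.168.20.13", frozenset({25})),
]

# Two ways of mapping the same public addresses (constructed values).
PER_SERVICE_NAT = [
    NatRule("203.0.113.10", "192.168.20.223", frozenset({80, 443})),
    NatRule("203.0.113.11", "192.168.20.13", frozenset({25})),
]
ONE_TO_ONE_NAT = [
    NatRule("203.0.113.10", "192.168.20.223", ANY_PORT),
    NatRule("203.0.113.11", "192.168.20.13", ANY_PORT),
]


def compare(dport: int, external: str = "203.0.113.10") -> Tuple[str, str]:
    """Verdict for one inbound port under per-service NAT vs 1:1-style NAT, same policies."""
    pkt = Packet("198.51.100.7", external, dport)
    return (decide(pkt, PER_SERVICE_NAT, POLICIES)[0],
            decide(pkt, ONE_TO_ONE_NAT, POLICIES)[0])


def with_catch_all(dport: int) -> Tuple[str, str]:
    """Same comparison after an over-broad 'any port to the web host' policy has been added."""
    loose = POLICIES + [Policy("Any-to-web", "192.168.20.223", frozenset(range(1, 65536)))]
    pkt = Packet("198.51.100.7", "203.0.113.10", dport)
    return (decide(pkt, PER_SERVICE_NAT, loose)[0],
            decide(pkt, ONE_TO_ONE_NAT, loose)[0])


if __name__ == "__main__":
    for port in (80, 443, 22, 3389):
        print(port, "tight policies:", compare(port), "with catch-all:", with_catch_all(port))
```

With only the per-service policies, both NAT styles give the same verdicts: port 80 and 443 reach the web server, everything else is denied, so NAT by itself is not "bypassing the firewall" in this model. The difference shows up in `with_catch_all`: under the 1:1-style rule the packet is already pointed at the internal host when the policy lookup happens, so a single over-broad policy exposes every port, whereas the per-service rule never translates port 22 in the first place. That is the practical reason to tie each static NAT to the service policy that needs it and to keep the policy set tight.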
 

Author Comment

by:ITmanage
ID: 38845398
choward16980, I have tried, with no dice. I can get out, but not in. I allowed ping access, and can ping the IP address I used for the WAN interface, but nothing else. Thanks Jake.
0
 

Author Comment

by:ITmanage
ID: 38845406
haha choward!
0
 

Author Comment

by:ITmanage
ID: 38845415
figure1
0
 

Author Comment

by:ITmanage
ID: 38845420
figure2
figure2.jpg
0
 

Author Comment

by:ITmanage
ID: 38845422
figure1
figure1.jpg
0
 

Author Comment

by:ITmanage
ID: 38845426
figure3
figure3.jpg
0
 

Author Comment

by:ITmanage
ID: 38845431
figure4
figure4.jpg
0
 

Author Comment

by:ITmanage
ID: 38845435
figure5... this is for the webserver 192.168.20.223, not the email 192.168.20.13, but I have done the same for both
figure5.jpg
0
 

Author Comment

by:ITmanage
ID: 38845443
I attached the config file.
XTM-2-Series.xml
0
 

Author Closing Comment

by:ITmanage
ID: 38855089
You were correct, as I assumed you were, but I still couldn't get it to work. After extensive logging, I found there was a managed switch issue. Thanks again.
0
