?
Solved

1 to 1 NAT question

Posted on 2013-02-01
13
Medium Priority
?
425 Views
Last Modified: 2013-02-05
Simple question here. If I one to one NAT my servers am I basically bypassing the firewall? I have 6 static IP from my ISP that I am wanting to set up for multiple web servers, as well as email server. I am having all kinds of problems trying to get it working correctly. I am trying to set up a watchguard device, but if they are not going to be protected, I will just scrap the ideal and set up firewalls on them, and scrap the security appliance.
0
Comment
Question by:ITmanage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 2
13 Comments
 
LVL 16

Accepted Solution

by:
choward16980 earned 2000 total points
ID: 38845365
This was tested on my watchguard 550e using Fireware 11 and Policy Manager 11.6.3 U1

You don't want 1:1 NAT

For the websites:

-open WSM.
-open Policy Manger.
-click Network
-click Configuration
-on interfaces tab, click External
-click configure
-click secondary tab on interface settings
-add your six static IPs
-click ok and ok again to get back to policy manager.
-click edit
-click add Policy
-expand proxies
-highlight http(or https) and click Add  -(if both, repeat same steps for https and http to  create two separate rules)
-on the from, leave any-external and remove any trusted
-in the To box, remove any-external and click add
-click add NAT
-select from the list of external ips and assign them to your internals  (self explanatory)
-click Ok, Ok and close.  
-save config

Do this first, report back and I'll give you the step by step for SMTP proxy.  (it requires a little tweaking)
0
 
LVL 5

Expert Comment

by:jake77444
ID: 38845367
Do you have a router to route the traffic?  I wouldn't scrap the hardware firewall but yes it is possible depending on the equipment but not best practice.

In my opinion you may be better off troubleshooting the issue with the security appliance.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38845380
EDIT on my comment above.
-on the from, leave any-external and remove any trusted  (any trusted may not be there)
-in the To box, remove any-external and click add  (it should say none, in which case skip this step)



And please, don't sub a watchguard for a software firewall.  That's like swapping a SWAT captain for Paul Blart.
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 

Author Comment

by:ITmanage
ID: 38845398
choward16980 I have with no dice. I can get out, but not in. I let ping access, and can ping the IP address I used for the WAN interface, but nothing else. Thanks Jake.
0
 

Author Comment

by:ITmanage
ID: 38845406
haha choward!
0
 

Author Comment

by:ITmanage
ID: 38845415
figure1
0
 

Author Comment

by:ITmanage
ID: 38845420
figure2
figure2.jpg
0
 

Author Comment

by:ITmanage
ID: 38845422
figure1
figure1.jpg
0
 

Author Comment

by:ITmanage
ID: 38845426
figure3
figure3.jpg
0
 

Author Comment

by:ITmanage
ID: 38845431
figure4
figure4.jpg
0
 

Author Comment

by:ITmanage
ID: 38845435
figure5...this is for the webserver 192.168.20.223, not the email 192.168.20.13, but same I have done the same for both
figure5.jpg
0
 

Author Comment

by:ITmanage
ID: 38845443
I attached the config file.
XTM-2-Series.xml
0
 

Author Closing Comment

by:ITmanage
ID: 38855089
You were correct, as I assumed you were, but still couldn't get it to work. After extensive logging, I found there was managed switch issue. Thanks again.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question