Solved

1 to 1 NAT question

Posted on 2013-02-01
13
422 Views
Last Modified: 2013-02-05
Simple question here. If I one to one NAT my servers am I basically bypassing the firewall? I have 6 static IP from my ISP that I am wanting to set up for multiple web servers, as well as email server. I am having all kinds of problems trying to get it working correctly. I am trying to set up a watchguard device, but if they are not going to be protected, I will just scrap the ideal and set up firewalls on them, and scrap the security appliance.
0
Comment
Question by:ITmanage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 2
13 Comments
 
LVL 16

Accepted Solution

by:
choward16980 earned 500 total points
ID: 38845365
This was tested on my watchguard 550e using Fireware 11 and Policy Manager 11.6.3 U1

You don't want 1:1 NAT

For the websites:

-open WSM.
-open Policy Manger.
-click Network
-click Configuration
-on interfaces tab, click External
-click configure
-click secondary tab on interface settings
-add your six static IPs
-click ok and ok again to get back to policy manager.
-click edit
-click add Policy
-expand proxies
-highlight http(or https) and click Add  -(if both, repeat same steps for https and http to  create two separate rules)
-on the from, leave any-external and remove any trusted
-in the To box, remove any-external and click add
-click add NAT
-select from the list of external ips and assign them to your internals  (self explanatory)
-click Ok, Ok and close.  
-save config

Do this first, report back and I'll give you the step by step for SMTP proxy.  (it requires a little tweaking)
0
 
LVL 5

Expert Comment

by:jake77444
ID: 38845367
Do you have a router to route the traffic?  I wouldn't scrap the hardware firewall but yes it is possible depending on the equipment but not best practice.

In my opinion you may be better off troubleshooting the issue with the security appliance.
0
 
LVL 16

Expert Comment

by:choward16980
ID: 38845380
EDIT on my comment above.
-on the from, leave any-external and remove any trusted  (any trusted may not be there)
-in the To box, remove any-external and click add  (it should say none, in which case skip this step)



And please, don't sub a watchguard for a software firewall.  That's like swapping a SWAT captain for Paul Blart.
0
Do you have a plan for Continuity?

It's inevitable. People leave organizations creating a gap in your service. That's where Percona comes in.

See how Pepper.com relies on Percona to:
-Manage their database
-Guarantee data safety and protection
-Provide database expertise that is available for any situation

 

Author Comment

by:ITmanage
ID: 38845398
choward16980 I have with no dice. I can get out, but not in. I let ping access, and can ping the IP address I used for the WAN interface, but nothing else. Thanks Jake.
0
 

Author Comment

by:ITmanage
ID: 38845406
haha choward!
0
 

Author Comment

by:ITmanage
ID: 38845415
figure1
0
 

Author Comment

by:ITmanage
ID: 38845420
figure2
figure2.jpg
0
 

Author Comment

by:ITmanage
ID: 38845422
figure1
figure1.jpg
0
 

Author Comment

by:ITmanage
ID: 38845426
figure3
figure3.jpg
0
 

Author Comment

by:ITmanage
ID: 38845431
figure4
figure4.jpg
0
 

Author Comment

by:ITmanage
ID: 38845435
figure5...this is for the webserver 192.168.20.223, not the email 192.168.20.13, but same I have done the same for both
figure5.jpg
0
 

Author Comment

by:ITmanage
ID: 38845443
I attached the config file.
XTM-2-Series.xml
0
 

Author Closing Comment

by:ITmanage
ID: 38855089
You were correct, as I assumed you were, but still couldn't get it to work. After extensive logging, I found there was managed switch issue. Thanks again.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your computer hacked? learn how to detect and delete malware in your PC
In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question