Sign in with
Sign up | Sign in
Your question

new install watchguard

Last response: in Networking
Share
July 2, 2004 6:31:31 PM

Archived from groups: comp.security.firewalls (More info?)

Just trying to figure the best way to setup a new Firebox X 500 from
Watchguard.

The network is not that big about 50 users.

1 router - serial public IP Ethernet private IP. NAT translation on.

Router currently goes into a switch I want to place the firewall in between.

Do I need to turn NAT off of the router? I'm not sure if I need to or not.

Servers, users, printers, switches all on the same net 172.22.1.0

Switch 172.22.1.23 , router 172.22.1.15

What mode should I run the firebox in? On the network I have a 3 servers.
One is a domain controller/DHCP/DNS/File/print, Two is a DB/Web server (not
public) mostly for testing purposes, Three is a backup domain
controller/fax server.

More about : install watchguard

Anonymous
July 2, 2004 10:40:38 PM

Archived from groups: comp.security.firewalls (More info?)

In article <25-dncWVpYiZN3jdRVn-iQ@adelphia.com>, grroberts@adelphia.net
says...
> Just trying to figure the best way to setup a new Firebox X 500 from
> Watchguard.
>
> The network is not that big about 50 users.
>
> 1 router - serial public IP Ethernet private IP. NAT translation on.
>
> Router currently goes into a switch I want to place the firewall in between.
>
> Do I need to turn NAT off of the router? I'm not sure if I need to or not.
>
> Servers, users, printers, switches all on the same net 172.22.1.0
>
> Switch 172.22.1.23 , router 172.22.1.15
>
> What mode should I run the firebox in? On the network I have a 3 servers.
> One is a domain controller/DHCP/DNS/File/print, Two is a DB/Web server (not
> public) mostly for testing purposes, Three is a backup domain
> controller/fax server.

I would suggest Drop-In mode so that you don't have to change anything,
but, if I were going to do it right, I would setup as follows:

External to the ROUTER - no NAT on router, just the public IP.
Trusted to your LAN, use the server to provide DHCP, DNS, etc... use
172.22.1.0/24 for your LAN subnet
Options to your secondary test network - you could make it 172.22.2.0/24
or anything else.

Make sure that you do the worksheet so that you have your LAN and DMZ
setup and so that you can get out past the FB once you hook it to the
router's public IP.

If you do the full setup you can then VPN (PPTP) into the firewall from
home and manage all your systems over the internet through the tunnel.


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
July 2, 2004 10:40:39 PM

Archived from groups: comp.security.firewalls (More info?)

So currently I have a cisco 1720 I can just take the NAT stuff off and pass
everything through to the firewall. Do I just make the Ethernet port on the
router the same as the public IP address on the serial interface or use a
different public address I think the ISP gave us 3 or 4 of them.

Sorry never set one of these up. Just trying to figure out my options
before I do anything.


"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b4f781c448f27a798a729@news-server.columbus.rr.com...
> In article <25-dncWVpYiZN3jdRVn-iQ@adelphia.com>, grroberts@adelphia.net
> says...
> > Just trying to figure the best way to setup a new Firebox X 500 from
> > Watchguard.
> >
> > The network is not that big about 50 users.
> >
> > 1 router - serial public IP Ethernet private IP. NAT translation on.
> >
> > Router currently goes into a switch I want to place the firewall in
between.
> >
> > Do I need to turn NAT off of the router? I'm not sure if I need to or
not.
> >
> > Servers, users, printers, switches all on the same net 172.22.1.0
> >
> > Switch 172.22.1.23 , router 172.22.1.15
> >
> > What mode should I run the firebox in? On the network I have a 3
servers.
> > One is a domain controller/DHCP/DNS/File/print, Two is a DB/Web server
(not
> > public) mostly for testing purposes, Three is a backup domain
> > controller/fax server.
>
> I would suggest Drop-In mode so that you don't have to change anything,
> but, if I were going to do it right, I would setup as follows:
>
> External to the ROUTER - no NAT on router, just the public IP.
> Trusted to your LAN, use the server to provide DHCP, DNS, etc... use
> 172.22.1.0/24 for your LAN subnet
> Options to your secondary test network - you could make it 172.22.2.0/24
> or anything else.
>
> Make sure that you do the worksheet so that you have your LAN and DMZ
> setup and so that you can get out past the FB once you hook it to the
> router's public IP.
>
> If you do the full setup you can then VPN (PPTP) into the firewall from
> home and manage all your systems over the internet through the tunnel.
>
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
Related resources
Anonymous
July 2, 2004 11:18:29 PM

Archived from groups: comp.security.firewalls (More info?)

In article <s9GdnYDE-6IhLHjd4p2dnA@adelphia.com>, grroberts@adelphia.net
says...
> So currently I have a cisco 1720 I can just take the NAT stuff off and pass
> everything through to the firewall. Do I just make the Ethernet port on the
> router the same as the public IP address on the serial interface or use a
> different public address I think the ISP gave us 3 or 4 of them.
>
> Sorry never set one of these up. Just trying to figure out my options
> before I do anything.

I'm not exactly sure - the 1720 is a router, you should have X number of
IP, make the firewall public side the first of them, in fact, assign it
the fist IP in the series, then add the others, make sure that you get
the default gateway and the mask (it might be a /30) correct for the
public side.

Once you get it setup for public, setup the trusted side with your
internal addresses - don't connect it to the network yet. Set the
firebox to provide DHCP services - just to test everything.

Now, take one computer that is DHCP enabled, connect it to the LAN, same
one you are using to setup the FB will work - since you are going to
need the management interface. Connect the FB External to the CISCO,
connect the PC to the Trusted port, turn on the PC, get an IP, and as
long as you've permitted DNS and HTTP outbound, then you should be able
to browse to google.com and get a page.

Now that you know the system works, you can expand on it from there.

You could also leave the CISCO and router in place and set the FB up on
one of you unused public IP to test it - in fact, unless you are using
the other IP, I would suggest that you use one of those spare public
addresses until you get use to working with the FB.

One more thing - please post at the BOTTOM of the message, it follows
usenet etiquette standards.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
July 6, 2004 2:48:53 PM

Archived from groups: comp.security.firewalls (More info?)

"Leythos" <void@nowhere.com> wrote in message
news:MPG.1b4f80ff772bcc5398a72b@news-server.columbus.rr.com...
> In article <s9GdnYDE-6IhLHjd4p2dnA@adelphia.com>, grroberts@adelphia.net
> says...
> > So currently I have a cisco 1720 I can just take the NAT stuff off and
pass
> > everything through to the firewall. Do I just make the Ethernet port on
the
> > router the same as the public IP address on the serial interface or use
a
> > different public address I think the ISP gave us 3 or 4 of them.
> >
> > Sorry never set one of these up. Just trying to figure out my options
> > before I do anything.
>
> I'm not exactly sure - the 1720 is a router, you should have X number of
> IP, make the firewall public side the first of them, in fact, assign it
> the fist IP in the series, then add the others, make sure that you get
> the default gateway and the mask (it might be a /30) correct for the
> public side.
>
> Once you get it setup for public, setup the trusted side with your
> internal addresses - don't connect it to the network yet. Set the
> firebox to provide DHCP services - just to test everything.
>
> Now, take one computer that is DHCP enabled, connect it to the LAN, same
> one you are using to setup the FB will work - since you are going to
> need the management interface. Connect the FB External to the CISCO,
> connect the PC to the Trusted port, turn on the PC, get an IP, and as
> long as you've permitted DNS and HTTP outbound, then you should be able
> to browse to google.com and get a page.
>
> Now that you know the system works, you can expand on it from there.
>
> You could also leave the CISCO and router in place and set the FB up on
> one of you unused public IP to test it - in fact, unless you are using
> the other IP, I would suggest that you use one of those spare public
> addresses until you get use to working with the FB.
>
> One more thing - please post at the BOTTOM of the message, it follows
> usenet etiquette standards.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)

Sorry for all the questions but this is my first one. Just want to make
sure I'm doing it
right.

Public IPs from the ISP - Not real numbers made up.

serial block - 172.35.21.230/30
Serial interface to router - 172.35.21.232
Gateway (ISP) - 172.35.21.231
Address Block - 172.35.21.192/29
Network IP - 172.35.21.192
Broadcast IP - 172.35.21.199

Usable IPs - 172.75.23.193 - 172.75.23.198


INTERNAL Network IPs.
Gateway - 10.23.1.15
Switch - 10.23.1.23
users - 10.23.1.100 - 10.23.1.200

Right now without the FB the router serial interface uses 172.35.21.232
The Ethernet or internal interface uses 10.23.1.15

The router is using NAT, when setting up the FB do I turn off NAT? What
IPs does the router serial and ethernet interfaces become? What would the
FB external interface become.

I guess I'm trying to get an understanding of how it flows from the router
to the
firewall to the internal network just to have a better understanding of how
it works.

Thanks for all your help.

George
Anonymous
July 6, 2004 8:01:45 PM

Archived from groups: comp.security.firewalls (More info?)

In article <4N6dnWaEjupLJnfd4p2dnA@adelphia.com>, grroberts@adelphia.net
says...
>
> "Leythos" <void@nowhere.com> wrote in message
> news:MPG.1b4f80ff772bcc5398a72b@news-server.columbus.rr.com...
> > In article <s9GdnYDE-6IhLHjd4p2dnA@adelphia.com>, grroberts@adelphia.net
> > says...
> > > So currently I have a cisco 1720 I can just take the NAT stuff off and
> pass
> > > everything through to the firewall. Do I just make the Ethernet port on
> the
> > > router the same as the public IP address on the serial interface or use
> a
> > > different public address I think the ISP gave us 3 or 4 of them.
> > >
> > > Sorry never set one of these up. Just trying to figure out my options
> > > before I do anything.
> >
> > I'm not exactly sure - the 1720 is a router, you should have X number of
> > IP, make the firewall public side the first of them, in fact, assign it
> > the fist IP in the series, then add the others, make sure that you get
> > the default gateway and the mask (it might be a /30) correct for the
> > public side.
> >
> > Once you get it setup for public, setup the trusted side with your
> > internal addresses - don't connect it to the network yet. Set the
> > firebox to provide DHCP services - just to test everything.
> >
> > Now, take one computer that is DHCP enabled, connect it to the LAN, same
> > one you are using to setup the FB will work - since you are going to
> > need the management interface. Connect the FB External to the CISCO,
> > connect the PC to the Trusted port, turn on the PC, get an IP, and as
> > long as you've permitted DNS and HTTP outbound, then you should be able
> > to browse to google.com and get a page.
> >
> > Now that you know the system works, you can expand on it from there.
> >
> > You could also leave the CISCO and router in place and set the FB up on
> > one of you unused public IP to test it - in fact, unless you are using
> > the other IP, I would suggest that you use one of those spare public
> > addresses until you get use to working with the FB.
> >
> > One more thing - please post at the BOTTOM of the message, it follows
> > usenet etiquette standards.
> >
> > --
> > --
> > spamfree999@rrohio.com
> > (Remove 999 to reply to me)
>
> Sorry for all the questions but this is my first one. Just want to make
> sure I'm doing it
> right.
>
> Public IPs from the ISP - Not real numbers made up.
>
> serial block - 172.35.21.230/30
> Serial interface to router - 172.35.21.232
> Gateway (ISP) - 172.35.21.231
> Address Block - 172.35.21.192/29
> Network IP - 172.35.21.192
> Broadcast IP - 172.35.21.199
>
> Usable IPs - 172.75.23.193 - 172.75.23.198
>
>
> INTERNAL Network IPs.
> Gateway - 10.23.1.15
> Switch - 10.23.1.23
> users - 10.23.1.100 - 10.23.1.200
>
> Right now without the FB the router serial interface uses 172.35.21.232
> The Ethernet or internal interface uses 10.23.1.15
>
> The router is using NAT, when setting up the FB do I turn off NAT? What
> IPs does the router serial and ethernet interfaces become? What would the
> FB external interface become.
>
> I guess I'm trying to get an understanding of how it flows from the router
> to the
> firewall to the internal network just to have a better understanding of how
> it works.
>
> Thanks for all your help.

George - it's not a good idea to post all of your IP information to
newsgroups - you should send me an email to the address in my sig
(remove the 999 from it).

As for your setup:

It appears as though your router is assigning you a private IP address
from the ISP - they are using 172.X block, and that's fine for most
things, but we need to assign the firebox the PUBLIC IP Address, not a
NAT address. While you can use a NAT address on the EXTERNAL port of the
FB, I'm not entirely sure how things are going to work once you start
doing NAT on the TRUSTED ports of the firebox. What I mean is that it
should work, but that a double NAT often causes problems - get the
PUBLIC IP from your ISP and assign it to the firebox EXTERNAL port.

Next, you choice of IP for the TRUSTED LAN - The firebox is going to be
your internal default gateway for all of your systems in the trusted
area. In most cases, it's easiest to set the trusted interface to .1,
such as 10.23.1.1. Not sure about your Switch - if it's a managed switch
you will need an IP, but you need to get a spreadsheet setup with how
you are going to assign IP's in your network:

10.23.1.1 Gateway - Trusted Interface on Firewall
10.23.1.2~9 Other FW/security devices
10.23.1.10~19 Managed Switches and such
10.23.1.30~49 Servers and such fixed IP addresses
10.23.1.60~89 Network Printers, scanners, etc...
10.23.1.100~199 DHCP Scope for users systems
10.23.1.240~249 VPN Remote User Address - by firewall

10.24.1.1 Gateway - Optional Interface on Firewall
10.24.1.2~9 Other FW/security devices
10.24.1.10~19 Managed Switches and such
10.24.1.30~99 Web Servers and such - exposed systems

And the list goes on - this is all subjective and depends on your
network and what hardware/services you have in it.

Unless you have a really BIG network, don't use 10.0.0.0/8 for a subnet,
while it may seem easy/nice, it's a pain once you start trying to
segment your network. In a lot of cases a 10.0.0.0/24 network will do
for offices and SOHO users - I would suggest 192.168.10.0/24 in place of
a 10.0.0.0/8 network.

With the example I provided above, it would require that the 10.23 and
the 10.24 not be in the same network.

Now, as for getting from the External port to the trusted and inside:

External - public IP/GW

In the FB, make sure that you setup DNS with the ISP's DNS information
so that the FB can resolve external IP addresses.

Trusted - 10.23.1.1 (assigned to Trusted Port)
- 255.255.255.0

If you are running a DNS server in your network, get it setup and use
Forwarders to point to the ISP's DNS servers for anything that is not in
your local network.

As for flowing:

INTERNET
|
YOUR PUBLIC IP RANGE
|
YOUR ROUTER
|
YOUR ROUTERS IP RANGE (may also be natted)
|
FIREBOX External Interface - First Free IP from router, add others too
|
NAT Layer - Trusted 10.23.1.1/24 (10.23.1.1 is Trusted Interface IP)
|
NAT Layer - Optional 10.24.1.1/24 (10.24.1.1) is Optional Interface IP)
|
RULE SETS (determine in/out, ports, services)
|
Systems/Devices in Trusted or Optional Networks.




--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
!