new install watchguard

Archived from groups: comp.security.firewalls

Just trying to figure the best way to set up a new Firebox X 500 from
Watchguard.

The network is not that big, about 50 users.

1 router - serial: public IP, Ethernet: private IP. NAT translation on.

Router currently goes into a switch; I want to place the firewall in between.

Do I need to turn NAT off of the router? I'm not sure if I need to or not.

Servers, users, printers, switches all on the same net 172.22.1.0

Switch 172.22.1.23, router 172.22.1.15

What mode should I run the firebox in? On the network I have 3 servers.
One is a domain controller/DHCP/DNS/File/print, Two is a DB/Web server (not
public) mostly for testing purposes, Three is a backup domain
controller/fax server.
  1. Archived from groups: comp.security.firewalls

    In article <25-dncWVpYiZN3jdRVn-iQ@adelphia.com>, grroberts@adelphia.net
    says...
    > Just trying to figure the best way to set up a new Firebox X 500 from
    > Watchguard.
    >
    > The network is not that big, about 50 users.
    >
    > 1 router - serial: public IP, Ethernet: private IP. NAT translation on.
    >
    > Router currently goes into a switch; I want to place the firewall in between.
    >
    > Do I need to turn NAT off of the router? I'm not sure if I need to or not.
    >
    > Servers, users, printers, switches all on the same net 172.22.1.0
    >
    > Switch 172.22.1.23, router 172.22.1.15
    >
    > What mode should I run the firebox in? On the network I have 3 servers.
    > One is a domain controller/DHCP/DNS/File/print, Two is a DB/Web server (not
    > public) mostly for testing purposes, Three is a backup domain
    > controller/fax server.

    I would suggest Drop-In mode so that you don't have to change anything,
    but, if I were going to do it right, I would set it up as follows:

    External to the ROUTER - no NAT on router, just the public IP.
    Trusted to your LAN, use the server to provide DHCP, DNS, etc... use
    172.22.1.0/24 for your LAN subnet.
    Optional to your secondary test network - you could make it 172.22.2.0/24
    or anything else.

    Make sure that you do the worksheet so that you have your LAN and DMZ
    set up and so that you can get out past the FB once you hook it to the
    router's public IP.

    If you do the full setup you can then VPN (PPTP) into the firewall from
    home and manage all your systems over the internet through the tunnel.


    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  2. Archived from groups: comp.security.firewalls

    So currently I have a Cisco 1720; I can just take the NAT stuff off and pass
    everything through to the firewall. Do I just make the Ethernet port on the
    router the same as the public IP address on the serial interface, or use a
    different public address? I think the ISP gave us 3 or 4 of them.

    Sorry, never set one of these up. Just trying to figure out my options
    before I do anything.


    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b4f781c448f27a798a729@news-server.columbus.rr.com...
    > In article <25-dncWVpYiZN3jdRVn-iQ@adelphia.com>, grroberts@adelphia.net
    > says...
    > > Just trying to figure the best way to set up a new Firebox X 500 from
    > > Watchguard.
    > >
    > > The network is not that big, about 50 users.
    > >
    > > 1 router - serial: public IP, Ethernet: private IP. NAT translation on.
    > >
    > > Router currently goes into a switch; I want to place the firewall in
    > > between.
    > >
    > > Do I need to turn NAT off of the router? I'm not sure if I need to or
    > > not.
    > >
    > > Servers, users, printers, switches all on the same net 172.22.1.0
    > >
    > > Switch 172.22.1.23, router 172.22.1.15
    > >
    > > What mode should I run the firebox in? On the network I have 3
    > > servers.
    > > One is a domain controller/DHCP/DNS/File/print, Two is a DB/Web server
    > > (not public) mostly for testing purposes, Three is a backup domain
    > > controller/fax server.
    >
    > I would suggest Drop-In mode so that you don't have to change anything,
    > but, if I were going to do it right, I would set it up as follows:
    >
    > External to the ROUTER - no NAT on router, just the public IP.
    > Trusted to your LAN, use the server to provide DHCP, DNS, etc... use
    > 172.22.1.0/24 for your LAN subnet.
    > Optional to your secondary test network - you could make it 172.22.2.0/24
    > or anything else.
    >
    > Make sure that you do the worksheet so that you have your LAN and DMZ
    > set up and so that you can get out past the FB once you hook it to the
    > router's public IP.
    >
    > If you do the full setup you can then VPN (PPTP) into the firewall from
    > home and manage all your systems over the internet through the tunnel.
    >
    >
    > --
    > --
    > spamfree999@rrohio.com
    > (Remove 999 to reply to me)
  3. Archived from groups: comp.security.firewalls

    In article <s9GdnYDE-6IhLHjd4p2dnA@adelphia.com>, grroberts@adelphia.net
    says...
    > So currently I have a Cisco 1720; I can just take the NAT stuff off and pass
    > everything through to the firewall. Do I just make the Ethernet port on the
    > router the same as the public IP address on the serial interface, or use a
    > different public address? I think the ISP gave us 3 or 4 of them.
    >
    > Sorry, never set one of these up. Just trying to figure out my options
    > before I do anything.

    I'm not exactly sure - the 1720 is a router, you should have X number of
    IPs; make the firewall public side the first of them, in fact, assign it
    the first IP in the series, then add the others. Make sure that you get
    the default gateway and the mask (it might be a /30) correct for the
    public side.

    Once you get it set up for public, set up the trusted side with your
    internal addresses - don't connect it to the network yet. Set the
    firebox to provide DHCP services - just to test everything.

    Now, take one computer that is DHCP enabled, connect it to the LAN; the same
    one you are using to set up the FB will work - since you are going to
    need the management interface. Connect the FB External to the CISCO,
    connect the PC to the Trusted port, turn on the PC, get an IP, and as
    long as you've permitted DNS and HTTP outbound, then you should be able
    to browse to google.com and get a page.

    Now that you know the system works, you can expand on it from there.

    You could also leave the CISCO and router in place and set the FB up on
    one of your unused public IPs to test it - in fact, unless you are using
    the other IPs, I would suggest that you use one of those spare public
    addresses until you get used to working with the FB.

    One more thing - please post at the BOTTOM of the message; it follows
    usenet etiquette standards.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  4. Archived from groups: comp.security.firewalls

    "Leythos" <void@nowhere.com> wrote in message
    news:MPG.1b4f80ff772bcc5398a72b@news-server.columbus.rr.com...
    > In article <s9GdnYDE-6IhLHjd4p2dnA@adelphia.com>, grroberts@adelphia.net
    > says...
    > > So currently I have a Cisco 1720; I can just take the NAT stuff off and
    > > pass everything through to the firewall. Do I just make the Ethernet port
    > > on the router the same as the public IP address on the serial interface,
    > > or use a different public address? I think the ISP gave us 3 or 4 of them.
    > >
    > > Sorry, never set one of these up. Just trying to figure out my options
    > > before I do anything.
    >
    > I'm not exactly sure - the 1720 is a router, you should have X number of
    > IPs; make the firewall public side the first of them, in fact, assign it
    > the first IP in the series, then add the others. Make sure that you get
    > the default gateway and the mask (it might be a /30) correct for the
    > public side.
    >
    > Once you get it set up for public, set up the trusted side with your
    > internal addresses - don't connect it to the network yet. Set the
    > firebox to provide DHCP services - just to test everything.
    >
    > Now, take one computer that is DHCP enabled, connect it to the LAN; the same
    > one you are using to set up the FB will work - since you are going to
    > need the management interface. Connect the FB External to the CISCO,
    > connect the PC to the Trusted port, turn on the PC, get an IP, and as
    > long as you've permitted DNS and HTTP outbound, then you should be able
    > to browse to google.com and get a page.
    >
    > Now that you know the system works, you can expand on it from there.
    >
    > You could also leave the CISCO and router in place and set the FB up on
    > one of your unused public IPs to test it - in fact, unless you are using
    > the other IPs, I would suggest that you use one of those spare public
    > addresses until you get used to working with the FB.
    >
    > One more thing - please post at the BOTTOM of the message; it follows
    > usenet etiquette standards.
    >
    > --
    > --
    > spamfree999@rrohio.com
    > (Remove 999 to reply to me)

    Sorry for all the questions but this is my first one. Just want to make
    sure I'm doing it right.

    Public IPs from the ISP - not real numbers, made up.

    Serial block - 172.35.21.230/30
    Serial interface to router - 172.35.21.232
    Gateway (ISP) - 172.35.21.231
    Address block - 172.35.21.192/29
    Network IP - 172.35.21.192
    Broadcast IP - 172.35.21.199

    Usable IPs - 172.75.23.193 - 172.75.23.198

    INTERNAL network IPs:
    Gateway - 10.23.1.15
    Switch - 10.23.1.23
    Users - 10.23.1.100 - 10.23.1.200

    Right now without the FB the router serial interface uses 172.35.21.232.
    The Ethernet or internal interface uses 10.23.1.15.

    The router is using NAT; when setting up the FB do I turn off NAT? What
    IPs do the router serial and Ethernet interfaces become? What would the
    FB external interface become?

    I guess I'm trying to get an understanding of how it flows from the router
    to the firewall to the internal network, just to have a better understanding
    of how it works.

    Thanks for all your help.

    George
  5. Archived from groups: comp.security.firewalls

    In article <4N6dnWaEjupLJnfd4p2dnA@adelphia.com>, grroberts@adelphia.net
    says...
    >
    > "Leythos" <void@nowhere.com> wrote in message
    > news:MPG.1b4f80ff772bcc5398a72b@news-server.columbus.rr.com...
    > > In article <s9GdnYDE-6IhLHjd4p2dnA@adelphia.com>, grroberts@adelphia.net
    > > says...
    > > > So currently I have a Cisco 1720; I can just take the NAT stuff off and
    > > > pass everything through to the firewall. Do I just make the Ethernet port
    > > > on the router the same as the public IP address on the serial interface,
    > > > or use a different public address? I think the ISP gave us 3 or 4 of them.
    > > >
    > > > Sorry, never set one of these up. Just trying to figure out my options
    > > > before I do anything.
    > >
    > > I'm not exactly sure - the 1720 is a router, you should have X number of
    > > IPs; make the firewall public side the first of them, in fact, assign it
    > > the first IP in the series, then add the others. Make sure that you get
    > > the default gateway and the mask (it might be a /30) correct for the
    > > public side.
    > >
    > > Once you get it set up for public, set up the trusted side with your
    > > internal addresses - don't connect it to the network yet. Set the
    > > firebox to provide DHCP services - just to test everything.
    > >
    > > Now, take one computer that is DHCP enabled, connect it to the LAN; the same
    > > one you are using to set up the FB will work - since you are going to
    > > need the management interface. Connect the FB External to the CISCO,
    > > connect the PC to the Trusted port, turn on the PC, get an IP, and as
    > > long as you've permitted DNS and HTTP outbound, then you should be able
    > > to browse to google.com and get a page.
    > >
    > > Now that you know the system works, you can expand on it from there.
    > >
    > > You could also leave the CISCO and router in place and set the FB up on
    > > one of your unused public IPs to test it - in fact, unless you are using
    > > the other IPs, I would suggest that you use one of those spare public
    > > addresses until you get used to working with the FB.
    > >
    > > One more thing - please post at the BOTTOM of the message; it follows
    > > usenet etiquette standards.
    > >
    > > --
    > > --
    > > spamfree999@rrohio.com
    > > (Remove 999 to reply to me)
    >
    > Sorry for all the questions but this is my first one. Just want to make
    > sure I'm doing it right.
    >
    > Public IPs from the ISP - not real numbers, made up.
    >
    > Serial block - 172.35.21.230/30
    > Serial interface to router - 172.35.21.232
    > Gateway (ISP) - 172.35.21.231
    > Address block - 172.35.21.192/29
    > Network IP - 172.35.21.192
    > Broadcast IP - 172.35.21.199
    >
    > Usable IPs - 172.75.23.193 - 172.75.23.198
    >
    > INTERNAL network IPs:
    > Gateway - 10.23.1.15
    > Switch - 10.23.1.23
    > Users - 10.23.1.100 - 10.23.1.200
    >
    > Right now without the FB the router serial interface uses 172.35.21.232.
    > The Ethernet or internal interface uses 10.23.1.15.
    >
    > The router is using NAT; when setting up the FB do I turn off NAT? What
    > IPs do the router serial and Ethernet interfaces become? What would the
    > FB external interface become?
    >
    > I guess I'm trying to get an understanding of how it flows from the router
    > to the firewall to the internal network, just to have a better understanding
    > of how it works.
    >
    > Thanks for all your help.

    George - it's not a good idea to post all of your IP information to
    newsgroups - you should send me an email to the address in my sig
    (remove the 999 from it).

    As for your setup:

    It appears as though your router is assigning you a private IP address
    from the ISP - they are using 172.X block, and that's fine for most
    things, but we need to assign the firebox the PUBLIC IP Address, not a
    NAT address. While you can use a NAT address on the EXTERNAL port of the
    FB, I'm not entirely sure how things are going to work once you start
    doing NAT on the TRUSTED ports of the firebox. What I mean is that it
    should work, but that a double NAT often causes problems - get the
    PUBLIC IP from your ISP and assign it to the firebox EXTERNAL port.

    Next, your choice of IP for the TRUSTED LAN - the firebox is going to be
    your internal default gateway for all of your systems in the trusted
    area. In most cases, it's easiest to set the trusted interface to .1,
    such as 10.23.1.1. Not sure about your switch - if it's a managed switch
    you will need an IP, but you need to get a spreadsheet set up with how
    you are going to assign IPs in your network:

    10.23.1.1 Gateway - Trusted Interface on Firewall
    10.23.1.2~9 Other FW/security devices
    10.23.1.10~19 Managed Switches and such
    10.23.1.30~49 Servers and such fixed IP addresses
    10.23.1.60~89 Network Printers, scanners, etc...
    10.23.1.100~199 DHCP Scope for users systems
    10.23.1.240~249 VPN Remote User Address - by firewall

    10.24.1.1 Gateway - Optional Interface on Firewall
    10.24.1.2~9 Other FW/security devices
    10.24.1.10~19 Managed Switches and such
    10.24.1.30~99 Web Servers and such - exposed systems

    And the list goes on - this is all subjective and depends on your
    network and what hardware/services you have in it.

    Unless you have a really BIG network, don't use 10.0.0.0/8 for a subnet;
    while it may seem easy/nice, it's a pain once you start trying to
    segment your network. In a lot of cases a 10.0.0.0/24 network will do
    for offices and SOHO users - I would suggest 192.168.10.0/24 in place of
    a 10.0.0.0/8 network.

    With the example I provided above, it would require that the 10.23 and
    the 10.24 not be in the same network.

    Now, as for getting from the External port to the trusted and inside:

    External - public IP/GW

    In the FB, make sure that you setup DNS with the ISP's DNS information
    so that the FB can resolve external IP addresses.

    Trusted - 10.23.1.1 (assigned to Trusted Port), mask 255.255.255.0

    If you are running a DNS server in your network, get it setup and use
    Forwarders to point to the ISP's DNS servers for anything that is not in
    your local network.

    As for flowing:

    INTERNET
    |
    YOUR PUBLIC IP RANGE
    |
    YOUR ROUTER
    |
    YOUR ROUTERS IP RANGE (may also be natted)
    |
    FIREBOX External Interface - First Free IP from router, add others too
    |
    NAT Layer - Trusted 10.23.1.1/24 (10.23.1.1 is Trusted Interface IP)
    |
    NAT Layer - Optional 10.24.1.1/24 (10.24.1.1 is Optional Interface IP)
    |
    RULE SETS (determine in/out, ports, services)
    |
    Systems/Devices in Trusted or Optional Networks.




    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
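Before touching the router, it is worth checking that an address plan like the one in this thread is internally consistent: that the usable range really belongs to the /29, that the router's serial address and the ISP gateway are usable hosts on the /30, that the inside allocation table has no overlaps and stays inside the Trusted /24, and that the address handed to the External port is actually public (an RFC 1918 address there means the router is still translating, which is the double NAT the reply above warns about). The script below is an added example, not code from the thread or from WatchGuard; it takes George's made-up numbers and the allocation table from this reply as constructed input, and every function name in it is an assumption of the example.

```python
import ipaddress

# Constructed sample input, taken from the made-up numbers in the thread:
# the ISP-facing /30 and /29 as George listed them, and the Trusted/Optional
# allocation table from the last reply.
PUBLIC_BLOCK = "172.35.21.192/29"
SERIAL_LINK = "172.35.21.230/30"          # posted as-is; checked below
ROUTER_SERIAL = "172.35.21.232"
ISP_GATEWAY = "172.35.21.231"
CLAIMED_USABLE = ("172.75.23.193", "172.75.23.198")

TRUSTED_NET = "10.23.1.0/24"
OPTIONAL_NET = "10.24.1.0/24"
TRUSTED_PLAN = [  # (label, first address, last address), all meant to sit in TRUSTED_NET
    ("gateway (trusted interface)", "10.23.1.1", "10.23.1.1"),
    ("other FW/security devices", "10.23.1.2", "10.23.1.9"),
    ("managed switches", "10.23.1.10", "10.23.1.19"),
    ("servers, fixed IPs", "10.23.1.30", "10.23.1.49"),
    ("printers/scanners", "10.23.1.60", "10.23.1.89"),
    ("DHCP scope for users", "10.23.1.100", "10.23.1.199"),
    ("VPN remote users", "10.23.1.240", "10.23.1.249"),
]


def usable_hosts(cidr):
    """First and last usable host address of a block (network and broadcast excluded)."""
    hosts = list(ipaddress.ip_network(cidr, strict=False).hosts())
    return str(hosts[0]), str(hosts[-1])


def expects_double_nat(external_addr):
    """True if the address given to the firewall's External port is RFC 1918,
    i.e. the router is already translating and the Firebox would NAT a second time."""
    return ipaddress.ip_address(external_addr).is_private


def check_public_side(block, serial_link, router_serial, isp_gateway, claimed_usable):
    """Return a list of findings; empty when the public-side numbers are consistent."""
    findings = []
    first, last = usable_hosts(block)
    if (first, last) != tuple(claimed_usable):
        findings.append(f"usable range of {block} is {first}-{last}, "
                        f"not {claimed_usable[0]}-{claimed_usable[1]}")
    link = ipaddress.ip_network(serial_link, strict=False)
    if str(link) != serial_link:
        findings.append(f"{serial_link} is not on a /30 boundary; the link net is {link}")
    link_hosts = set(link.hosts())
    for label, addr in (("router serial interface", router_serial),
                        ("ISP gateway", isp_gateway)):
        if ipaddress.ip_address(addr) not in link_hosts:
            findings.append(f"{label} {addr} is not a usable host in {link}")
    return findings


def check_private_plan(trusted_net, optional_net, plan):
    """Findings for the inside plan: Trusted and Optional must not overlap, every
    allocation must sit inside the Trusted net, and allocations must not overlap."""
    findings = []
    trusted = ipaddress.ip_network(trusted_net)
    optional = ipaddress.ip_network(optional_net)
    if trusted.overlaps(optional):
        findings.append(f"Trusted {trusted} and Optional {optional} overlap")
    ranges = []
    for label, lo, hi in plan:
        lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo_a > hi_a:
            findings.append(f"{label}: {lo}-{hi} is reversed")
        if lo_a not in trusted or hi_a not in trusted:
            findings.append(f"{label}: {lo}-{hi} is outside {trusted}")
        ranges.append((lo_a, hi_a, label))
    ranges.sort()
    for (lo1, hi1, label1), (lo2, _, label2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"{label1} and {label2} overlap")
    return findings


if __name__ == "__main__":
    for f in check_public_side(PUBLIC_BLOCK, SERIAL_LINK, ROUTER_SERIAL,
                               ISP_GATEWAY, CLAIMED_USABLE):
        print("public side:", f)
    for f in check_private_plan(TRUSTED_NET, OPTIONAL_NET, TRUSTED_PLAN):
        print("private side:", f)
    print("double NAT if External gets 10.23.1.15:", expects_double_nat("10.23.1.15"))
```

Run against the numbers as posted, the public-side check reports four findings (the usable range is in a different block, the /30 is not written on a boundary, and neither the router's serial address nor the ISP gateway is a usable host on it), while the Trusted plan from this reply comes back clean. That is the kind of worksheet pass the earlier reply recommends doing before the Firebox is cabled in.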