Configuration Example



Similar documents
Configuration Example

Configuration Example

Configuration Example

Configuration Example

Configuration Example

Configuration Example

WatchGuard Certified Training Partner (WCTP) Program

WatchGuard Certified Training Partner (WCTP) Program

WatchGuard Certified Training Partner (WCTP) Program

LinkProof DNS Quick Start Guide

How do I configure multi-wan in Routing Table mode?

WatchGuard XCSv Setup Guide

ASA/PIX: Load balancing between two ISP - options

Fireware Essentials Exam Study Guide

DOWNTIME CAN SPELL DISASTER

Fireware XTM Traffic Management

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Creating a VPN with overlapping subnets

WATCHGUARD FIREBOX SOHO 6TC AND SOHO 6

Core Protection Suite

IREBOX X. Firebox X Family of Security Products. Comprehensive Unified Threat Management Solutions That Scale With Your Business

WatchGuard System Manager User Guide. WatchGuard System Manager v8.0

Firebox X550e, Firebox X750e, Firebox X1250e Firebox X5500e, Firebox X6500e, Firebox X8500e, Firebox X8500e-F

Fireware How To Logging and Notification

Clustering and Queue Replication:

Serial Deployment Quick Start Guide

Using IPsec VPN to provide communication between offices

Best Practices: Pass-Through w/bypass (Bridge Mode)

How to set up Inbound Load Balance under Drop-in Mode

VPN Configuration Guide. Dealing with Identical Local and Remote Network Addresses

How To Manage Outgoing Traffic On Fireware Xtm

Fireware How To Network Configuration

WatchGuard XCS Exam Study Guide

WatchGuard Technologies, Inc. 505 Fifth Avenue South Suite 500, Seattle, WA

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

nexvortex Setup Template

Chapter 3 Security and Firewall Protection

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

WatchGuard Technologies WatchGuard Technologies

VPN Tracker for Mac OS X

1 You will need the following items to get started:

How do I set up a branch office VPN tunnel with the Management Server?

For extra services running behind your router. What to do after IP change

Galileo International. Firewall & Proxy Specifications

Technical Brief ActiveSync Configuration for WatchGuard SSL 100

1:1 NAT in ZeroShell. Requirements. Overview. Network Setup

CMPT 471 Networking II

How Your Computer Accesses the Internet through your Wi-Fi for Boats Router

Digi Connect WAN Application Helper NAT, GRE, ESP and TCP/UPD Forwarding and IP Filtering

WatchGuard SSL Web UI 3.2 User Guide

How to Open HTTP or HTTPS traffic to a webserver behind the NetVanta 2000 Series unit (Enhanced OS)

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

VPN Configuration Guide WatchGuard Fireware XTM

MULTI WAN TECHNICAL OVERVIEW

Barracuda Link Balancer

Configuring IP Load Sharing in AOS Quick Configuration Guide

WatchGuard SSL Web UI User Guide

Barracuda Link Balancer Administrator s Guide

VPN Solution Guide Peplink Balance Series. Peplink Balance. VPN Solution Guide Copyright 2015 Peplink

Link Load Balancing :50:44 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Branch Office VPN Tunnels and Mobile VPN

Netsweeper Whitepaper

Technical Note. ISP Protection against BlackListing. FORTIMAIL Deployment for Outbound Spam Filtering. Rev 2.2

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Inbound Load Balance. User Manual

Internet Load Balancing Guide. Peplink Balance Series. Peplink Balance. Internet Load Balancing Solution Guide

Source-Connect Network Configuration Last updated May 2009

Firewall Defaults and Some Basic Rules

Multi-Homing Dual WAN Firewall Router

Core Filtering Admin Guide

ERserver. iseries. TCP/IP routing and workload balancing

Unified Threat Management

Komplettschutz für den Mittelstand

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Zscaler Internet Security Frequently Asked Questions

Configuration Guide. How to Configure SSL VPN Features in DSR Series. Overview

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Document No. FO1101 Issue Date: Work Group: FibreOP Technical Team October 31, 2013 FINAL:

WAN Failover Scenarios Using Digi Wireless WAN Routers

What s New in Fireware XTM v11.5.1

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Symantec Hosted Mail Security Getting Started Guide

Security Technology: Firewalls and VPNs

CORE Enterprise on a WAN

How To Set Up A Pploe On A Pc Orca On A Ipad Orca (Networking) On A Macbook Orca 2.5 (Netware) On An Ipad 2.2 (Netrocessor

High Availability Branch Office VPN

Configuring the BIG-IP and Check Point VPN-1 /FireWall-1

Microsoft Exchange 2003

Configuring WAN Failover & Load-Balancing

Appendix C Network Planning for Dual WAN Ports

Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Migration Quick Reference Guide for Administrators

Configuring a VPN for Dynamic IP Address Connections

Service Overview & Installation Guide

CompTIA Exam N CompTIA Network+ certification Version: 5.1 [ Total Questions: 1146 ]

Installing Policy Patrol on a separate machine

VPN Configuration Guide LANCOM

Meraki MX50 Hardware Installation Guide

Transcription:

Configuration Example Use Public IP Addresses Behind an XTM Device Example configuration files created with WSM v11.7.2 Revised 3/22/2013 Use Case There are several reasons to use publicly routable IP addresses on a network protected by your XTM device. For example, you might want to avoid the use of NAT to translate a public IP address to a private IP address for publicly accessible servers on your network. You might want to use a service that does not work well with NAT. Or, you might want to use multi-wan on the XTM device to create redundant paths to the public IP addresses of servers on your network. Solution Overview This configuration example includes XTM device configurations for three scenarios that demonstrate different ways that you can configure public subnets on the private network behind the XTM device. These configuration scenarios are covered: Scenario 1: Public subnet behind the XTM device - single WAN, /24 subnet Scenario 2: Public subnet behind the XTM device - single WAN, /24 supernet split into two /25 subnets Scenario 3: Public subnet behind the XTM device with multi-wan In general, these solutions require that you: Add a static route to the Internet router so that it knows how to route traffic to the public IP addresses behind the firewall Configure an optional interface on the XTM device to use a public IP address on the publicly routable subnet you want to use Configure policies and NAT to allow traffic in and out of the public subnet behind the XTM device This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment. Example Configuration Files For your reference, we have included example configuration files with this document. The names of the configuration files are: Scenario 1: public_subnet_basic.xml. Scenario 2: public_subnet_supernet.xml. Scenario 3: public_subnet_multi-wan.xml. To examine the configuration details of each example configuration file, open it with Policy Manager.

Scenario 1: Public Subnet on Optional, Single WAN Scenario 1: Public Subnet on Optional, Single WAN This scenario shows how to configure an optional network to use a public subnet IP address of 198.51.100.0/24, and how to configure policies for traffic to and from that subnet. This single-wan configuration has these characteristics: Single external interface Static routing Works with subnets of variable sizes Configuration Summary: Add a static route on the router between the XTM device and the Internet. Assign a public IP address from the optional network public subnet to the XTM device optional interface. Make sure the public subnet is not included in the dynamic NAT configuration, because we do not want to do address translation for outbound traffic from this subnet.. The name of the example configuration file for this scenario is public_subnet_basic.xml. Router configuration In this scenario, the router between the XTM device and the Internet has the IP address 203.0.113.1. Before you can use this XTM device configuration you must add a static route to the router that connects to the external interface. For this example, the router must have a static route to the public subnet 198.51.100.0/24 with the next hop to 203.0.113.2, the IP address of the XTM device external interface. 2 WatchGuard Fireware XTM

Scenario 1: Public Subnet on Optional, Single WAN XTM Device Network Configuration The optional interface is configured with an IP address on the 198.51.100.0/24 public subnet. Configuration Example 3

Scenario 1: Public Subnet on Optional, Single WAN Policy Configuration Policies for inbound traffic You can create policies to handle inbound traffic to the public IP addresses of servers on your internal network. In the example configuration, the policy SMTP-proxy-in handles inbound traffic to a mail server on the optional network. In this case, 198.51.100.25 is the public IP address of a mail server on the optional network. The IP address of the mail server is the destination IP address in this policy. This example is for traffic to an SMTP server. You could also create policies that handle incoming traffic to other servers on this public subnet. It is not necessary to create separate outgoing policies to handle outbound traffic from public servers on this network, because the default Outgoing policy already allows this traffic. We do not want to use NAT for outbound traffic from servers on this optional network. Even though the Outgoing policy has NAT enabled (in the Advanced tab), no NAT occurs for outgoing traffic from this optional network, because the public IP address range of this subnet is not specified in any of the dynamic NAT or 1- to-1 NAT entries. 4 WatchGuard Fireware XTM

Scenario 2: Public Subnet on Optional, Single-WAN, Supernet Scenario 2: Public Subnet on Optional, Single-WAN, Supernet You might not want to allocate an entire /24 subnet to a network behind your XTM device. As an alternative, you can use a larger netmask to divide a subnet into smaller subnets, that you can use on different XTM device interfaces. The original subnet that you divide is a supernet of the smaller subnets. For example, if your ISP has allocated you the public IP address subnet 203.0.113.0/24, you can use the /25 netmask to split this subnet into two smaller subnets. You can then use one of the smaller subnets for your optional network, and the other smaller subnet for your external network. Here is an example of how that division works. The original subnet 203.0.113.0/24 includes IP addresses in the range 203.0.113.0-203.0.113.255 You can use the /25 netmask, to split this /24 subnet into two /25 subnets which each contain half of the addresses in the original subnet. The subnet 203.0.113.0/25 includes IP addresses in the range 203.0.113.0-203.0.113.127 The subnet 203.0.113.128/25 includes IP addresses in the range 203.0.113.128-203.0.113.255 The /24 network is a supernet of the two /25 subnets. You can visualize the supernet / subnet relationship for this example like this: This example splits a /24 subnet into two smaller subnets. You can further reduce the /25 subnet assigned to the external interface if you want to assign more public IP addresses to other interfaces behind the XTM device. Scenario 2 is similar to scenario 1, except that it shows how to use a public subnet of 203.0.113.0/25 for the optional network, and 203.0.113.128/25 for the external network. Configuration Example 5

Scenario 2: Public Subnet on Optional, Single-WAN, Supernet This single-wan configuration has these characteristics: Single external interface Static routing Uses the /25 netmask to break a /24 subnet into two smaller subnets This configuration is the same as Scenario 1, except for the network addresses used on the external and optional networks. Configuration Summary: Add a static route on the router between the XTM device and the Internet. Assign a public IP address from the /25 external network subnet to the external interface Assign a public IP address from the /25 optional network public subnet to the XTM device optional interface. Make sure the public subnet is not included in the dynamic NAT configuration, because we do not want to do address translation for outbound traffic from this subnet. The name of the example configuration file for this scenario is public_subnet_supernet.xml. Router configuration In this scenario, the router between the XTM device and the Internet has the IP address 203.0.113.254. Before you can use this XTM device configuration you must add a static route to the router that connects to the external interface. For this example, the router must have a static route to the public subnet 203.0.113.0/25 with the next hop to 203.0.113.253, the IP address of the XTM device external interface. 6 WatchGuard Fireware XTM

Scenario 2: Public Subnet on Optional, Single-WAN, Supernet XTM Device Network Configuration The external interface is configured with the IP address 203.0.113.253/25 (an IP address from the 203.0.113.128/25 subnet). The optional interface is configured with the IP address 203.0.113.1/25 (an IP address in the 203.0.113.0/25 subnet). Configuration Example 7

Scenario 2: Public Subnet on Optional, Single-WAN, Supernet Policy Configuration You can create policies to handle inbound traffic to the public IP addresses of servers on your internal network. In the example configuration, the policy SMTP-proxy-in handles inbound traffic to a mail server on the optional network. In this case, 203.0.113.25 is the public IP address of a mail server on the optional network. The IP address of the mail server is the destination IP address in this policy. This example is for a mail server. You could also create policies that handle incoming traffic to other servers on this public subnet. It is not necessary to create separate outgoing policies to handle outbound traffic from public servers on this network, because the default Outgoing policy already allows this traffic. We do not want to use NAT for outbound traffic from servers on this optional network. Even though the Outgoing policy has NAT enabled (in the Advanced tab), no NAT occurs for outgoing traffic from this optional network, because the public IP address range of this subnet is not specified in any of the dynamic NAT or 1- to-1 NAT entries. 8 WatchGuard Fireware XTM

Scenario 3 : Public Subnet on Optional, Multi-WAN Scenario 3 : Public Subnet on Optional, Multi-WAN This multi-wan configuration is similar to the single-wan configuration, but supports failover between two external interfaces. This configuration would be appropriate if your XTM device connects to two different ISPs for Internet access. This configuration has these characteristics: Two external interfaces, External-1 and External-2 Static routing Works even with a subnet smaller than /24 Inbound path to the real public IP address is still on a single path Configuration Summary: Add a static route on the router between XTM device External-1 interface and the Internet. Assign a public IP address from the optional network public subnet to the XTM device optional interface. Add a dynamic NAT entry to translate the public subnet to the IP address of External-2, for outbound traffic through the External-2 interface. Configure inbound policies with two entries that go to the same host, one for traffic from each external interface. Disable 1-to-1 NAT in policies that involve the optional network or any host on the optional network that uses the public subnet. To examine the configuration file for this scenario, open public_subnet_multi-wan.xml in Policy Manager. Router Configuration Before you can use this XTM device configuration you must add a static route to the router that connects to the External-1 interface. For this scenario, the router must have a static route to the public subnet 198.51.100.0/24 with the next hop to 203.0.113.2, the IP address of the XTM device external interface. Configuration Example 9

Scenario 3 : Public Subnet on Optional, Multi-WAN You do not need to add a static route to the router that connects to the External-2 interface. Instead, you use a static NAT rule in the inbound policy to route traffic received by the External-2 interface to the public IP address of a host on the Optional network. XTM Device Network Configuration Just as in the single-wan configuration, the optional interface is configured with an IP address on the 198.51.100.0/24 public subnet. In this configuration, notice that there are two external interfaces, External-1 (203.0.113.2/30), and External-2 (192.0.2.2/30). Dynamic NAT Configuration The configuration includes an added dynamic NAT rule for outbound traffic from the optional network to the External-2 interface. 10 WatchGuard Fireware XTM

Scenario 3 : Public Subnet on Optional, Multi-WAN The dynamic NAT rule is 198.51.100.25 - External-2. For outbound traffic from the SMTP server that leaves the External-2 interface, this dynamic NAT rule changes the source IP address from 198.51.100.25 to the IP address of the External-2 interface. If you have other servers on the optional public IP subnet, you would add those entries to the dynamic NAT configuration as well. For example, if this network had a web server with IP address 198.51.100.80, the dynamic NAT rule would be 198.51.100.80 - External-2. Policy Configuration You can create policies to handle inbound traffic to the public IP addresses of servers on your internal network. In the example configuration, the policy SMTP-proxy-in handles inbound traffic to a mail server on the optional network. In this case, 198.51.100.25 is the public IP address of a mail server on the optional network. Because traffic to this mail server can arrive through one of two external interfaces, the destination address in this policy has two entries: The real public IP address of the mail server (198.51.100.25) A static NAT entry that translates the External-2 IP address (192.0.2.2) to the real IP address of the mail server (198.51.100.25) Configuration Example 11

Scenario 3 : Public Subnet on Optional, Multi-WAN Dynamic NAT and static NAT work together in this configuration to handle IP address translation for traffic that goes through the External-2 interface. Dynamic NAT handles address translation for outbound traffic that leaves the External-2 interface. Static NAT handles address translation for inbound traffic to the SMTP server that enters the External-2 interface. DNS Records With this multi-wan configuration there are two public IP addresses that can be used to connect to each server. So you must configure DNS records to handle inbound traffic on either address. For each host, you need a DNS record with the real public IP address of the host (which is routable through the IP address on the External-1 interface), and a second DNS record with the IP address of the External-2 interface. For this example network that has a mail server with the public IP address of 198.51.100.25, the NS records for the mail server could look like this: company.com IN MX 5 mail1.company.com company.com IN MX 10 mail2.company.com mail1 IN A 198.51.100.25 mail2 IN A 192.0.2.2 If this example network had a web server with a public IP address of 198.51.100.80 on the optional network, the NS records for a web server could look like this: www1.company.com. IN A 198.51.100.80 www2.company.com. IN A 192.0.2.2 This configuration example covers multi-wan with static routing. You can also configure a public subnet (/24 or greater) behind the XTM device if you use dynamic routing. 12 WatchGuard Fireware XTM

Outgoing Policies Outgoing Policies These example configuration files do not include specific policies to handle outbound traffic from public servers on this network, because the default Outgoing policy already allows this traffic. If you remove the Outgoing policy from your configuration, or if you want the ability to more easily monitor the log messages related to traffic from these public servers, we recommend that you create a unique policy to handle outgoing traffic from each public server. For example, you could add a proxy policy that handles outgoing traffic from the mail server to any external interface. That policy could look like this: This policy handles outbound SMTP traffic from the server at 198.51.100.25 to any external interface. If you have other servers with public IP addresses on your network, you can create a policy to handle outbound traffic from each server. Configuration Example 13

Conclusion Conclusion In this configuration example, we have shown three ways that you can configure a subnet with public IP addresses on an optional network protected by your XTM device. The three configuration scenarios should give you some ideas about how you can use NAT to route traffic to publicly routable IP addresses on the network protected by your XTM device. If you would rather use private IP addresses for publicly accessible servers on your private network, that is also an option. For more information, see the configuration example Use NAT for Public Access to Servers with Private IP Addresses on the Private Network on the Configuration Examples page. 14 WatchGuard Fireware XTM

About this Configuration Example About this Configuration Example This configuration example is provided as a guide. Additional configuration settings could be necessary, or more appropriate, for your network environment. For complete product documentation, see the Fireware XTM WatchGuard System Manager Help or Fireware XTM Web UI Help on the WatchGuard web site at: http://www.watchguard.com/help/documentation/. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Copyright, Trademark, and Patent Information Copyright 1998-2013 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at: http://www.watchguard.com/help/documentation/. About WatchGuard WatchGuard offers affordable, all-in-one network and content security solutions that provide defense-in-depth and help meet regulatory compliance requirements. The WatchGuard XTM line combines firewall, VPN, GAV, IPS, spam blocking and URL filtering to protect your network from spam, viruses, malware, and intrusions. The new XCS line offers email and web content security combined with data loss prevention. WatchGuard extensible solutions scale to offer rightsized security ranging from small businesses to enterprises with 10, 000+ employees. WatchGuard builds simple, reliable, and robust security appliances featuring fast implementation and comprehensive management and reporting tools. Enterprises throughout the world rely on our signature red boxes to maximize security without sacrificing efficiency and productivity. For more information, please call 206.613.6600 or visit www.watchguard.com. Address 505 Fifth Avenue South Suite 500 Seattle, WA 98104 Support www.watchguard.com/support U.S. and Canada +877.232.3531 All Other Countries +1.206.521.3575 Sales U.S. and Canada +1.800.734.9905 All Other Countries +1.206.613.0895 Configuration Example 15

About this Configuration Example Configuration Example 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information