WatchGuard Firebox System 7.0 User Guide
Chapter 7: Configuring Network Address Translation

static NAT. Typically, static NAT is used for public services that do not require authentication such as Web sites and email.

1-to-1 NAT
The Firebox uses private and public IP ranges that you specify, rather than the ranges assigned to the Firebox interfaces during configuration.

Choosing which type of NAT to perform depends on the underlying problem being solved, such as those regarding address security or preservation of public IP addresses. For more information on NAT, see the following collection of FAQs:

https://support.watchguard.com/advancedfaqs/nat_main.asp

Dynamic NAT

Dynamic NAT is the most commonly used form of NAT. It works by translating the source IP address of outbound sessions (those originating on the internal side of the Firebox) to the one public IP address of the Firebox. Hosts elsewhere only see outgoing packets from the Firebox itself.

This type of NAT is most commonly used to conserve IP addresses. It allows multiple computers to access the Internet by sharing one public IP address. Even if the number of public IP addresses is not a concern, dynamic NAT provides extra security for internal hosts that use the Internet by allowing them to use non-routable addresses.

The WatchGuard Firebox System implements two forms of outgoing dynamic NAT:

Simple dynamic NAT
Using host aliases or host and network IP addresses, the Firebox globally applies network address translation to every outgoing packet. This is the most commonly used type of NAT.
Service-based dynamic NAT
Each service is configured individually for outgoing dynamic NAT.

NOTE
Machines making incoming requests over a VPN connection are allowed to access masqueraded hosts by their actual private addresses.

Using Simple Dynamic NAT

In the majority of networks, the preferred security policy is to globally apply network address translation to all outgoing packets. Simple dynamic NAT provides a quick method to set a NAT policy for your entire network. For more information on this type of NAT, see the following FAQ:

https://support.watchguard.com/advancedfaqs/nat_howdynamicnat.asp

Enabling simple dynamic NAT

The default configuration of simple dynamic NAT enables it from all non-routable addresses to the external network.

From Policy Manager:

1 Select Setup => NAT.
  The NAT Setup dialog box appears, as shown in the following figure.
2 Select the checkbox marked Enable Dynamic NAT.
  The default dynamic entries are:
  • 192.168.0.0/16 - External
  • 172.16.0.0/12 - External
  • 10.0.0.0/8 - External
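The following Python model is an added example, not WatchGuard code: it shows how the three default dynamic entries decide which outbound sessions are rewritten to the single public address, and why a remote host with no existing session cannot reach an internal host. The class name, the port pool, the per-session port rewriting and all addresses are assumptions made for illustration.

```python
import ipaddress

# Default simple dynamic NAT entries from the guide (each maps to External).
DEFAULT_ENTRIES = ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")


class DynamicNat:
    """Simplified model: many internal hosts share one public IP."""

    def __init__(self, public_ip, entries=DEFAULT_ENTRIES, first_port=20000):
        self.public_ip = public_ip
        self.networks = [ipaddress.ip_network(e) for e in entries]
        self.next_port = first_port  # assumed port pool, not a Firebox value
        self.out = {}    # (src_ip, src_port, remote) -> public port
        self.back = {}   # (public port, remote) -> (src_ip, src_port)

    def matches(self, src_ip):
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.networks)

    def outbound(self, src_ip, src_port, remote):
        """Return the (source IP, source port) the remote host sees."""
        if not self.matches(src_ip):
            return (src_ip, src_port)  # no dynamic entry: left untranslated
        key = (src_ip, src_port, remote)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, remote)] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.out[key])

    def inbound(self, public_port, remote):
        """Map a reply to its internal host; None if no session exists."""
        return self.back.get((public_port, remote))


def demo():
    nat = DynamicNat("203.0.113.10")   # constructed documentation address
    web = ("198.51.100.7", 80)         # constructed remote server
    a = nat.outbound("10.0.1.5", 40000, web)
    b = nat.outbound("192.168.3.9", 40000, web)
    c = nat.outbound("172.32.0.1", 40000, web)  # outside 172.16.0.0/12
    reply = nat.inbound(a[1], web)          # reply on an existing session
    stray = nat.inbound(a[1], ("198.51.100.99", 80))  # unsolicited sender
    return a, b, c, reply, stray


if __name__ == "__main__":
    print(demo())
```

The 172.32.0.1 case is the one to check when auditing a NAT table: 172.16.0.0/12 ends at 172.31.255.255, so addresses just past it are not covered by the default entries.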