WatchGuard Firebox System 7.0 User Guide
Chapter 7: Configuring Network Address Translation

Adding simple dynamic NAT entries

Using built-in host aliases, you can quickly configure the Firebox to masquerade addresses from your trusted and optional networks. If trusted hosts are already covered by the default, non-routable ranges, no additional entries are needed:

• From: Trusted
• To: External

The default dynamic entries are listed in the previous section. Larger or more sophisticated networks may require additional entries in the From or To lists of hosts or host aliases.

The Firebox applies dynamic NAT rules in the order in which they appear in the Dynamic NAT Entries list. WatchGuard recommends prioritizing entries based on the volume of traffic that each represents.

From the NAT Setup dialog box:

1 Click Add.
2 Use the From drop-down list to select the origin of the outgoing packets.
  For example, use the trusted host alias to globally enable network address translation from the Trusted network. For a definition of built-in Firebox aliases, see “Using Aliases” on page 162. For more information on how to add a user-defined host alias, see “Adding an alias” on page 163.
Using Simple Dynamic NAT

3 Use the To drop-down list to select the destination of outgoing packets.
4 To add either a host or network IP address, click the ... button. Use the drop-down list to select the address type. Enter the IP address or range. Network addresses must be entered in slash notation.
  When typing IP addresses, type the digits and periods in sequence. Do not use the TAB or arrow key to jump past the periods. For information on entering IP addresses, see “Entering IP addresses” on page 43.
5 Click OK.
  The new entry appears in the Dynamic NAT Entries list.

Reordering simple dynamic NAT entries

To reorder dynamic NAT entries, select the entry and click either Up or Down. There is no method to modify a dynamic NAT entry. Instead, use the Remove button to remove existing entries and the Add button to add new entries.

Specifying simple dynamic NAT exceptions

You can set up ranges of addresses in dynamic NAT so that each address in that range is a part of the NAT policy. By using the dynamic NAT exceptions option you can exclude certain addresses from that policy.

From Policy Manager:

1 Select Setup => NAT.
  The NAT Setup dialog box appears.
2 Click Advanced.
  The Advanced NAT Settings dialog box appears.
3 Click the Dynamic NAT Exceptions tab.
4 Click Add.
  The Add Exception dialog box appears.
5 In the From and To boxes, select Trusted, Optional, dvcp_nets, or dvcp_local_nets.
  The latter two choices are aliases for VPN Manager and appear if your Firebox is configured as a DVCP client. dvcp_nets refers to networks behind the DVCP client and dvcp_local_nets refers to
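A small model of the ordered Dynamic NAT Entries list and the exceptions list described above, added here as an illustration and not WatchGuard code. The alias networks, the sample entries and the exception are constructed, External is simplified to "any address", and checking exceptions first with first-match evaluation is an assumption of the model.

```python
import ipaddress

# Constructed networks standing in for the built-in aliases (assumed values).
ALIASES = {
    "trusted": ipaddress.ip_network("10.0.1.0/24"),
    "optional": ipaddress.ip_network("10.0.2.0/24"),
    "external": ipaddress.ip_network("0.0.0.0/0"),  # simplification: any address
}

def resolve(name):
    """Turn an alias, a host address or a slash-notation network into a network."""
    if name.lower() in ALIASES:
        return ALIASES[name.lower()]
    # strict=True rejects a "network" that has host bits set, e.g. 10.0.1.5/24,
    # which is the usual mistake when typing slash notation by hand.
    return ipaddress.ip_network(name, strict=True)

def matches(pair, src, dst):
    """True when src falls in the From side and dst in the To side of a pair."""
    frm, to = pair
    return (ipaddress.ip_address(src) in resolve(frm)
            and ipaddress.ip_address(dst) in resolve(to))

def nat_decision(entries, exceptions, src, dst):
    """Return ("exception", i), ("masquerade", i) or ("none", None).

    i is the position of the list item that matched, so the result also shows
    how far down the list a packet had to travel before it was handled.
    """
    for i, pair in enumerate(exceptions):
        if matches(pair, src, dst):
            return ("exception", i)
    for i, pair in enumerate(entries):  # list order, first match wins (assumed)
        if matches(pair, src, dst):
            return ("masquerade", i)
    return ("none", None)

# Constructed sample configuration: the default-style entry first, then extras.
ENTRIES = [
    ("trusted", "external"),
    ("optional", "external"),
    ("192.168.50.0/24", "external"),
]
EXCEPTIONS = [("10.0.1.25", "external")]  # one trusted host excluded from NAT

if __name__ == "__main__":
    for src in ("10.0.1.7", "10.0.1.25", "192.168.50.4", "172.16.0.1"):
        print(src, nat_decision(ENTRIES, EXCEPTIONS, src, "203.0.113.9"))
```

In this model every entry has the same effect, so moving an entry up changes only how many comparisons its traffic costs, which is why ordering by traffic volume is a reasonable rule.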