WatchGuard Firebox System 7.0 User Guide
Chapter 7: Configuring Network Address Translation

Using 1-to-1 NAT

1-to-1 NAT uses a global NAT policy that rewrites and redirects packets sent to one range of addresses to a completely different range of addresses. This address conversion works in both directions. You can configure any number of 1-to-1 NAT addresses.

A common reason to use 1-to-1 NAT is to map public IP addresses to internal servers without needing to renumber those servers. 1-to-1 NAT is also used for VPNs in which the remote network’s IP addressing scheme conflicts with the local scheme. By translating the local network to a range that is not in conflict with the other end, both sides can communicate. For more information on 1-to-1 NAT, see the following FAQ:

https://support.watchguard.com/advancedfaqs/nat_onetoone.asp

Each NAT policy contains four configurable pieces of information:
• The interface (External, Trusted, Optional, IPSec)
• The public IP address
• The internal IP address
• The number of hosts to remap

The NAT base plus the range defines the NAT region while the real base plus the range defines the hidden or forwarded region.

For instance, the following policy:

210.199.6.0–192.168.69.0:255 (NAT base to real base range)

means that all traffic addressed to hosts between 210.199.6.0 and 210.199.6.255 is forwarded to the corresponding IP address between 192.168.69.0 and 192.168.69.255.
A one-to-one mapping exists between each NAT address and the forwarded (real) IP address: 210.199.6.0 becomes 192.168.69.0.

From Policy Manager:

1 Select Setup => NAT.
  The NAT Setup dialog box appears.
2 Click Advanced.
  The Advanced NAT Settings dialog box appears.
3 Click the 1-to-1 NAT Setup tab.
4 Select the checkbox marked Enable 1-1 NAT.
5 Click Add.
  The 1-1 Mapping dialog box appears, as shown in the following figure.
6 Select the appropriate interface (external, trusted, optional, or IPSec).
7 Enter the number of hosts to be translated.
8 In the NAT base field, enter the base address for the exposed NAT range.
  This will generally be the public IP address that will appear outside the Firebox.
9 In the Real base field, enter the base address for the real IP address range. Click OK.
  This will generally be the private IP address directly assigned to the server or client.
10 Click the Dynamic NAT Exceptions tab.
  You must make dynamic NAT exceptions for any internal address being used for 1-to-1 NAT; otherwise, the address will be translated using dynamic NAT instead of 1-to-1 NAT.
11 Click Add.
  The Add Exception dialog box appears.
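
The following Python sketch is an added example, not part of the WatchGuard guide or Firebox software. It models the example policy above to show the offset-preserving translation in both directions and to list real addresses that still lack a dynamic NAT exception. The class and function names are hypothetical, exceptions are written as host or CIDR strings purely for illustration, and the range is assumed to be the highest offset from the base.

```python
import ipaddress


class OneToOneNat:
    """Model of one 1-to-1 NAT policy (hypothetical helper, not Firebox code)."""

    def __init__(self, interface, nat_base, real_base, span):
        self.interface = interface
        self.nat_base = int(ipaddress.IPv4Address(nat_base))
        self.real_base = int(ipaddress.IPv4Address(real_base))
        # Assumption: the range is the highest offset from the base, so 255
        # covers base+0 .. base+255, matching the example policy in the text.
        self.span = span

    def _shift(self, addr, src_base, dst_base):
        offset = int(ipaddress.IPv4Address(addr)) - src_base
        if 0 <= offset <= self.span:
            return str(ipaddress.IPv4Address(dst_base + offset))
        return None  # outside this policy's region, so this policy leaves it alone

    def to_real(self, nat_addr):
        """Inbound: destination in the NAT region -> forwarded (real) address."""
        return self._shift(nat_addr, self.nat_base, self.real_base)

    def to_nat(self, real_addr):
        """Outbound: source in the real region -> exposed NAT address."""
        return self._shift(real_addr, self.real_base, self.nat_base)

    def real_addresses(self):
        return [ipaddress.IPv4Address(self.real_base + i)
                for i in range(self.span + 1)]


def missing_dynamic_nat_exceptions(policy, exceptions):
    """Return real addresses (collapsed to CIDR blocks) not covered by any
    dynamic NAT exception; these would be handled by dynamic NAT instead
    of the 1-to-1 mapping."""
    covered = [ipaddress.ip_network(e, strict=False) for e in exceptions]
    uncovered = [ipaddress.ip_network(str(a)) for a in policy.real_addresses()
                 if not any(a in net for net in covered)]
    return [str(n) for n in ipaddress.collapse_addresses(uncovered)]


# The example policy from the text: 210.199.6.0-192.168.69.0:255
POLICY = OneToOneNat("External", "210.199.6.0", "192.168.69.0", 255)

if __name__ == "__main__":
    print(POLICY.to_real("210.199.6.37"))
    print(POLICY.to_nat("192.168.69.255"))
    # Constructed input: only the lower half of the real range is excepted.
    print(missing_dynamic_nat_exceptions(POLICY, ["192.168.69.0/25"]))
```

An empty result from missing_dynamic_nat_exceptions means every real address in the policy has a matching dynamic NAT exception.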