What is dynamic NAT? | WatchGuard Technologies FireboxTM System 4.6

CHAPTER 10 Setting Up Network Address

Translation

Network address translation (NAT) hides internal network addresses from hosts on an external network. WatchGuard supports two types of NAT:

• Outgoing dynamic NAT

Hides network addresses from hosts on another network; works only on outgoing messages.

• Incoming static NAT

Provides port-to-host remapping of incoming IP packets destined for a public address to a single internal address; works only on incoming messages.

For more information on NAT, see the Network Security Handbook.

What is dynamic NAT?

Also known as IP masquerading or port address translation, dynamic NAT hides network addresses from hosts on another network. Hosts elsewhere only see outgoing packets from the Firebox itself. This feature protects the confidentiality and architecture of your network. Another benefit is that it enables you to conserve IP addresses.

WatchGuard implements two forms of outgoing dynamic NAT:

•Simple NAT – Using host aliases or IP host and network IP addresses, the Firebox globally applies network address translation to every outgoing packet.

•Service-based NAT – Configure each service individually for outgoing dynamic NAT.

Machines making incoming requests over a VPN connection are allowed to access masqueraded hosts.

User Guide

63

Image 73

WatchGuard Technologies FireboxTM System 4.6 manual Setting Up Network Address Translation, What is dynamic NAT?

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information Disclaimer WatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of Conformity CE Notice FCC CertificationCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Welcome to WatchGuard Part I IntroductionWatchGuard Firebox System components WatchGuard Control Center WatchGuard FireboxWatchGuard security suite Minimum requirements LiveSecurity ServiceSoftware requirements Web browser requirements CPU Hardware requirements LiveSecurity Service Part II WatchGuard ServicesWatchGuard Optional Features Technical SupportPage Software Update LiveSecurity ServiceLiveSecurity broadcasts Information Alert Editorial Activating the LiveSecurity ServiceSupport Flash Virus Alert Minimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQ Click the LSS/SOHO Known Issues link on the left Known issuesGetting Internet technical support Getting telephone support WatchGuard Interactive Training System Wits Training Online Help WatchGuard users groupInstructor-led courses Searching for topics Starting WatchGuard Online HelpCopying the Help system to additional platforms Online Help system requirements Context-sensitive Help Currently available options WatchGuard OptionsVPN Manager High Availability Mobile User VPN Obtaining WatchGuard optionsSpamScreen Part III Configuring a Security Policy Set up logging and notification Set up network address translation NATConnect with out-of-band management Firebox Basics What is a Firebox? Placing a Firebox within a network Saving a configuration file Opening a configuration fileOpening a configuration from the Firebox Opening a configuration from a local hard disk Saving a configuration to the local hard disk Resetting Firebox passphrasesSaving a configuration to the Firebox Tips for creating secure passphrases Reinitializing a misconfigured Firebox Setting the time zoneSelect Setup =Time Zone Reinitialize the Firebox using the QuickSetup wizard Booting from the system area Starting the Control Center and connecting to a Firebox Using the WatchGuard Control CenterNavigating the WatchGuard Control Center Control Center components Front panel QuickGuideFirebox and VPN tunnel status Remote VPN tunnels IPSecExpanding and collapsing the display Red exclamation point Setting the maximum number of log messages Connecting to a FireboxWorking with the Control Center Traffic Monitor Manipulating the Traffic Monitor Policy ManagerOpening WatchGuard Firebox System tools LogViewer Firebox MonitorsChanging the Policy Manager view Historical Reports HostWatchLiveSecurity Event Processor LiveSecurity Event Processor Running the QuickSetup wizard Configuring a NetworkTrusted External Setting up a drop-in network Setting up a routed network Adding a secondary network Select Network = ConfigurationDefining a network route Select Network = Routes Select Network = Default Gateway Setting the default gatewayDefining a host route Changing an interface IP address Select Network = Configuration. Click the Dhcp Server tab Select Network = Configuration. Click the General tabEntering Wins and DNS server addresses Defining a Firebox as a Dhcp server Removing a Subnet Modifying an existing subnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Select Setup = Default Packet Handling Configuring default packet handlingBlocking Sites and Ports Removing a blocked site Blocking a site permanentlyChanging the auto-block duration Logging and notification for blocked sites Removing a blocked port Blocking a port permanentlyLogging and notification for blocked ports Category list, click Blocked Sites Configuring a service to temporarily block sites Blocking sites temporarily with service settingsViewing the Blocked Sites list Adding an existing service Configuring ServicesClick OK to close the Properties dialog box Ignore Creating a new serviceSecure Port Adding incoming service properties Defining service properties Adding addresses to service properties Adding outgoing service propertiesWorking with wg icons Modifying a service Configuring services for authenticationDeleting a service Under Internal Hosts, click Add Configuring an Smtp proxy service Setting up proxy servicesConfiguring the incoming Smtp proxy Click Yes Adding address patterns Selecting content typesProtecting your mail server against relaying Select headers to allow Configuring the outgoing Smtp proxy Configuring an FTP proxy serviceClick Outgoing Add masquerading options Configuring an Http proxy service Service precedence From Rank Any List Service precedence How WebBlocker works Controlling Web TrafficReverting to old WebBlocker databases Prerequisites to using WebBlocker Configuring the WebBlocker serviceLogging and WebBlocker Activating WebBlocker Scheduling operational and non-operational hours Setting privilegesCreating WebBlocker exceptions Click the WebBlocker Controls tab Debug- Outputs debugging information Manually downloading the WebBlocker database What is dynamic NAT? Setting Up Network Address Translation Select Setup = NAT Using simple dynamic NATEnabling simple dynamic NAT Adding dynamic NAT entries Enabling service-based NAT Using service-based NATConfiguring service-based NAT exceptions Setting static NAT for a service Configuring a service for incoming static NATSelect Network = Configuration. Click the External tab Adding external IP addresses Checkbox Enter the internal IP addressClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging Notification Designating Event Processors for a Firebox WatchGuard logging architectureLiveSecurity Event Processor Select Setup = Logging Editing an Event Processor settingAdding an Event Processor Enabling Syslog logging Reordering Event Processors Removing an Event ProcessorSynchronizing Event Processors For Windows NT Event Processors Installing the Event Processor program Setting up the LiveSecurity Event ProcessorRunning an Event Processor on Windows Running an Event Processor on Windows NT or Windows Interactive mode from a DOS window As a Windows NT or Windows 2000 ServiceViewing the Event Processor Click WG LiveSecurity Event Processor. Click Startup Setting the log encryption key Setting global logging and notification preferencesSetting the interval for log rollover Starting and stopping the Event Processor Scheduling log reports Customizing logging and notification by service or optionControlling notification Category Setting Launch Interval and Repeat Count Setting logging and notification for a service Select Setup = Blocked Sites Setting logging and notification for blocked sites and ports Connect with Out-of-Band Management Connecting a Firebox with OOB managementEnabling the Management Station Configure the dial-up connection Install the modemPreparing a Windows NT Management Station for OOB Preparing a Windows 95/98 Management Station for OOB Select Network = Configuration. Click the OOB tab Configuring the Firebox for OOBConfiguring PPP for connecting to a Firebox Establishing an OOB connection Establishing an OOB connection Aliases and Authentication Part IV Administering a Security PolicyFirebox Activity Monitors Network Activity ReportsPage Using host aliases Creating Aliases Implementing Authentication Modifying a host alias Adding a host aliasRemoving a host alias User authentication types What is user authentication?How user authentication works Configuring Windows NT Server authentication Configuring Firebox authenticationUnder Authentication Enabled Via, click the Firebox option To close the Setup Remote User dialog box, click Close Click the Windows NT Server tab Configuring Radius server authentication Enter the administrator password Configuring CRYPTOCard server authenticationOn the Radius Server Enter or accept the time-out in seconds Configuring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN access Monitoring Firebox Activity Starting Firebox Monitors and connecting to a Firebox ServiceWatch Setting Firebox Monitors view propertiesBandwidth Meter StatusReport Packet counts Network configurationLog and notification hosts Blocked Sites list Logging options Authentication host informationMemory Load average Routes InterfacesInterface the Firebox uses for each destination address Blocked Sites list Authentication listARP table HostWatch display Replaying a log fileSelect File = Connect Select File = Open Controlling the HostWatch display Viewing authenticated usersViewing specific hosts Viewing specific ports Add Modifying view properties HostWatch 102 Reviewing and Working with Log Files Setting LogViewer preferencesViewing files with LogViewer Starting LogViewer and opening a log file Copying and exporting LogViewer data Searching for specific entries Displaying and hiding fields Consolidating logs from multiple locations Working with log files Copying log files Setting log encryption keysForcing the rollover of log files From LiveSecurity Event Processor Working with log files 108 Starting Historical Reports Generating Reports of Network ActivityCreating and editing reports Viewing the reports list Creating a new report Specifying report sectionsEditing an existing report Deleting a report Specifying a report time span Setting report propertiesConsolidating report sections Exporting reports to Html format Exporting reportsExporting a report to WebTrends for Firewalls and VPNs Enter the number of elements to rank in the table Exporting a report to a text file Using report filtersCreating a new filter Editing a filter Scheduling and running reportsDeleting a filter Applying a filter Manually running a report Report sections and consolidated sections Time Summary Proxied Traffic Session Summary Packet FilteredHost Summary Proxied Traffic Proxy Summary Consolidated Sections 118 Branch office virtual private network Part V WatchGuard Virtual Private NetworkingRemote user virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private Networking How does Dvcp work? Using Dvcp to connect to devicesBasic and Enhanced Dvcp Creating a tunnel to a Soho or SOHOtc Select Network = Branch Office VPN = Basic Dvcp Editing a tunnel to a deviceTelecommuter IP Address Soho Private Network Removing a tunnel to a device Branch office VPN with IPSecDefining a Firebox as an Enhanced Dvcp Client Select the tunnel policy. Click Edit Select Network = Branch Office VPN = IPSec Configuring a gatewayAdding a gateway Click Gateways Incoming Settings for Outgoing checkbox Configuring a tunnel with manual securityUsing Encapsulated Security Protocol ESP Removing a gateway Using Authenticated Headers AH Configuring a tunnel with dynamic securityClick Key. Enter a passphrase. Click OK Click the Dynamic Security tab Block Creating an IPSec policyBypass Dst Port field, enter the remote host port Changing IPSec policy order Configuring services for branch office VPN with IPSecSrc Port field, enter the local host port Incoming WatchGuard VPN configuration models Configuring WatchGuard VPNSetting up WatchGuard VPN Allow VPN access to any services Changing remote network entries Enable the Activate WatchGuard VPN checkboxPreventing IP spoofing with WatchGuard VPN Enter the encryption key. Click Make Key Verifying successful WatchGuard VPN configuration Configuring incoming services to allow VPN Remote User Pptp Configuring the Firebox for Remote User VPNMobile User VPN Adding remote access users Configuring shared servers for RuvpnAdding a member to built-in Ruvpn user groups By individual service Configuring services to allow incoming RuvpnUsing the Any service Activating Remote User Pptp Configuring the Firebox for Remote User PptpEntering IP addresses for Remote User sessions Select Network = Remote User. Click the Pptp tab Purchasing a Mobile User VPN license Configuring the Firebox for Mobile User VPNRules for valid Remote User Pptp addresses Entering license keys Preparing Mobile User VPN configuration filesDefining a new mobile user Select Network = Remote User. Click the Mobile User VPN tab Distributing the software and configuration files Saving the configuration to a FireboxModifying an existing Mobile User VPN entry Select Network = Remote User Debugging Mobile User VPN Configuring debugging optionsDebugging Remote User VPN Pptp Preparing the client computers Preparing a Host for Remote User VPN Windows 95/98 platform preparation Remote host operating systemClick the Identification tab Installing Dial-Up Adapter #2 VPN Support Installing Client for Microsoft NetworksWindows NT platform preparation Click Dial Out Only. Click Continue Setting up Ruvpn for WindowsAdding a domain name to a Windows NT workstation Select Computer Browser Installing a VPN adapter on Windows 95/98 Configuring the remote host for Ruvpn with PptpInitial Connection window that appears, click Yes Click Obtain an IP Address Automatically. Click OK Installing a VPN adapter on Windows NT Using Remote User PptpStarting Remote User Pptp Running Remote User Pptp Enter the remote client username and passwordDouble-click the Ruvpn connection Click Connect Configuring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160