Manuals / WatchGuard Technologies / Computer Equipment / Network Router

WatchGuard Technologies FireboxTM System 4.6 manual Setting Up Network Address Translation

Models: FireboxTM System 4.6

1 170

Download 170 pages 21.61 Kb

Page 73

CHAPTER 10 Setting Up Network Address

Translation

Network address translation (NAT) hides internal network addresses from hosts on an external network. WatchGuard supports two types of NAT:

• Outgoing dynamic NAT

Hides network addresses from hosts on another network; works only on outgoing messages.

• Incoming static NAT

Provides port-to-host remapping of incoming IP packets destined for a public address to a single internal address; works only on incoming messages.

For more information on NAT, see the Network Security Handbook.

What is dynamic NAT?

Also known as IP masquerading or port address translation, dynamic NAT hides network addresses from hosts on another network. Hosts elsewhere only see outgoing packets from the Firebox itself. This feature protects the confidentiality and architecture of your network. Another benefit is that it enables you to conserve IP addresses.

WatchGuard implements two forms of outgoing dynamic NAT:

•Simple NAT – Using host aliases or IP host and network IP addresses, the Firebox globally applies network address translation to every outgoing packet.

•Service-based NAT – Configure each service individually for outgoing dynamic NAT.

Machines making incoming requests over a VPN connection are allowed to access masqueraded hosts.

User Guide

63

Image 73

WatchGuard Technologies FireboxTM System 4.6 manual Setting Up Network Address Translation, What is dynamic NAT?

Contents

WatchGuard Firebox System User Guide Copyright and Patent Information DisclaimerWatchGuard Firebox System WFS End-User License Agreement Page Watchguard Declaration of ConformityCE Notice FCC CertificationCSA Statement Table of Contents Using the WatchGuard Control Center Setting Up Network Address Translation 149 Welcome to WatchGuard Part I IntroductionWatchGuard Firebox System components WatchGuard Control Center WatchGuard FireboxWatchGuard security suite Minimum requirements LiveSecurity ServiceSoftware requirements Web browser requirementsCPU Hardware requirementsLiveSecurity Service Part II WatchGuard ServicesWatchGuard Optional Features Technical SupportPage Software Update LiveSecurity ServiceLiveSecurity broadcasts Information AlertEditorial Activating the LiveSecurity ServiceSupport Flash Virus AlertMinimize or close your Web browser LiveSecurity broadcasts Technical Support Accessing frequently asked questions FAQClick the LSS/SOHO Known Issues link on the left Known issuesGetting Internet technical support Getting telephone supportWatchGuard Interactive Training System Wits TrainingOnline Help WatchGuard users groupInstructor-led courses Searching for topics Starting WatchGuard Online HelpCopying the Help system to additional platforms Online Help system requirementsContext-sensitive Help Currently available options WatchGuard OptionsVPN Manager High AvailabilityMobile User VPN Obtaining WatchGuard optionsSpamScreen Part III Configuring a Security Policy Set up logging and notification Set up network address translation NATConnect with out-of-band management Firebox Basics What is a Firebox?Placing a Firebox within a network Saving a configuration file Opening a configuration fileOpening a configuration from the Firebox Opening a configuration from a local hard diskSaving a configuration to the local hard disk Resetting Firebox passphrasesSaving a configuration to the Firebox Tips for creating secure passphrasesReinitializing a misconfigured Firebox Setting the time zoneSelect Setup =Time Zone Reinitialize the Firebox using the QuickSetup wizardBooting from the system area Starting the Control Center and connecting to a Firebox Using the WatchGuard Control CenterNavigating the WatchGuard Control Center Control Center componentsFront panel QuickGuideFirebox and VPN tunnel status Remote VPN tunnels IPSecExpanding and collapsing the display Red exclamation pointSetting the maximum number of log messages Connecting to a FireboxWorking with the Control Center Traffic MonitorManipulating the Traffic Monitor Policy ManagerOpening WatchGuard Firebox System tools LogViewer Firebox MonitorsChanging the Policy Manager view Historical Reports HostWatchLiveSecurity Event Processor LiveSecurity Event Processor Running the QuickSetup wizard Configuring a NetworkTrusted ExternalSetting up a drop-in network Setting up a routed network Adding a secondary network Select Network = ConfigurationDefining a network route Select Network = RoutesSelect Network = Default Gateway Setting the default gatewayDefining a host route Changing an interface IP addressSelect Network = Configuration. Click the Dhcp Server tab Select Network = Configuration. Click the General tabEntering Wins and DNS server addresses Defining a Firebox as a Dhcp serverRemoving a Subnet Modifying an existing subnetClick the subnet to remove it. Click Remove Click OK Defining a Firebox as a Dhcp server Select Setup = Default Packet Handling Configuring default packet handlingBlocking Sites and Ports Removing a blocked site Blocking a site permanentlyChanging the auto-block duration Logging and notification for blocked sitesRemoving a blocked port Blocking a port permanentlyLogging and notification for blocked ports Category list, click Blocked SitesConfiguring a service to temporarily block sites Blocking sites temporarily with service settingsViewing the Blocked Sites list Adding an existing service Configuring ServicesClick OK to close the Properties dialog box Ignore Creating a new serviceSecure PortAdding incoming service properties Defining service propertiesAdding addresses to service properties Adding outgoing service propertiesWorking with wg icons Modifying a service Configuring services for authenticationDeleting a service Under Internal Hosts, click AddConfiguring an Smtp proxy service Setting up proxy servicesConfiguring the incoming Smtp proxy Click YesAdding address patterns Selecting content typesProtecting your mail server against relaying Select headers to allowConfiguring the outgoing Smtp proxy Configuring an FTP proxy serviceClick Outgoing Add masquerading optionsConfiguring an Http proxy service Service precedence From Rank Any List Service precedence How WebBlocker works Controlling Web TrafficReverting to old WebBlocker databases Prerequisites to using WebBlocker Configuring the WebBlocker serviceLogging and WebBlocker Activating WebBlockerScheduling operational and non-operational hours Setting privilegesCreating WebBlocker exceptions Click the WebBlocker Controls tabDebug- Outputs debugging information Manually downloading the WebBlocker databaseWhat is dynamic NAT? Setting Up Network Address TranslationSelect Setup = NAT Using simple dynamic NATEnabling simple dynamic NAT Adding dynamic NAT entriesEnabling service-based NAT Using service-based NATConfiguring service-based NAT exceptions Setting static NAT for a service Configuring a service for incoming static NATSelect Network = Configuration. Click the External tab Adding external IP addressesCheckbox Enter the internal IP addressClick OK to close the Add Static NAT dialog box Configuring a service for incoming static NAT Ensure logging with failover logging Setting Up Logging NotificationDesignating Event Processors for a Firebox WatchGuard logging architectureLiveSecurity Event Processor Select Setup = Logging Editing an Event Processor settingAdding an Event Processor Enabling Syslog loggingReordering Event Processors Removing an Event ProcessorSynchronizing Event Processors For Windows NT Event ProcessorsInstalling the Event Processor program Setting up the LiveSecurity Event ProcessorRunning an Event Processor on Windows Running an Event Processor on Windows NT or WindowsInteractive mode from a DOS window As a Windows NT or Windows 2000 ServiceViewing the Event Processor Click WG LiveSecurity Event Processor. Click StartupSetting the log encryption key Setting global logging and notification preferencesSetting the interval for log rollover Starting and stopping the Event ProcessorScheduling log reports Customizing logging and notification by service or optionControlling notification CategorySetting Launch Interval and Repeat Count Setting logging and notification for a serviceSelect Setup = Blocked Sites Setting logging and notification for blocked sites and portsConnect with Out-of-Band Management Connecting a Firebox with OOB managementEnabling the Management Station Configure the dial-up connection Install the modemPreparing a Windows NT Management Station for OOB Preparing a Windows 95/98 Management Station for OOBSelect Network = Configuration. Click the OOB tab Configuring the Firebox for OOBConfiguring PPP for connecting to a Firebox Establishing an OOB connectionEstablishing an OOB connection Aliases and Authentication Part IV Administering a Security PolicyFirebox Activity Monitors Network Activity ReportsPage Using host aliases Creating Aliases Implementing AuthenticationModifying a host alias Adding a host aliasRemoving a host alias User authentication types What is user authentication?How user authentication works Configuring Windows NT Server authentication Configuring Firebox authenticationUnder Authentication Enabled Via, click the Firebox option To close the Setup Remote User dialog box, click CloseClick the Windows NT Server tab Configuring Radius server authenticationEnter the administrator password Configuring CRYPTOCard server authenticationOn the Radius Server Enter or accept the time-out in secondsConfiguring SecurID authentication Example Configuring a service for Remote User VPN Using authentication to define remote user VPN accessMonitoring Firebox Activity Starting Firebox Monitors and connecting to a FireboxServiceWatch Setting Firebox Monitors view propertiesBandwidth Meter StatusReportPacket counts Network configurationLog and notification hosts Blocked Sites listLogging options Authentication host informationMemory Load averageRoutes InterfacesInterface the Firebox uses for each destination address Blocked Sites list Authentication listARP table HostWatch display Replaying a log fileSelect File = Connect Select File = OpenControlling the HostWatch display Viewing authenticated usersViewing specific hosts Viewing specific portsAdd Modifying view propertiesHostWatch 102 Reviewing and Working with Log Files Setting LogViewer preferencesViewing files with LogViewer Starting LogViewer and opening a log fileCopying and exporting LogViewer data Searching for specific entriesDisplaying and hiding fields Consolidating logs from multiple locations Working with log filesCopying log files Setting log encryption keysForcing the rollover of log files From LiveSecurity Event ProcessorWorking with log files 108 Starting Historical Reports Generating Reports of Network ActivityCreating and editing reports Viewing the reports listCreating a new report Specifying report sectionsEditing an existing report Deleting a reportSpecifying a report time span Setting report propertiesConsolidating report sections Exporting reports to Html format Exporting reportsExporting a report to WebTrends for Firewalls and VPNs Enter the number of elements to rank in the tableExporting a report to a text file Using report filtersCreating a new filter Editing a filter Scheduling and running reportsDeleting a filter Applying a filterManually running a report Report sections and consolidated sectionsTime Summary Proxied Traffic Session Summary Packet FilteredHost Summary Proxied Traffic Proxy SummaryConsolidated Sections 118 Branch office virtual private network Part V WatchGuard Virtual Private NetworkingRemote user virtual private network 120 Configuration checklist Configuring Branch Office Virtual Private NetworkingHow does Dvcp work? Using Dvcp to connect to devicesBasic and Enhanced Dvcp Creating a tunnel to a Soho or SOHOtcSelect Network = Branch Office VPN = Basic Dvcp Editing a tunnel to a deviceTelecommuter IP Address Soho Private NetworkRemoving a tunnel to a device Branch office VPN with IPSecDefining a Firebox as an Enhanced Dvcp Client Select the tunnel policy. Click EditSelect Network = Branch Office VPN = IPSec Configuring a gatewayAdding a gateway Click GatewaysIncoming Settings for Outgoing checkbox Configuring a tunnel with manual securityUsing Encapsulated Security Protocol ESP Removing a gatewayUsing Authenticated Headers AH Configuring a tunnel with dynamic securityClick Key. Enter a passphrase. Click OK Click the Dynamic Security tabBlock Creating an IPSec policyBypass Dst Port field, enter the remote host portChanging IPSec policy order Configuring services for branch office VPN with IPSecSrc Port field, enter the local host port IncomingWatchGuard VPN configuration models Configuring WatchGuard VPNSetting up WatchGuard VPN Allow VPN access to any servicesChanging remote network entries Enable the Activate WatchGuard VPN checkboxPreventing IP spoofing with WatchGuard VPN Enter the encryption key. Click Make KeyVerifying successful WatchGuard VPN configuration Configuring incoming services to allow VPNRemote User Pptp Configuring the Firebox for Remote User VPNMobile User VPN Adding remote access users Configuring shared servers for RuvpnAdding a member to built-in Ruvpn user groups By individual service Configuring services to allow incoming RuvpnUsing the Any service Activating Remote User Pptp Configuring the Firebox for Remote User PptpEntering IP addresses for Remote User sessions Select Network = Remote User. Click the Pptp tabPurchasing a Mobile User VPN license Configuring the Firebox for Mobile User VPNRules for valid Remote User Pptp addresses Entering license keys Preparing Mobile User VPN configuration filesDefining a new mobile user Select Network = Remote User. Click the Mobile User VPN tabDistributing the software and configuration files Saving the configuration to a FireboxModifying an existing Mobile User VPN entry Select Network = Remote UserDebugging Mobile User VPN Configuring debugging optionsDebugging Remote User VPN Pptp Preparing the client computers Preparing a Host for Remote User VPNWindows 95/98 platform preparation Remote host operating systemClick the Identification tab Installing Dial-Up Adapter #2 VPN Support Installing Client for Microsoft NetworksWindows NT platform preparation Click Dial Out Only. Click Continue Setting up Ruvpn for WindowsAdding a domain name to a Windows NT workstation Select Computer BrowserInstalling a VPN adapter on Windows 95/98 Configuring the remote host for Ruvpn with PptpInitial Connection window that appears, click Yes Click Obtain an IP Address Automatically. Click OKInstalling a VPN adapter on Windows NT Using Remote User PptpStarting Remote User Pptp Running Remote User Pptp Enter the remote client username and passwordDouble-click the Ruvpn connection Click ConnectConfiguring debugging options 148 Index 150 User Guide 151 152 User Guide 153 154 User Guide 155 156 User Guide 157 158 User Guide 159 160