0

I have a few external IP addresses, but I want to use one and NAT different PCs to it.

That's how it should look.

123.123.123.123 is my IP, and I want to have 3 PCs on it on different ports, for example 3111, 3112, 3113.

I know how to NAT internal ports, but I have no clue how to set it up so that I can connect to that IP with RDP on those ports.

123.123.123.123:3111 -> 10.10.10.101
123.123.123.123:3112 -> 10.10.10.102
123.123.123.123:3113 -> 10.10.10.103

Any ideas? I think it might be something with SNAT (but there is no port to set on the external IP), or something with policies?

Sorry for that mess in my message, I hope you can understand me anyway.

Best regards

Diamond
Kai
    This question is being voted for closure because the author does not show a level of technical understanding or appropriate due diligence in researching the topic that the community judges as being a minimum barrier to participate. – Wesley Dec 22 '15 at 18:43

2 Answers

4

SNAT on WatchGuard is actually split into two parts to make it simpler to use. However, this causes problems with understanding the setup for users who are used to working with solutions that handle SNAT in one single step.

The first step is SNAT actions. They ONLY define the different possible combinations of external-to-internal IP address translation and the internal port you would want to translate to. This is just a list of possibilities you set up, like Aliases. None of them is active until you use it in a firewall rule.

For RDP connections, you would set up SNAT actions like these:

Name: Ext_123-RDP_101
SNAT Members: 123.123.123.123 -> 10.10.10.101:3389 

Name: Ext_123-RDP_102
SNAT Members: 123.123.123.123 -> 10.10.10.102:3389 

Name: Ext_123-RDP_103
SNAT Members: 123.123.123.123 -> 10.10.10.103:3389 

So that is the translation part. Next you need to set up firewall rules. Since it is never smart to leave open RDP ports, I would use authenticated users (authenticating them over https://firewall_IP:4100) that belong to a group 'Allow-RDP'.

You will need 3 rules that will use the SNAT actions you have already defined. Since there is no standard service for ports 3111-311x, you will create a custom template called SNAT-RDP, add a TCP port range 3111-3113, and then create the 3 new firewall rules based on this template.

Name the new rules something like 'RDP-IN-101', 'RDP-IN-102' and 'RDP-IN-103'.

'RDP-IN-101':
In the FROM: field put the authenticated users name (if it is for the access to his own PC) 
       or the 'Allow-RDP' groupname (if it is for the access to a shared computer).
In the TO: field put the Ext_123-RDP_101 SNAT Action

'RDP-IN-102':
In the FROM: field put the authenticated users name (if it is for the access to his own PC) 
       or the 'Allow-RDP' groupname (if it is for the access to a shared computer).
In the TO: field put the Ext_123-RDP_102 SNAT Action

'RDP-IN-103':
In the FROM: field put the authenticated users name (if it is for the access to his own PC) 
       or the 'Allow-RDP' groupname (if it is for the access to a shared computer).
In the TO: field put the Ext_123-RDP_103 SNAT Action

To have some control over what is happening, you should also turn on logging for these rules.

But that's it. Upload to the FB and enjoy.

In this case, the SNAT action is not really a simplification. But if you have some more general SNAT, e.g. for some server, you would need just one 'reusable' SNAT action for all the rules that connect from one external IP address to that server. When port translation also joins the game, the SNAT action is not 'reusable', so you can't see the benefit of it.

B.Z.
  • I did it, thanks for the advice, but it's working from my internal network, and from external it's not. So I can connect from my network when I have an IP from 10.10.X.X; I can connect to 10.10.10.101 or 123.123.123.123:3111 for example, but when I try from a different network (from my house for example) I can't reach that 123.123.123.123:3111. Any ideas? I think WG is still blocking something :( Best regards. – Kai Jan 07 '16 at 16:41
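As an added illustration (my own Python model, not WatchGuard code and not part of the answer above), the following reproduces the two-part logic the answer describes: SNAT actions are only a translation list, and a rule activates one by naming it in its TO: field and restricting FROM: to authenticated users or the 'Allow-RDP' group. The user names alice/bob/carol, the unused fourth action for 10.10.10.104, and binding each rule to a single external port (rules are evaluated top-down, so each mapping needs its own port) are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SnatAction:
    """One entry of the SNAT action list: a translation that does nothing
    on its own until a firewall rule refers to it in its TO: field."""
    name: str
    external_ip: str
    internal_ip: str
    internal_port: int

@dataclass(frozen=True)
class Rule:
    """A firewall rule: FROM users/groups, service port(s), TO a SNAT action.
    'log' is the per-rule logging the answer recommends turning on."""
    name: str
    allowed_from: frozenset   # user or group names, as in the FROM: field
    ports: range              # TCP destination ports of the custom service
    to: SnatAction
    log: bool = True

# Constructed from the answer's names; the single port per rule and the
# unused 104 action are assumptions made for this example.
ACTIONS = {
    "Ext_123-RDP_101": SnatAction("Ext_123-RDP_101", "123.123.123.123", "10.10.10.101", 3389),
    "Ext_123-RDP_102": SnatAction("Ext_123-RDP_102", "123.123.123.123", "10.10.10.102", 3389),
    "Ext_123-RDP_103": SnatAction("Ext_123-RDP_103", "123.123.123.123", "10.10.10.103", 3389),
    "Ext_123-RDP_104": SnatAction("Ext_123-RDP_104", "123.123.123.123", "10.10.10.104", 3389),
}
RULES = [
    Rule("RDP-IN-101", frozenset({"alice"}), range(3111, 3112), ACTIONS["Ext_123-RDP_101"]),
    Rule("RDP-IN-102", frozenset({"bob"}), range(3112, 3113), ACTIONS["Ext_123-RDP_102"]),
    Rule("RDP-IN-103", frozenset({"Allow-RDP"}), range(3113, 3114), ACTIONS["Ext_123-RDP_103"]),
]

def resolve(rules, identities, dst_ip, dst_port):
    """Walk the rules top-down as the firewall does. identities is the set of
    names the client authenticated as (user plus groups). Returns
    (rule name, internal ip, internal port) or None when the packet is dropped."""
    for r in rules:
        if (dst_ip == r.to.external_ip and dst_port in r.ports
                and not r.allowed_from.isdisjoint(identities)):
            return (r.name, r.to.internal_ip, r.to.internal_port)
    return None   # no rule activates a SNAT action for this destination

def unused_actions(actions, rules):
    """Config check: SNAT actions that no rule references and are therefore inactive."""
    used = {r.to.name for r in rules}
    return sorted(n for n in actions if n not in used)
```

An unauthenticated client hits no rule even though the translation exists, which is the behaviour the answer relies on to keep the RDP ports from being openly reachable.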
1

If I understand you correctly, you need to do the following if you want to reach those internal servers with RDP:

123.123.123.123:3111 -> 10.10.10.101:3389
123.123.123.123:3112 -> 10.10.10.102:3389
123.123.123.123:3113 -> 10.10.10.103:3389

RDP uses TCP/UDP port 3389, and you can achieve this by doing NAT with port forwarding in Watchguard. Read this: https://en.wikipedia.org/wiki/Remote_Desktop_Protocol

See instructions here:

Configure Static NAT

How do I configure port forwarding on a Watchguard XTM 2?

Diamond