
It looks like my problem is common. I tried every single hint I found, but nothing is working.

Here is my problem.

I have an internal network behind a Watchguard M400, with a few VLANs on ports.

I need access from my internal network (addresses 10.10.x.x 10.20.x.x 10.35.x.x) to a server with public IP.

I have access to that server from other networks, so it's 100% sure that my WG is blocking something.

I made a few policies similar to PING (the basic one) that allow, or rather should allow, ports 20, 21, 22, 80 and 3389 to flow from my internal network to external.

I did From 'trusted' and 'optional', and for To I used 'any', but no results.

I tried also NAT 1-to-1: I used some unused IP from my private network and assigned it to the server's public IP 217.x.x.x, but also no results.

Any ideas?

Best regards.

Kai
  • Hello, thanks for the answer. That server has only 1 network card with a public IP, nothing else. But I could make in my WG a private IP for it, and then NAT it + in my internal DNS point to that private IP? For example: set a private IP in my network 10.10.x.x, make a NAT 1-to-1 with 10.10.x.x <-> 217.x.x.x, and in my DNS add a record for 10.10.x.x? I'm not sure if I'm understanding correctly. I guess not. – Kai Jan 11 '16 at 20:37
  • I'm not sure if you read my post, so I will write it again: That server has only 1 network card with public IP 217.x.x.x. So I have to add in my WG some private address, for example 10.10.x.x, then make a NAT 1-to-1, 217.x.x.x <-> 10.10.x.x, add some policies inbound/outbound (do I have to? 1-to-1 NAT should be enough?), and then add a record in my internal DNS? I don't have access to the DNS which that 217.x.x.x server uses. – Kai Jan 11 '16 at 21:09
  • I did this. Created 1-to-1 NAT, and set private IP <-> public IP. Plus, on my firewall I have policies with those ports, opened as from optional/trusted to ANY. But it's not working ;/ – Kai Jan 11 '16 at 22:19
  • I did 1-to-1 NAT. And btw, is it even possible to make this without setting a private IP? I thought the only thing I needed was to make a policy where for FROM I set my internal network and for TO that public IP. I can ping that public IP from my local network but ssh or ftp is not working at all :/ – Kai Jan 11 '16 at 22:28
  • Okay, here's how an FTP rule is set up in our WG.... In the `Policy Manager` | `Incoming FTP proxy` | Policy Tab: `From: Any-External` --> `To: Incoming FTP-Proxy.1.snat (Static NAT)` | Properties Tab: `TCP port 21` | Advanced Tab: `1-to-1 NAT is CHECKED, dynamic NAT is checked, and Use Network NAT settings is checked.` – Pimp Juice IT Jan 11 '16 at 22:33
  • Yeap, ICMP is not on the same port, but I added a policy similar to the default ping just with other ports (TCP 21, 22), but not working. – Kai Jan 11 '16 at 22:40
  • The WG machine got taken from me, but as I had it, it appears we have a single 1-to-1 NAT from 1 public to 1 private router IP configured in the 1-to-1 NAT @ the network settings level, & the Dynamic NAT tab has our private IP ranges in there. In the actual filters or proxies for rules where we need to bring traffic from a particular public IP address, above is where we configure the SNAT for the ports in those rules. The server itself & any FW at that level would need to allow internal IP address traffic into it as well; if the FW routes it over then something else may be blocking; routers too. – Pimp Juice IT Jan 11 '16 at 22:48
  • So to recap here: The server would have an internal IP address assigned to the NIC, its firewall would allow the traffic from the FW and from the internal network on the needed ports into it, any routers in between would also allow this traffic, the proxy or filter rules would use the static NAT to bring external traffic to the internal server IP address on a particular port, and internally, you'd connect to the private IP address or DNS name only and not the public IP address on the internal network. That's what I gathered, so I hope you find it somewhat helpful, if at all. – Pimp Juice IT Jan 11 '16 at 22:53
  • Another problem. I can't touch that server. It has only a public IP and that's all. – Kai Jan 12 '16 at 07:17
  • If you've tried all you could, it may be time to call WG support and open a ticket for them to advise how you'd best go about getting that completed in your configuration. That's how we handle a lot of that sort of traffic, but see if there's something about NAT loopback, as that may do the trick. I've heard about it but I'm not real familiar with it or the WG configuration, but how I explained above is how we've typically handled those scenarios. Look into WG NAT Loopback for your model WG device. Maybe that's the solution? I may have the term confused with something I am familiar with as well. – Pimp Juice IT Jan 12 '16 at 07:22
  • I will try, but basically "NAT loopback allows a user on the trusted or optional networks to connect to a public server with its public IP address or domain name if the server is on the same physical Firebox or XTM device interface." And that server is in the 'internet' and I want to connect to it while I'm behind the WG, so it's not on the same physical WG ;/ – Kai Jan 12 '16 at 07:31
  • It didn't help. I made a few SNATs, normal policies etc. And btw, I think that SNAT allows connecting from the public network to a private network server, not the other way? Because I need to go from the private network, through the firewall, and reach the public IP server. I can ping it but nothing more. So: private network -> watchguard m400 -> public ip server. – Kai Jan 15 '16 at 11:39
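The thread keeps coming back to one observation: ICMP reaches the public server but TCP on the policy's ports does not. A small probe that records *how* each TCP connect fails (silent timeout versus an RST or ICMP unreachable) separates "the firewall drops it" from "the path is fine but nothing listens". This is an added diagnostic written for this thread, not code from the question or from WatchGuard; the port list is the one in the question, and the target host is whatever you pass in.

```python
import errno
import socket
from typing import Dict, Iterable

# The ports the question's policies are meant to allow, from the thread.
PORTS = (20, 21, 22, 80, 3389)


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Try one TCP connect and classify what came back.

    'open'        SYN/ACK: the path allows it and a service answers
    'refused'     RST: packets reach the host, nothing listens on that port
    'timeout'     silence: the usual signature of a policy that drops
    'unreachable' ICMP unreachable or no route from this side
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            return "error"


def probe_ports(host: str, ports: Iterable[int] = PORTS, timeout: float = 3.0) -> Dict[int, str]:
    """Probe every port in the policy and return port -> classification."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


def diagnose(results: Dict[int, str]) -> str:
    """Reduce per-port results to the question the thread is circling."""
    states = set(results.values())
    if states == {"timeout"}:
        return "all ports time out: traffic is dropped on the path (check outbound policy / NAT)"
    if "open" in states:
        return "some ports connect: path is allowed; the rest is a service or per-port policy issue"
    if states <= {"refused", "unreachable", "error"}:
        return "host answers with resets/unreachables: path is not dropping; check the service"
    return "mixed results: compare the timing-out ports against the policy's port list"


if __name__ == "__main__":
    import sys
    res = probe_ports(sys.argv[1])
    for port, state in res.items():
        print(f"tcp/{port}: {state}")
    print(diagnose(res))
```

Run it from a host on one of the internal VLANs and again from a network where the server is known to work; if the internal run shows timeouts on every port while ping succeeds, the ICMP policy is matching and the TCP policy is not.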

0 Answers