1-to-1 NAT x1000

[sillyVM]

Can anyone tell me how do I do a 1-to-1 NAT with X1000?
Currently I have my 192.168.1.0/24 class C NAT to external interface with has an range of class C public IP. So when I hit outside, it will show up as my first IP address as in my class C pub IP. Lets say if I want to NAT my host 192.168.1.173 to a specific IP address, how do I do that? Thank you.

 

[sillyVM]

I used this article but it didn't work. It still nat to my firebox IP addres (dynamic nat)

Setting up 1:1 NAT
Now that we know what 1:1 NAT is and what it’s good for, let’s set up a public Web server. Assume that we’ve created a DNS entry that binds

http://www.121nat.com

to the public IP address 207.29.194.204, which we are going to represent as our external IP address for 1:1 NAT. In reality, this Web server is connected to the Optional interface of our Firebox, listening for HTTP requests sent to the private IP address 10.10.10.4.

From the Policy Manager’s Menu Bar, choose Setup, then NAT… Click on the Advanced… button in the NAT Setup window. (If Enable Dynamic NAT is checked, leave this setting alone, since it is the default NAT policy for all hosts behind your firewall.) From the 1-to-1 NAT Setup Tab, select Enable 1-to-1 NAT, then choose Edit… Select External as the interface, then select the number of servers you want to NAT. To keep this example simple, we’ll NAT one server on our trusted network. The server’s private address, 10.10.10.4, is the Real Base. An unused public IP address, 207.29.194.204, is the NAT Base.

Your 1:1 NAT is now established, but you must still create an exception policy to your default Dynamic NAT. If you don't, when the outside world sends packets to 207.29.194.204 (the public-facing 1:1 NAT IP you've just set up), your Firebox will dutifully perform Dynamic NAT (since that’s the default policy), and your server's responses will say they come from your Firebox's IP address. This bad practice can create undesired results. But using the Firebox's Dynamic NAT Exceptions feature, you can allow your server to show its 1:1 NAT IP, instead of the Firebox's external IP. Here's how to do it. From the Dynamic NAT Exceptions tab, choose Add… then add an exception from 10.10.10.4 to external.

Your 1:1 NAT is now configured to map all inbound connect requests to this server. Since 10.10.10.4 is a Web server, you would configure your Firebox to further restrict server access to Web only: for our purposes, we’ll add Filtered-HTTP (80) and HTTPS (443) services. For both services, enable and allow incoming traffic received on the public IP address 207.29.194.204. If your server must communicate with other public servers, you must enable and allow outgoing traffic from this server. Enable logging. Reboot your Firebox and test your configuration.

 

[unclerico]

were you able to get your problem solved?? If not, what version of fireware are you using??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[sillyVM]

Thank UncleRico for replying, I couldn't access this website yesterday.
But I am running WFS 7.4

Current UTC time (GMT): Thu Nov 15 17:15:14 2007

+----- Time Statistics (in GMT) ----------------------
| Statistics from Thu Nov 15 17:15:09 2007 to Thu Nov 15 17:15:14 2007
| Up since Tue Nov 13 20:50:09 2007 (1 day, 20:25)
| Last network change Tue Nov 13 20:50:07 2007
+-----------------------------------------------------

WatchGuard, Copyright (C) 1996-2005 WGTI
Firebox Release: ares
Driver version: 7.4.B1849
Daemon version: 7.4.B1849
Sys_B Version: 7.1.B1405
BIOS Version: 3ffa79aaf0e040ee4d58706abee5a76d Sicily

Serial Number:
Product Type: Firebox X1000
Product Options:

 

[unclerico]

You don't by chance have the ability to upgrade to 9.0/9.1 do you?? If so I would definitely upgrade because the newer version works so much better and I can almost guarantee that this issue will be solved by that.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[sillyVM]

Okay, will do and test it. Thanks.

 

[sillyVM]

How do I upgrade the firmware version to 9.0/9.1?

 

[sillyVM]

Is Fireware 9.1 better than WFS 7.3? Do we have to purchase it?

 

[unclerico]

yes, Fireware 9.1 is the newest version and you may need to purchase it, it just depends on your service contract.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[sillyVM]

Don't have it, anywhere I can get the latest watchguard WSM software for free?