Configuring a Watchguard Firebox III/700
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Configuring a Watchguard Firebox III/700

  1. #1
    Senior Member Blunted One's Avatar
    Join Date
    Dec 2005
    Posts
    183

    Question Configuring a Watchguard Firebox III/700

    Good day to all and I hope this will end in a good day for me as well.

    I am faced with a dilema that I cannot seem to work through. We currently have a Watchguard Firebox III at my place of work and it has been giving me a lot of trouble trying to configure it correctly for outside users to access data we have on our server.

    Here is my issue....

    I work for a game/design company and we have recently partnered up with two other companies to make an up and coming game. To do this we need to share the data and program we have on one of our servers. According to the Perforce company this is supposed to be something that is fairly easy. But I must say that it is easier said than done. I have all the necessary IPs and have been trying a trial and error method to try and open a hole from our company to theirs. So far I have had no luck in my attempts and now that time is begining to wear thin I am looking for a little assistance. I cannot seem to open our firewall to allow these two companies to connect to the server and share/work on the data for our new game. Most emails I get from these two companies say they are getting a response from the IP (mind you I am trying to use NAT to translate to our internal server IP), but that their connection gets refused at some point before they can access the data/program on our server and it seems to be refused at the firewall. If anyone has any idea on what I may be doing wrong or if you know of someplace with a walkthrough on how to make sure I am doing this correctly I would be extremely greatful. Anyone who might know where I can find my answer or might be able to get help would be very helpful. Thank you to anyone who can shed some light on this issue or help me correct the improper configuration I am using. I just can't for the life of me get these two outside companies through our firewall to gain access to use and share our data. If you need any more information just ask and I will be happy to provide it if you think you have an idea of how to fix this. Thank you.

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    A little more info might help (eventhough I know nothing about Watchguard Firebox III). How are you trying to let them in? Are you trying to configure a VPN or just poking a hole in the firewall (not a good idea by the way). If it's a VPN what clients are you using? What ports are these people trying to come in on?

    Cheers:
    DjM

  3. #3
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    Allright, this one should be fairly easy - how are you trying to let the partner companies in? Are you setting up an IPSEC tunnel between you and the others, are you allowing users from the companies to create a PPTP tunnel through, or are you just simply trying to open up specific ports on the firewall?

    The absolute simplest way to do this is to create user accounts for the companies, set them up as PPTP users, and create a passthrough rule something similar to the following: PPTP User A, once authenticated to the Firebox is allowed complete access to the IP address of your file server. On their end, they simply set up a new VPN connection, use the external address of your Firebox and input the username/password combination that you assign to them and they should have access...
    - Maverick

  4. #4
    Senior Member Blunted One's Avatar
    Join Date
    Dec 2005
    Posts
    183
    I have attempted to set up a NAT that is supposed to translate into our internal IP on a specific port on our server. So when they use Perforce to connect to this NAT it should take them to the specific server and specific port. I believe that in my trial and error methods I have mainly been trying to just get a hole through the firewall, but I do agree it is not a good idea and setting up a VPN would be better. If I need to set up a VPN a little help/instruction would do me a lot of good as I am a novice when it comes to firewalls, but I understand them more than the programmers in this office. The port for the Perforce program is 1999 so it shouldn't have any conflicting problems. I am not sure what you mean by the clients I am using. But it is a direct connection from a few computers at these two companies from there Perforce program on their client machines through our firewall and to the 1999 port on our Perforce server. If you need more info just ask and I will do my best to answer them for you.
    It's not a war on drugs it's a war against personal freedoms!

  5. #5
    Senior Member Blunted One's Avatar
    Join Date
    Dec 2005
    Posts
    183
    I just got some information from the boss that he wants these two companies to only be able to access the Perforce port on the server and not to have full access to all our network. Based on what I just got told I would assume we want to just open up a port from their end to ours and not let them do much beyond that. Does anyone have an idea on the best way to set this up? Perhaps I have done something wrong with our NAT or possibly the server to allow this sharing of information to happen only within our Perforce program and data pertaining to it. I am open to try anything as the VPN option is too loose in terms of security. We don't want them to see all our cards just the data that is relevant to this project. Thanks again for any help.
    It's not a war on drugs it's a war against personal freedoms!

  6. #6
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    Here's a quick way to create VPN access for your partner companies - I'm hoping that the set up screens on your FBIII are similar to the ones I'm used to.

    From Remote User Setup, PPTP setup tab - you'll have to define what IP addresses VPN clients (users from your partner companies) will be assigned once they have created a tunnel through your Firebox. Once you have defined those addresses, go into your Authentication Servers, Firebox User Tab - add two users, ie CompanyA and CompanyB and their associated passwords. Once that's completed, create a new 'Any' service - Incoming tab rules should be defined as follows - Firebox users CompanyA & CompanyB are allowed to host address XXX.XXX.XXX.XXX (IP address of your Perforce server). Save all those changes to the Firebox.

    Your partner companies simply need to create a new VPN connection on their PCs - it's simple in Windows (Start - Settings - Network Connections - New Connection Wizard). I'm not extremely familiar with *nix based VPN connections, so someone with some experience in that area should be able to help you there. Give the username/password information to your clients, have them setup their connections...
    - Maverick

  7. #7
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    Originally posted here by Blunted One
    I just got some information from the boss that he wants these two companies to only be able to access the Perforce port on the server and not to have full access to all our network. Based on what I just got told I would assume we want to just open up a port from their end to ours and not let them do much beyond that. Does anyone have an idea on the best way to set this up? Perhaps I have done something wrong with our NAT or possibly the server to allow this sharing of information to happen only within our Perforce program and data pertaining to it. I am open to try anything as the VPN option is too loose in terms of security. We don't want them to see all our cards just the data that is relevant to this project. Thanks again for any help.

    If you setup your connection like I just posted, you will effectively limit those VPN users to just being able to access the one server you have defined.
    - Maverick

  8. #8
    Senior Member Blunted One's Avatar
    Join Date
    Dec 2005
    Posts
    183
    Thank you for the help and that seems to work except for one thing that I cannot connect to the right server. It seems the NAT I have set up only works on a single IP address, but the other address I set up to do NAT doesn't connect (which is the server where Perforce is). Do I need to change the NAT so I can connect to the Perforce server or does it matter? Thanks so far this has been very helpful.
    It's not a war on drugs it's a war against personal freedoms!

  9. #9
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    Originally posted here by Blunted One
    Thank you for the help and that seems to work except for one thing that I cannot connect to the right server. It seems the NAT I have set up only works on a single IP address, but the other address I set up to do NAT doesn't connect (which is the server where Perforce is). Do I need to change the NAT so I can connect to the Perforce server or does it matter? Thanks so far this has been very helpful.

    You don't have to set anything up as far as NAT - the VPN service that you add on the Firebox will take care of allowing access from the outside, through the VPN tunnel, to your internal server...
    - Maverick

  10. #10
    Senior Member Blunted One's Avatar
    Join Date
    Dec 2005
    Posts
    183
    How can I limit the access of the company A and B when they log into our network over the VPN? I noticed they can access our shared files and folders of anyone who is sharing information in our network. Do I need to change something in the security tab of the user accounts for company A and B? What is the best way to keep their ability to just being able to use Perforce and not manuver around the network at will?
    It's not a war on drugs it's a war against personal freedoms!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides