
I can't get through it. I need access from my internal network to a server with a public IP. I have a private network with a few VLANs, and I'm using a Watchguard M400 firewall. The server that I want to reach has only a public IP. I can ping it from my private network but nothing else. I have opened the required ports (20, 21, 22, 80 in my case) and was trying to add SNAT, but I think that SNAT works for the opposite case (accessing a private server from the public network).

Any hints? Best regards

Kai
  • Is this an external server you are trying to connect to, or is it also connected to your firewall? – Diamond Jan 15 '16 at 15:49
  • It's an external server somewhere on the Internet. It's not connected to my firewall. – Kai Jan 15 '16 at 16:46
  • Nobody has an idea? – Kai Jan 16 '16 at 16:34
  • Why would you need to open port 80 to an external server? This is something that should be open already if you are able to browse websites from your LAN. What kind of firewall policy do you have? All outgoing blocked by default? – Diamond Jan 16 '16 at 17:51
  • I had by default outgoing ssh, http, ftp, ftps etc., but it's not working in this case, and I have no idea why. I can't reach http on that server, while I can normally browse the internet. However, I can reach http on that server from my home, or from McDonald's for example, so that's why I'm pretty sure the problem is with my Watchguard. – Kai Jan 16 '16 at 20:16
  • Then most probably the target IP address or hostname is in your Watchguard block list. Check the auto-blocked sites list or any other block list you have in Watchguard. – Diamond Jan 16 '16 at 21:12
  • My Watchguard by default sets your FROM as External TO your SNAT. Watchguard says to create a LOOPBACK, which basically is FROM TRUSTED TO your SNAT; this is a second policy for the internal LAN and VLAN. You can test this by changing your PUBLIC Server FROM External to FROM ANY; then you can gain access. Here's the loopback info: http://www.watchguard.com/help/docs/fireware/11/en-US/index.html#en-US/nat/nat_loopback_c.html?Highlight=loopback – Murray W Feb 17 '16 at 20:00

1 Answer

If you have standard outgoing policies configured that allow ssh, http, ftp, ftps etc. from the internal LAN, then you don't need to create a new rule for a specific external host IP address. You also don't need to create a new SNAT rule for it.

From your description, it seems the target host may have got listed in Watchguard's block lists due to its Default Packet Handling options.

Check your firewall's Auto-Blocked Sites/Temporary Blocked Sites List and remove it if it is listed. Alternatively, manage the Blocked Sites List (Blocked Sites).

You can also try to disable packet handling temporarily to see if it works.

Diamond
  • I didn't think about blocked sites. But I tried to disable, for example, the ping policy, and I couldn't ping anything; that's pretty obvious. Later I plugged a laptop with a global IP into the external Internet, and I could ping it from the internal network, but couldn't log on by RDP for example, even though in my firewall I have RDP policies ANY-ANY ;/ – Kai Jan 16 '16 at 22:03
  • Please check all the relevant links I have posted and your firewall configuration. I don't know your firewall's config, so I can only guess. Honestly, you need to know the firewall, what it does and how it does it, and should take a little more time to understand its functions. – Diamond Jan 16 '16 at 22:14
  • I'll check those auto-blocking options on Monday. My firewall looks pretty basic. It has the default policies config + a few SNATs for my internal servers. Anyway, thanks for the hints :) – Kai Jan 16 '16 at 22:32
  • Nothing is blocked. If I turn off the HTTP policy, for example, I can't use my browser. But even with the HTTP policy turned on, I still can't reach the server's HTTP. – Kai Jan 18 '16 at 08:42
  • @Kai, did you try disabling packet handling? Also just add the IP to a whitelist, just to be sure. If that also doesn't work, then the remaining possibility is that the target server is blocking your IP for some reason. – Diamond Jan 18 '16 at 08:50
  • Yea, I added it to my whitelist and disabled the whole packet handling. I just noticed that my inner network gateway is x.x.x.158 while the server is x.x.x.138 (x.x.x means the same addresses), but that server's netmask is different from mine, and so is the broadcast. I think that might be the problem? The server's netmask starts with host address .129 and ends with broadcast .143, while my inner network's public IP is .158. – Kai Jan 18 '16 at 09:09
  • Didn't help. I noticed now that I get a CONNECTION REFUSED error, so I have a link, but something is blocking, and I doubt that's my firewall, because as you said, I can for example ping it. – Kai Jan 18 '16 at 11:59
  • Maybe the remote server is blocking your connection. What kind of server is it and who controls it? Why are you trying to connect to it? Your information is not enough and I would say confusing. – Diamond Jan 18 '16 at 12:23
  • It's a CentOS server; the owner of this server has FTP and HTTP there, which he needs to be accessible from the internal network so he can do his lessons with students. I have HTTP and FTP policies on my firewall with relations Any - to - Any, but it's not working. That server is accessible from the external network, but not from the internal one (the one behind the firewall). – Kai Jan 18 '16 at 12:31
  • It looks like this: INTERNAL NETWORK - WATCHGUARD - WORLD. By WORLD I mean everything with a public IP. – Kai Jan 18 '16 at 12:32
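The thread turns on the difference between "I can ping it", "CONNECTION REFUSED" and a silent hang: a refusal means a TCP RST came back, so the SYN crossed the firewall and something at or near the server rejected it, whereas a firewall policy denial usually drops the SYN and the client only sees a timeout. The following probe classifies each of the ports mentioned in the question that way; it is an added example, not code from the thread or from WatchGuard, and the target address in the `__main__` block is a documentation placeholder.

```python
import socket
from dataclasses import dataclass


@dataclass
class ProbeResult:
    port: int
    state: str    # "open", "refused", "filtered" or "unreachable"
    detail: str


def probe_port(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Attempt one TCP handshake and classify the outcome."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return ProbeResult(port, "open", "SYN/ACK received, handshake completed")
    except ConnectionRefusedError:
        # A RST came back: the path exists, and the block sits on the peer
        # (host firewall, nothing listening) or on a device that rejects.
        return ProbeResult(port, "refused", "RST received from the peer or a rejecting device")
    except socket.timeout:
        # No answer at all: the SYN was dropped somewhere on the path, which is
        # what a silently denying firewall policy normally looks like.
        return ProbeResult(port, "filtered", f"no answer within {timeout}s, SYN dropped")
    except OSError as exc:
        return ProbeResult(port, "unreachable", str(exc))
    finally:
        s.close()


def probe_ports(host, ports, timeout=3.0):
    return {p: probe_port(host, p, timeout) for p in ports}


def diagnose(results):
    """Map the set of per-port states to the next troubleshooting step."""
    states = {r.state for r in results.values()}
    if states <= {"open"}:
        return "all ports reachable; the firewall is not the problem"
    if "refused" in states:
        return ("TCP RSTs are coming back, so packets traverse the firewall; "
                "look at the server's own firewall, service bindings or a reject rule")
    if states <= {"filtered"}:
        return ("every SYN is silently dropped; check the outbound policy, "
                "blocked-sites list and NAT loopback on the firewall")
    return "mixed results; compare per-port states against the policy list"


def open_local_listener():
    """Constructed fixture: a listening socket on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    results = probe_ports("192.0.2.138", [20, 21, 22, 80])  # placeholder target
    for port, res in results.items():
        print(f"{port}: {res.state} ({res.detail})")
    print(diagnose(results))
```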