HELP - Problem Troubleshooting Connection to Private Web Server from External Network

Hi Everyone.
I'm new to the forum, so I hope I've come to the right place to seek help.
I have a Watchguard XTM 515 in a test lab. It's been reset.
I've set up an inbound http-proxy with SNAT, so I can connect a PC on the external network to an IIS web server on the Optional network. Everything is configured as per the technical material, but I cannot access the web server.
The Firebox traffic monitor shows the inbound connection is Allowed. I ran a Wireshark packet capture at the PC and the web server and noticed SYN,ACK retransmissions at the web server interface, but after many hours I cannot find the problem. The link contains a schematic of the architecture and a screenshot of the configuration.
I have since discovered I cannot browse the Internet from a device on the internal interface, neither can I ping the external interface or Internet router. I can ping the interfaces from inside the firewall.
If anyone can offer help I would be grateful.
https://1drv.ms/b/s!Apq0JsRgrJX6lHUMFNXT2QxrDNyh?e=1kueKG

Comments

  • Have you added the Feature Key to your firewall ?

  • edited April 2020

    I factory reset the Watchguard XTM 5 and tried browsing out to the Internet, but nothing. I tried pinging the gateway router, nothing, so I then tried pinging the external interface card, but nothing. I set logging to show ping and Dynamic traffic, and nothing.

    Yes, it appears it found the Feature Key itself.

  • Look at the Feature Key in your config.
    Summary should show Model, Serial Number, Software Edition & Signature all filled in. If not, then your firewall does not have an imported feature key.
    Web UI -> System

    Check the Web UI -> System Status -> ARP table. Look for an entry for 192.168.1.233

    You can turn on Logging (Send a log message) on the default Outgoing policy to see packets allowed by it in Traffic Monitor.

  • Did you modify or delete any of the 3 default Dynamic NAT entries?
    Network -> NAT -> Dynamic NAT

  • It looks like port 0 is only a 10/100 interface. Make sure that this is not an issue for your connection to the Internet router (switch?) port.

  • Hi Bruce, thank you for your suggestions. I have taken all of them and created a simpler test where I factory reset the firewall, then try to browse a website on the external network from a PC on the trusted network. The default outgoing policy should allow this, but it's not working. I then try pinging various interfaces, enabling logging and capturing activity in the Watchguard Traffic Monitor to see if I can discover the cause of the problem. Unfortunately, this problem is beyond my ability to diagnose. The link shows the architecture, tests and results. It would be wonderful if you or any other smart firewall engineer could offer a solution. Thanks in advance.
    https://1drv.ms/b/s!Apq0JsRgrJX6lHbIi3lIBr-C4ej1?e=cZwF1Z

  • Most puzzling.

    You can do packet captures on a firewall interface using TCP DUMP.
    It looks like this feature is not available in the Web UI in V11.9.1.
    You would need to download WSM System Manager and use WSM Firebox System Manager to do the TCP DUMP on a specific interface.

    Look at the TCP DUMP section here:
    Run Diagnostic Tasks to Learn More About Log Messages
    https://www.watchguard.com/help/docs/wsm/XTM_11/en-US/index.html#en-US/fsm/log_message_learn_more_wsm.html?TocPath=Monitor%20Your%20Device|Use%20Firebox%20System%20Manager%20(FSM)|_____4

  • The oldest version of WSM that I noticed for downloads is here:
    http://cdn.watchguard.com/SoftwareCenter/Files/WSM/11_12_4/WSM11_12_4.exe
    This version should be able to manage and access V11.9.1.

  • Hi Bruce, I will try to do that later today. In the meantime I just received a Watchguard XTM 330 11.10.10.2 from eBay. I factory reset it. Set up the external interface to be part of my home network and set the gateway address to my Internet router. I tried browsing Google from a PC on the trusted network and got exactly the same results as for the XTM 5. I'm completely stuck. I have an XTM 2 arriving tomorrow and I bet I will get the same result.

    Although it says services expired, it looks like all the essential services are available and only the advanced services need a new license.

  • edited April 2020

    Make sure that you have a link light on your firewall external interface and on the ISP router port.
    Some firewall models have auto MDIX ports and some don't and thus require the correct Ethernet cable type - straight through or cross-over.

    Normally one uses a cross-over cable from the firewall to an ISP device port.

  • Have you registered your newly acquired firewalls with Watchguard?
    You should do so if the firewall model is not End of Life.

    An XTM 330 goes EoL on 07 Sep 2020
    An XTM 515 goes EoL on 31 Dec 2020
    XTM 21-23 went EoL on 30 Jun 2017
    An XTM 25 & 26 go EoL on 01 Jul 2021
    https://www.watchguard.com/wgrd-resource-center/end-of-life-policy

    This way you can get a good feature key, and sometimes it is a limited time feature key which allows one to upgrade to the newest version of the XTM software for the unit.

  • Hi Bruce, there is a switch between the external interface and my internet router. The link lights are on and I can ping google.com using the Watchguard diagnostics ping tool. So, that interface is operational.

    I discovered something very odd. I enabled Interface2, trusted, 10.0.2.1 to see if I could ping Interface1, trusted, 10.0.1.1. What I discovered is Interface1 cannot ping Interface2, but Interface2 can ping Interface1. I also discovered I can browse the Internet from Interface2. They both look to be set up the same. So, on both firewalls after a factory reset you cannot ping or browse the Internet from Interface1, which is set to 10.0.1.1, but you can browse the Web UI.

    The ARP table has entries for all interfaces. I have WSM 11.12.4 running, but couldn't find TCP dump. As Interface1 is the default for managing the Watchguard, is there a setting to prevent external connectivity?

  • Tomorrow I will look closely at the two PCs connected to the interfaces.

  • Hi Bruce, problem sorted. When I put a different PC on Interface1 it worked. The problem was the adaptor on the PC. I ran the Windows troubleshooter and it corrected a problem that was reported as invalid address. I don't know what that meant, because the PC was receiving its IP address from the DHCP server on the firewall. I look back at how I approached the testing and assumed the problem was the firewall, as it was an unknown device. The PCs used were new builds and trusted. The problem was only identified after trying to get two PCs to ping each other on the trusted LAN to eliminate elements of the firewall. One PC didn't respond to the ping, but could ping its gateway, the firewall. My test approach was to eliminate all problems at the interfaces first using ping and Wireshark packet capture. I assumed the ping problem was caused by the firewall and not the PC adaptor. Next time I need to ensure the PC adaptors are working correctly. A lesson learned from this exercise.

    Thank you for your contribution, and maybe there's something you can learn from this as well.
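The lesson in the post above, checking the host before blaming the firewall, can be turned into a repeatable test ladder. The following script is an added example written for this thread, not code from the original posts or from WatchGuard: it verifies, in order, that the PC's own address is usable, that the default gateway (the firewall's trusted interface, 10.0.1.1 on the page) answers ping, that an external address answers ping, that a hostname resolves, and that a TCP connection to port 80 succeeds, then reports the first stage that fails. The link-local check is an assumption about what Windows' "invalid address" message meant: when DHCP fails, Windows falls back to a 169.254.0.0/16 (APIPA) address, which would explain a PC that cannot reach anything beyond its own adapter. The external address and hostname are parameters you supply; the helper names are hypothetical.

```python
"""Staged connectivity check: rule out the host and the LAN before the firewall.

Added example for this thread (not the original poster's or WatchGuard's code).
Stages are ordered from the PC outward; the first failure points at the layer
to investigate, which is what the manual ping/Wireshark approach in the thread
was doing by hand.
"""
import ipaddress
import platform
import socket
import subprocess
from typing import Dict, Optional, Tuple

# Ordered from the host outward. A stage is only meaningful if the ones before it pass.
STAGES = ("local_address", "gateway", "external_ip", "dns", "http")

# Where to look when a given stage is the first to fail (defender-side hints only).
HINTS = {
    "local_address": "host adapter has no usable address (link-local/APIPA, loopback or "
                     "unspecified): fix the PC adapter or DHCP lease before touching the firewall",
    "gateway": "default gateway does not answer: check link lights, cable type, the ARP table "
               "on both sides and the PC adapter; the firewall policies are not yet implicated",
    "external_ip": "gateway answers but nothing beyond it: check the firewall external interface, "
                   "the default Dynamic NAT entries and the Outgoing policy (enable logging on it)",
    "dns": "IP connectivity works but names do not resolve: check DNS servers handed out by DHCP "
           "and the DNS policy on the firewall",
    "http": "name resolves but TCP/80 fails: check the HTTP/Outgoing proxy policy and the server",
}


def is_usable_address(ip: str) -> bool:
    """True if the adapter address could actually talk to a gateway.

    169.254.0.0/16 is the APIPA range Windows assigns when DHCP fails (assumed to be the
    'invalid address' the troubleshooter reported); link-local IPv6, loopback and 0.0.0.0
    are equally useless for routed traffic.
    """
    addr = ipaddress.ip_address(ip)
    return not (addr.is_link_local or addr.is_loopback or addr.is_unspecified)


def first_failure(results: Dict[str, bool]) -> Optional[str]:
    """Return the outermost-reached stage that failed, or None when every stage passed."""
    for stage in STAGES:
        if not results.get(stage, False):
            return stage
    return None


def diagnosis(results: Dict[str, bool]) -> str:
    """Human-readable verdict for a set of stage results."""
    stage = first_failure(results)
    return "all stages passed" if stage is None else f"{stage}: {HINTS[stage]}"


def ping(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the OS ping tool (-n on Windows, -c elsewhere)."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        proc = subprocess.run(["ping", count_flag, "1", host], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 3)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def resolves(name: str) -> bool:
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False


def tcp_connect(host: str, port: int = 80, timeout_s: float = 3.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def run_live(local_ip: str, gateway: str, external_ip: str,
             hostname: str) -> Tuple[Dict[str, bool], str]:
    """Run the ladder against the real network and return (results, diagnosis).

    local_ip: the PC adapter's current address (e.g. from ipconfig);
    gateway: the firewall trusted interface (10.0.1.1 in the thread);
    external_ip / hostname: an address and a name beyond the firewall you may test against.
    """
    results = {
        "local_address": is_usable_address(local_ip),
        "gateway": ping(gateway),
        "external_ip": ping(external_ip),
        "dns": resolves(hostname),
        "http": tcp_connect(hostname, 80),
    }
    return results, diagnosis(results)


if __name__ == "__main__":
    # Constructed results reproducing the thread's symptom: the PC could ping nothing.
    broken_pc = {"local_address": False, "gateway": False, "external_ip": False}
    print(diagnosis(broken_pc))
    # Constructed results for a firewall-side fault: host and LAN fine, nothing beyond.
    print(diagnosis({"local_address": True, "gateway": True, "external_ip": False}))
```

Run `run_live("<adapter address>", "10.0.1.1", "<external address>", "<hostname>")` from each PC; because the stages are ordered, a PC whose adapter holds a 169.254.x.x address is flagged at the first stage instead of producing a confusing string of gateway and Internet failures, which is exactly the misattribution the thread ended on.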
