
Hardware Firewalls

23K Solutions

20K Contributors

Hardware-based firewalls provide more sophisticated protection for inbound and outbound traffic than the simple Windows software firewall or the basic NAT firewalls found in routers. These devices implement techniques such as stateful packet inspection, deep packet inspection, and content filtering; and may include built-in antivirus and anti-malware protection.


I had this question after viewing Cisco ASA 5505 and Microsoft DHCP superscope.

Hello everyone, I am new to this forum and I have a question similar to this one.

I have a Microsoft Server 2008 R2 which is the DNS and DHCP server. The IP scope is 10.1.1.0 - 10.1.1.255.
It's connected to a switch and then to an ASA5505 that goes outside to the internet. It's all working and fine. But then the users are using WiFi and cable to connect and the IP range is all but used up, so I want to extend it. I created a superscope in Microsoft Server 2008 R2 and its range is 10.1.0.0 - 10.1.0.255. Also, on the ASA I created an interface named inside1 and assigned it an IP of 10.1.0.1 /24.

How can I get this to work using the ASA?

Thanks

We currently have a fairly simple set up: we have ONE public Web Server IP. Our in/out path is ISP line to our Cisco ASA/Firewall to our Host Server. We use static IPs from the ISP. Our objective is to achieve highly reliable access to our Web server.

We are looking at a solution such as DNSMadeEasy + DNS Failover.

Would the following plan work?
1) We'll acquire a new ISP #2 service as backup for our ISP #1 service.
2) We'll acquire a new Switch. On site at our location we'll plug the two lines from ISP #1 and ISP #2 into the new Switch.
3) Run a single line from this new switch into our existing CISCO ASA router, and add configuration rules to Cisco for the new source IP addresses to mirror the rules already there for NAT, port forwarding, etc.

Any recommendations would be appreciated!
My sonicwall is dropping my connection from a second subnet. I understand why, as it is identifying this 96... ip address as a WAN on the LAN. However I just simply want to allow all traffic from that IP to get through. How would I go about configuring the sonicwall?

I tried disabling IP Spoof Checking from the diag.html page, but it refuses to save and only says "there were no changes made".

01/15/2018 12:07:25.640      Alert      Intrusion Prevention      IP spoof dropped      96.67.165.X, 49873, X1      209.63.225.X, 80, X1      

Thanks!
I have a mail server on the inside of my network. I have established all of the ACLs and NAT statements on the ASA and traffic is flowing correctly inbound. However, when the mail server sends traffic outbound (to external networks) it uses the ASA primary IP on the outside interface. I would like to force the outbound traffic to external networks to use a particular IP address (the one that is NAT'ed) for SMTP. As the NAT statements are already in place and functioning, is this a matter of using an extended ACL? If so, how should it be constructed? Thank you in advance for the assistance.
I have an SBS 2008 Domain.  I have added an additional server.  Internally, I can access the new server via RDC.  When attempting to access the new server from outside the network it will not connect.  In my firewall/router I have redirected terminal services pointing to the public static IP address of the new server to the private IP address of the server and kept the 3389 port (for now).  Will not connect.

What am I missing????
Dear Sirs, I have configured an ASA 5510 with 4 interfaces (Outside, DMZ, Inside, Branch_Offices). On my DMZ I have 3 servers: DNS, Mail and Web, but I don't know how to do that. (Now I have traffic from outside to a single server in the DMZ.) I need outside users to be able to get into the website and send emails to people on the inside. I have traffic from inside and DMZ to outside.

Here's the configuration:

: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name MYDOMAIN.COM
enable password kFJzUkFi3silH1Ye encrypted
passwd PVSASRJovmamnVkD encrypted
names
name A.B.c.d BCP description BCP
name A.B.0.0 Linkser description Linkser
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.y.z.131 255.255.255.240
!
interface Ethernet0/1
 nameif Branch_Office
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3.1
 description Inside
 vlan 1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.2
 description ServerFarm
 vlan 2
 nameif SvrFarm
 security-level 100
 no ip address
!
interface Management0/0
 nameif LinkserNet
 security-level 100
 ip address 172.16.6.2 255.255.255.252
!
!
time-range ilimitado
 periodic daily 0:00 to 23:59
!
banner exec # WARNING!! Unauthorized …
Uverse: 195.10.10.105
SonicWall TZ300w: 195.10.10.106 (gateway address: 192.168.1.1 for private subnet over x0 LAN port)

I want to set up a guest WiFi channel on the SonicWall that has no access to the 1.1 network.
Then, I want to set up a hidden WiFi channel on the SonicWall that has access to the 1.1 network.

Should I set up VLANs for this?

vlan 1 - default - guest wifi
vlan 2 - private subnet assigned to 2nd wifi channel.

I would like to set this up all behind the SonicWall, but if I can't have 2 channels, I suppose I can set a guest network up on the ATT router, although I would rather not do this.

Could someone walk me through the SonicWall setup?
In an office I maintain, we have about 10 PCs running Windows 10. After a Windows update, the clients are unable to resolve external host names. It appears this issue arose after the Fall Creators Update.

- The workstations are able to ping an external IP but they cannot ping an external host name (www.google.com), even when configured statically to use Google DNS.

- Windows seems to leave me with no option to roll back the Creators Update.

- The warehouse PC is not on the domain, and has no issues even with all of the latest updates.

- After a reboot, the users can browse the internet and Outlook will connect to Exchange for about 3 minutes before they go back to having the same issue.

On the client PC I've tried:

Malware scans and Windows Defender scans: They show my computer is not infected.
Completing remaining updates > no change
Flushing DNS > no change
IP Release/Renew and netsh int ip reset > no change
Noticed IPv6 was enabled, tried disabling it > no change
Changing to Google's public DNS > no change
Reinstalling NIC driver > no change

I'm not really sure if this is an issue with the MS update on each machine or something on the domain that is not meshing. I was relieved that I still had the failure with the PC using Google for DNS, thinking my server is not at fault; however, it bugs me that the non-domain PC has no issues.

Where can I troubleshoot next?
Hi, I used these settings for my SonicWall router SMTP delivery but they don't work for the HP MFP:

Mail Server:  outlook.office365.com
admin@domain.com\password

STARTTLS

SMTP PORT 25

AUTHENTICATION METHOD: Yes

SMTP Failure
My server load averages are going way high and too many processes are being consumed. Is it a DDoS attack or something wrong with the server?
[attached screenshot: Screen-Shot-2018-01-02-at-14.54.13.png]

I have been trying to work with SonicWall support on this issue and have made no progress. We have been using the appliance in the past with split tunnel enabled but, due to security requirements, we can no longer allow split tunnel. If we turn it off, remote users can access internal resources we have configured, but cannot access anything on the Internet. It seems that we need to create a resource which is "anything" on the Internet but we don't know how to do that. We don't see any kind of wildcard options. We have not given our users access to "Any" resource. We need to specifically define the resources they have access to. We need an "Internet" resource and then we can give them access to that. Is this possible? Or, is there some other way to approach this?

SonicWall support had us upgrade the firmware to 11.40-468 with the 708 hotfixes but that did not create an option for resolving this requirement.
Twice in the past month our static IP has been flagged by the CBL as hosting malware. The CBL provides the source and destination IP but we have not been able to capture ANY traffic from our network to the destination IP provided. Here is what the CBL gave us:

Detection Information Summary
Destination IP	146.148.124.166
Destination port	443
Source IP	[xxx.xxx.xxx.xxx]
Source port	16997
C&C name/domain	kemonzura.gdn
Protocol	TCP
Time	Tue Dec 26 18:15:27 2017 UTC

The source IP is set on our WAN interface on our firewall (SonicWall) and packet capture on the SonicWall shows no outbound traffic to the destination IP. We port mirrored the switch port where the WAN port is connected on the switch and ran Wireshark against it and still no packets destined for the destination IP. We put a firewall rule in place to drop any packets destined for the destination IP and still we get listed.

In short, we have not been able to capture a single packet egressing our network and destined for the destination IP provided by the CBL. Is it possible to spoof the source IP? If so, how do you remediate?

We are thoroughly puzzled by this.

Below are the full results of the CBL lookup:

Results of Lookup
[redacted] is listed

This IP address was detected and listed 56 times in the past 28 days, and 13 times in the past 24 hours. The most recent detection was at Tue Dec 26 18:15:00 2017 UTC +/- 5 minutes

This IP address is infected with, or is NATting for a
Hi,

I need to block specific external IP addresses from being reached. The firewall is a FortiGate 100E appliance.
This can be done because I was shown once recently but have since forgotten how.
I essentially want to stop all outgoing traffic from reaching the IPs - completely block. No DNS names, all IP.

The reason is to block known malicious IPs and discovered IPs that viruses attempt to send data to while I address the issues as a delayed-response tech - at least I can remote in and block the IPs from being reached until I get onsite or perform remote sessions.

Please advise how to do so via the GUI, not just CLI. Or both ways, but definitely via GUI. Editing hosts files is not an option.

Thanks in advance for your assistance.
On a Cisco ASA, how can I send logging from only a single access control list rule to a syslog server?
Configuration with ASDM please.

- Jac
I recently replaced an ASA firewall with a Fortigate firewall and I found nobody has internet.
I have created exactly the same static routes as in the ASA, and the static route was a private IP.
Then I added a dynamic pool in the policy with the public IP provided by the ISP. Then clients started getting internet.
But when I ping from the Fortigate there is still no internet. Due to that I still can't register the device.
I am more or less familiar with firewalls.
Here is where I plan to buy one: https://www.redcorp.com/en/Search/Index?q=check+point+appliance+730
I hesitate between the model at 839.22 euros and the one at 1.139.49 euros.
We want something easy to manage by ourselves (we are I.T. but not experts in firewalls).
Can somebody give me some advice?
I have an unregistered NSA240.

Setting up two LANs, both trusted, but cannot route between them; also on the second LAN, management is not allowed.

Is this due to the device not being registered?

Cannot remember having this problem before.
I want to use dual WAN with a FortiGate 40C. Is it capable?
4 Total VLANs:
inside
outside
dmz
wifi

The wifi VLAN cannot access a website on a server in the dmz (from Chrome: site can't be reached, took too long to respond, etc.).
I'm using Wireshark to help troubleshoot this issue and I am by no means a pro with Wireshark. I've noticed multiple TCP retransmissions between the wifi host IP and the website source IP.

If I enable all traffic between the wifi and dmz VLANs I still can't reach the website and notice similar TCP retransmissions between the host and the destination.
If I modify the hosts file on my source machine and add the private IP address of the website, with traffic enabled between VLANs, the connection works and the site is displayed. No multiple TCP retransmissions are seen via Wireshark.

Can anyone help me figure out why my wifi VLAN cannot find the website on the dmz VLAN without the hosts file modification?

Not my first rodeo, but I'm trying to update the image on a 5508-X. I put it in ROMMON mode, set everything, and nothing happens. The interesting part is that from the ASA I can ping my laptop, but from my laptop I can only ping the ASA while it is pinging me. Never seen this type of issue before. Below is some screen output; I honestly don't think it has anything to do with file size, as I tried 2 TFTP servers.

Success rate is 100 percent (10/10)
rommon 11 > ping 192.168.5.132
Sending 10, 32-byte ICMP Echoes to 192.168.5.132 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 12 > tftpdnld
             ADDRESS: 192.168.5.99
             NETMASK: 255.255.255.0
             GATEWAY: 192.168.5.1
              SERVER: 192.168.5.132
               IMAGE: ftd-boot-9.7.1.4.lfbff
             MACADDR: 00:27:e3:c1:96:11
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect

TFTP: Received error number 0, <file is too big (107035120 bytes) and will take 73312 blocks to be sent with block size of 1460 bytes>.
TFTP: Operation terminated.
rommon 13 >
Hello, I started to configure a pfSense, version 2.4.1. I want to know if it is possible to configure an IPsec multi-WAN failover.

Has anyone had any experience configuring this? I already configured the dual WAN failover on the pfSense.

I would like the VPN tunnel to be able to stay up if the WAN fails over.

Thanks in advance
Hi,

My ASA has 1 public IP, 203.162.5.8, which is used for VPN.
Now I want to add 1 more public IP, 203.162.5.9, and forward all port requests to a local server, 192.168.1.5.
My local LAN: 192.168.1.0/24
My network: Internet -> ASA5525 -> LAN

Please help guide me on how to configure my ASA.

Thanks a lot.
My NAT policies for single ports are working, but when I try to use a port range it is not working:

I am trying to use the following details:

object service Support-Ranges
service tcp destination range 50802 50814

object network Server-SupportRanges
host 192.168.10.220
nat (inside,outside) source static any any destination static interface Server-SupportRanges service Support-Ranges Support-Ranges

Running a packet trace passes the ACL and fails on Phase 7 NAT

Thanks.
I have an ASA 5506 with software version 9.5(2)10
I need to allow some new ports through. I have configured the following NAT policy and Access List:

access-list Outside_Access_In extended permit udp any object PAT-RemoteVoice eq 50794
access-group Outside_Access_In in interface outside

object network PAT-RemoteVoice
 nat (inside,Outside) static interface service tcp 50794 50794

I can't seem to connect on port 50794 however.
Any assistance would be appreciated.
When I look at Splunk - where I send my Cisco ACS 5.4 syslog output - I see a record of actions I've done on ACS. But I'm not seeing the TACACS records when I log into various network devices. I can see the tacacs records if I go to Monitoring and Reports section of ACS. How can I view in syslog?