we have a new ERP being installed and I have to set up a DMZ for it to sit in. I configured everything I can think of but I cannot get a ping from my test PC to the DMZ machine to work. The dmz machine is able to ping the test machine on my internal network and that is all it can ping inside. it is also able to access the internet fine. I have the dmz interface (ASA) connected to my internal network via an access port and the machine is also connected on the vlan (not L3).
I have added rules for DMZ to access the DNS server and test PC. added a rule to deny all other inbound traffic from DMZ.
NAT statement added for the DMZ interface to outside interface to allow internet access.
I have tried natting the internal network to the DMZ network but that doesnt work.
its odd to me because I am able to ping up just fine (50->100 with the rules, and down 50->0) but I cant access the DMZ from my internal network.
on DMZ ACL I have an any,DMZ any,any permit any rule that i figured sshould allow anything to connect to the DMZ net for testing.
Im working on grabbing a config right now but its huge (previous network guy has put a ton of bloat in it).
Also, ICMP inspect is allowed in the default policy.
Any help is appreciated.
To sum it up, DMZ can access internet and what I want it to access internally, but internally I cannot access the DMZ.
Related
i have problem with access to server with domains.
Test url: testpage.example.com.
Server is in local network with port fowarding (80, 443), configured as web server using caddy server as reverse proxy.
Case 1 (using Asus router):
Connected on local network behind router. Server is in the same network as my computer. Everything works like a charm in and out of my network.
Case 2 (using internet provider router):
Connected on local network behind router. Can't access server with domain. Works with direct IP. Outside network, works as in case 1.
I used same server.
Does anyone know why this problem occured? How can i solve it?
Thanks,
David
Two options I can think of:
You could add a record to whatever DNS server you're using in Case 2.
You could write a short script that runs whenever you change network connections to modify your hosts file accordingly.
This happens when the server you are trying to reach "testpage.example.com" resolves to your router's external IP address. Because your public IP address is the same as server's IP address (even though inside your home network you have different private IP addresses) your requests are lost in the ether.
As a workaround you can resolve the testpage.example.com manually on your local machine.
For Windows c:\windows\system32\etc\hosts
For Linux /etc/hosts
testpage.example.com 192.168.1.102 -> private IP of the machine serving the site.
I have a router os installed on a virtual server, with 3 interfaces:
lan-192.168.1.1/24
wan-192.168.2.1/24
wifi-192.168.3.1/24
I have a PPOE client to connect over WAN to ISP and get static public IP
x.x.x.x
I have a windows server with DNS, HTTP services on LAN interface, and 1 wireless access point on WIFI interface.
I have created rules for block incoming connection from internet, except 80,53,...
I have created dst-nat from my public IP x.x.x.x to local server IP.
Another dst-nat from LAN to server LAN IP address.
Also SRC NAT to masqurade, LAN and WIFI connections to server.
Another SRC-NAT masqurade for access internet.
Also mikrotik DNS service used to get records and catch from my local server DNS service.
All things work good, until, I want create hotspot service on WIFI interface.
dynamic firewall filters and NATs destroy all things work.
Scenario is access WIFI users to internet by authentication and access local server locally and free.
Also internet access for lan users free.
Also public web access to my server from internet.
Thanks in advance!
NOTE: Skip to TLDR if you just want the direct answer.
This configuration has been made far more complicated than necessary. I'm going to write this up from memory because I don't have an unused router handy at the moment, but this should work.
I'm going to make some assumptions here:
You do not want anyone from the WAN or PPPoE to be able to reach your LAN.
You don't want anyone from the WIFI to be able to reach your LAN except for HTTP or DNS.
You FULLY intend to circle back once everthing is working and ENABLE HTTPS on your server. THIS IS IMPORTANT!!!
First, set up everything to work without restriction. No rules except for a single masquerade entry. You want to masquerade all traffic NOT destined for 192.168.0.0/16. This rules is all you will need. the DST-NAT rules are unnecessary unless you want to provide service to traffic on the PPPoE interface.
Next, add the following firewall rules under the FORWARD chain:
ACCEPT all Established and all Related traffic (no other restrictions).
ACCEPT FROM 192.168.3.0/24 TO TCP 80,53,443 destined for your Windows Server IP address.
ACCEPT FROM 192.168.3.0/24 TO ICMP destined your Windows Server IP address.
ACCEPT FROM 192.168.1.0/24 TO !192.168.0.0/16. This allows Internet access for the LAN.
ACCEPT FROM 192.168.3.0/24 TO !192.168.0.0/16. This allows Internet access for the WIFI.
DROP everything else.
Make sure everything still works. These basic rules will give you at least some protection on your LAN from random people connecting to your WIFI. This way, if you ever disable your Hotspot to allow unrestricted access through your Wifi, you're LAN is still protected.
* TLDR *
Now you can set up your hotspot. The most important part is on your Walled Garden IP list tab, under IP -> Hotspot. You must add entries here allowing access to whatever servers you want to function before someone logs on, specifically your server's HTTP, DNS, etc services. The Hotspot will translate these into automatically-created firewall rules for you.
Finally, I would remiss if I didn't tell you that this is not a complete firewall setup, and there's all sorts of stuff that can go wrong here if things are not implemented properly. My email is in my profile here if you are interested in paid assistance.
I would like to create a local wireless without internet.
I would like to have the possibility to connect 50 clients and access to a website using a domain name.
That means, I need a DNS and DHCP.
I sreach on internet an I found a way to achieve that but not totally and i am not sure if it will work and if it is the best way to achieve that.
I can maybe have a mini PC (server) with ad hoc network and have the client to connect on the server but:
Will it be possible on a connection to assign a ip to the client and set a DNS server ip on the client as the same ip of the server.
I found mini PCs but how can I know if the PC will handle a lot of client ? Which network card to choose ?
I think also that a router and configure DHCP on it to distribute the IPs but I would like to have one box ready object as a mini PC.
I need an advice on the best way to go with what i want to achieve and materials i need to buy and good references.
For a linux domain controler you will need to install bind to host your own DNS. It's a little involved to set up, but necessary if your network doesn't have a DNS server. If you're using a windows domain controller you will need a server OS (expensive). If you only have 50 clients the DNS resources needed will be small and you could run bind from any old box, even a Raspberry Pi. You will also need a host machine for the "website" a.k.a. an intranet. This can be the same machine as your DNS server, but can be any computer on the network. When all is done you will have your router configured with the IP of your local DNS server. The DNS server will point your local domain to whatever box hosts the intranet website.
I and unable to RDP Azure VM on my corporate network using "DNS:Port" (like vmname.cloudapp.net:3389). It works fine on my home network, which means, endpoints are set correctly.
However, it was possible to RDP VM using Public IP but not anymore. With public IP, I was able to RDP VM on my corporate network, but not sure this has restricted recently?
Any way of to access a VM using Public IP rather DNS:Port format?
Thanks
It is common for enterprise IT to block outbound ports because some argue this provides better security. I don't think this necessarily makes sense, but here's what you can do to verify. As a best practice, always connect to Windows Azure VMs using DNS names rather than IP addresses because the addresses are subject to change, while DNS names will not.
1 Confirm the port you're trying to connect to. By default, Windows Azure assigns a port in the dynamic range (49152–65535) for Remote Desktop, which is mapped internally to the usual RDP port 3389. You can see which one this is by checking your VM endpoint public port in the Windows Azure portal (Select Virtual Machines > Your VM > Endpoints tab > RemoteDesktop entry). You need to connect using this port after the name (using the Connect button in the portal gives you an RDP shortcut file that does this for you). If my public port is 62472, I put this in the Remote Desktop Connection computer field:
percepten-VM1.cloudapp.net:62472
If you like, you can edit the public port here in the portal using the "Edit the endpoint" option on the RemoteDesktop entry. That way you can make it 3389 if your IT department asks you for a single port number to allow outbound.
2 Test your DNS resolution to your VM using nslookup or ping. If you get "non-existent domain", then your corporate DNS is blocking Windows Azure resolution. This is what you want to see:
>nslookup percepten-vm1.cloudapp.net
Non-authoritative answer:
Name: percepten-vm1.cloudapp.net
Address: 157.56.182.135
3 If you can resolve DNS, then try using an outbound port scan tool to verify port 3389 is allowed out. I found a nice one at portquiz.positon.org. To use, open the site with a port appended in the URL. In this case, open "http://portquiz.positon.org:3389". You should see this on the page:
Outgoing port tester
This server listens on all TCP ports, allowing you to test any
outbound TCP port. You have reached this page on port 3389.
...
4 If you receive "page not available", then the port is blocked. Try contacting IT to ask them to open port 3389 (or the entire dynamic range if you're feeling ambitious). If they want to open it only to specific places on the Internet, provide them this list of all Windows Azure IP address ranges:
Windows Azure Datacenter IP Address Ranges
Hope that helps!
Noah Stahl
Percepten
I published a web application to one of app servers. Now, if I am connected within my company network (no login require), I can access the web site no problem. Now, if I am connected from outside of the network over VPN, I can't access the website (Getting page not found appears). Do I need to configure IIS on the app server for allowing the connection over VPN?
Thanks for your time.
It sounds like you do not have your firewall/router configured correctly to allow traffic from external sources. When your connected via VPN it is like you are connected to the internal network. Without the VPN you need to make sure it is routed correctly and visible through your firewall. Can you ping the IP that you are trying to get to?
Do you get DNS resolution when you connect over the VPN? If you are trying to hit an internal machine name address, you might try changing to the IP address of the machine.