SonicWall Access Rule - Limit Access to Specific IP - firewall

I have a SonicWall TZ200 and used the Wizard to create a port forwarding rule for PPTP, which is working great. Now I want to limit the EXTERNAL IP addresses that can use this port forwarding rule so that it only allows connections from a couple of employees' static home IP addresses.
I created an Address Object for the external home IP address. Then I went to Access Rules WAN > LAN. For the PPTP rule I changed Allow Source to the Address Object for the home IP address.
But I can still access the VPN from a different external IP address, so it's obviously not blocking anything else.
What am I missing?

You need to set your NAT policy. The "Home" IP addresses are added at the "Original Destination" part of your policy.

Related

Issue with IP Addresses and Domain Restrictions in IIS

I have Windows Server 2019 with IIS 10 installed. IP and Domain Restrictions is enabled, IP range 10.0.0.1 => 10.0.0.240, domain name: lo-server.com.
The problem I am facing is this: when I add a local IP address (same IP as the server / same network, for example 10.0.0.66) to the deny list, it works perfectly, it denies access.
But when I add an IP address outside the network (192.168.20.10), which is connected to a firewall (FortiGate) at 10.0.0.200, the restriction doesn't work. I need to add the firewall IP to deny it, which I don't want to do because I'll block all the ranges that are connected to the firewall.
How can I deny access to another network without adding the firewall?
Microsoft considered the simplest case for you and implemented the so-called Proxy mode, which you might try out:
https://learn.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions#configuring-iis-for-proxy-mode
Deep down inside it checks the X-Forwarded-For header to see whether the incoming HTTP requests came through a proxy (the firewall in your case) and then applies the rules to decide whether to deny a request.
However, a real-world proxy can manipulate the incoming requests in too many ways, so Proxy mode might fail you and you will have to switch to something like the URL Rewrite module and write a more complicated rule to abort the desired requests.
You can use the IP Address and Domain Restrictions feature page to define and manage rules that allow or deny access to content for a specific IP address, a range of IP addresses, or a domain name or names.
Opens the Add Deny Restriction Rule dialog box from which you can define rules that allow access to content for a specific IP address, a range of IP addresses, or a DNS domain name.
For more information you can refer to this link: IP Address and Domain Restrictions.

Accessing IIS website from another device without creating an inbound rule

I have deployed my Flask application on IIS using the IP address. I want to access it from another PC in the network. I have read about creating an inbound rule and allowing the access, but is there a safer way to do this?
In my opinion, you could use port 80, which is usually an open port.
If you want to use another port, you can set the firewall rule and use only the Private profile.
After that, you could use the IIS IP and Domain Restrictions to restrict all IPs other than the remote machine's IP.
You can follow the steps below to allow connections from specific IP addresses:
1) Open IIS Manager.
2) In IIS Manager, expand SERVERNAME > Sites > click on the required website > double-click IP Address and Domain Restrictions.
3) Click Add Allow Entry... (on the right pane) to add an IP address or IP address range that will be allowed to access the website. Click OK.
4) Once the allowed IP addresses have been added, click Edit Feature Settings... and select Deny for Access for unspecified clients. Click OK.
Now only users with the specified IP addresses are able to access the website.
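The two IIS threads above describe the same feature from opposite sides: a deny list that stops working once clients arrive through a firewall (Proxy mode and X-Forwarded-For), and an allow list with "Deny for unspecified clients". The following is an added example, not IIS's own implementation, that models both evaluations in Python so the behaviour can be checked offline. Addresses 10.0.0.66, 192.168.20.10 and 10.0.0.200 (the FortiGate) come from the first thread; 10.0.0.50 is a constructed address standing in for the one remote machine the second thread wants to allow. The rule ordering (deny entries win, then allow entries, then the unspecified-clients default) is this example's own fail-closed choice.

```python
"""Allow/deny evaluation in the style of IIS "IP Address and Domain Restrictions",
including the "Deny for unspecified clients" switch and a proxy mode that honours
X-Forwarded-For only when the request arrives from a trusted proxy.

Added example (not IIS's code). Addresses from the thread: 10.0.0.66 (denied
LAN host), 192.168.20.10 (host behind the FortiGate), 10.0.0.200 (the firewall).
10.0.0.50 is a constructed address standing in for the remote machine to allow.
"""
import ipaddress
from dataclasses import dataclass, field


def _net(cidr):
    # strict=False so an entry like "10.0.0.66/24" is accepted and normalised
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Restrictions:
    allow: list = field(default_factory=list)             # explicit allow entries
    deny: list = field(default_factory=list)              # explicit deny entries
    deny_unspecified: bool = False                        # "Deny for unspecified clients"
    trusted_proxies: list = field(default_factory=list)   # proxy mode: whose XFF we trust

    def add_allow(self, cidr):
        self.allow.append(_net(cidr))

    def add_deny(self, cidr):
        self.deny.append(_net(cidr))

    def trust_proxy(self, cidr):
        self.trusted_proxies.append(_net(cidr))


def effective_client_ip(peer_ip, xff_header, trusted_proxies):
    """Address the rules are evaluated against.

    X-Forwarded-For is written by whoever sent the request, so it is honoured
    only when the direct peer is a trusted proxy. Any other sender's header is
    ignored and the peer address itself is used.
    """
    peer = ipaddress.ip_address(peer_ip)
    if xff_header and any(peer in proxy for proxy in trusted_proxies):
        # Leftmost entry is the original client; each proxy appends its own peer.
        first_hop = xff_header.split(",")[0].strip()
        try:
            return ipaddress.ip_address(first_hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
    return peer


def is_allowed(rules, peer_ip, xff_header=None):
    """Deny entries win over allow entries; unmatched clients follow deny_unspecified."""
    client = effective_client_ip(peer_ip, xff_header, rules.trusted_proxies)
    if any(client in net for net in rules.deny):
        return False
    if any(client in net for net in rules.allow):
        return True
    return not rules.deny_unspecified


def scenario_deny_list(proxy_mode):
    """Deny list from the first thread, with and without proxy mode."""
    rules = Restrictions()
    rules.add_deny("10.0.0.66")
    rules.add_deny("192.168.20.10")
    if proxy_mode:
        rules.trust_proxy("10.0.0.200")  # the FortiGate is the only honoured proxy
    return {
        "lan_host_direct": is_allowed(rules, "10.0.0.66"),
        # 192.168.20.10 reaches IIS via the firewall, which adds X-Forwarded-For
        "remote_via_firewall": is_allowed(rules, "10.0.0.200", "192.168.20.10"),
        # a neighbour behind the same firewall that is not on the deny list
        "other_via_firewall": is_allowed(rules, "10.0.0.200", "192.168.20.11"),
        # a denied LAN host forging the header to look like someone else
        "spoofed_xff": is_allowed(rules, "10.0.0.66", "10.0.0.50"),
    }


def scenario_allow_list():
    """Allow-only configuration from the second thread (allow entry + deny unspecified)."""
    rules = Restrictions(deny_unspecified=True)
    rules.add_allow("10.0.0.50")  # constructed: the one remote machine allowed in
    return {
        "allowed_machine": is_allowed(rules, "10.0.0.50"),
        "anyone_else": is_allowed(rules, "10.0.0.77"),
    }


if __name__ == "__main__":
    print("without proxy mode:", scenario_deny_list(False))
    print("with proxy mode:   ", scenario_deny_list(True))
    print("allow list only:   ", scenario_allow_list())
```

Without proxy mode the request from 192.168.20.10 is evaluated as coming from 10.0.0.200 and passes, which is exactly the symptom in the first thread; with proxy mode the deny entry for 192.168.20.10 takes effect while 192.168.20.11 behind the same firewall still gets through. The header is only ever read when the direct peer is the configured proxy, so a denied LAN host cannot talk its way in by forging X-Forwarded-For.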

Setting inbound ip address filter for ssh

I'm trying to set one IP address (dynamic) as the source of the inbound SSH rule for an Azure VM. When it's set to "Any" it works perfectly, but with my local dynamic IP it doesn't work (connection timed out).
I also tried giving a CIDR block for the source, but I'm still confused as to why a single IP doesn't work.
Most "What's my IP" sites will give you your public IP address, which you can use for your NSG.
http://www.hazelnest.com/IPproject/MyIP/ip.php
But I believe the issue you are having is one I have seen in very large company networks: the IP you get from the site is not really the IP used for RDP/SSH.
The easiest and guaranteed way is to contact your networking guys to provide you with the information.
Another way is to check the IP you see in the RDP/SSH logs when you connect without restricting the NSG. Then use that IP in the NSG; note that depending on the network this might change.
Linux:
Check auth.log under /var/log.
Windows:
In the VM's Event Viewer, navigate to the path below and check event 22, which should have the information.
Applications and Services Logs\Microsoft\Windows\TerminalServices-LocalSessionManager
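The answer's Linux step is to read the source address sshd recorded rather than trusting a "What's my IP" site. As an added example (not part of the answer), the script below extracts those addresses from auth.log lines in the standard sshd format and turns them into /32 entries for the NSG source field. The log lines are constructed (RFC 5737 documentation addresses 203.0.113.x and 198.51.100.x); feed it the real /var/log/auth.log to run it on a VM. Only "Accepted" lines count: the failed-login noise in the same file is precisely what must not end up in an allow rule.

```python
"""Pull the source addresses sshd actually saw for successful logins out of
/var/log/auth.log, as candidates for the NSG source filter.

Added example, not from the answer above. SAMPLE_AUTH_LOG is constructed in the
sshd log format using documentation addresses; replace it with the lines of the
real file (for example open("/var/log/auth.log").read()) on a VM.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: two users logging in from two egress addresses, plus
# brute-force noise that must never be turned into an allow entry.
SAMPLE_AUTH_LOG = """\
Jan 12 09:14:02 vm1 sshd[1201]: Accepted publickey for azureuser from 203.0.113.45 port 51122 ssh2: RSA SHA256:AbCdEf
Jan 12 09:14:02 vm1 sshd[1201]: pam_unix(sshd:session): session opened for user azureuser by (uid=0)
Jan 12 09:20:41 vm1 sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Jan 12 09:20:44 vm1 sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40212 ssh2
Jan 12 09:31:10 vm1 sshd[1302]: Accepted publickey for azureuser from 203.0.113.45 port 51400 ssh2: RSA SHA256:AbCdEf
Jan 12 11:02:55 vm1 sshd[1410]: Accepted password for deploy from 203.0.113.90 port 60001 ssh2
Jan 12 11:05:00 vm1 sshd[1455]: Connection closed by authenticating user root 198.51.100.8 port 33012 [preauth]
"""

# Only lines that record a completed authentication are of interest.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)


def accepted_logins(lines):
    """Yield (user, method, source_ip) for each successful sshd authentication."""
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            yield m.group("user"), m.group("method"), m.group("ip")


def source_summary(lines):
    """Count successful logins per source address (the IP the NSG must allow)."""
    return Counter(ip for _, _, ip in accepted_logins(lines))


def nsg_source_prefixes(lines):
    """/32 prefixes for the NSG 'Source IP addresses/CIDR ranges' field,
    sorted numerically rather than as strings."""
    prefixes = [f"{ip}/32" for ip in source_summary(lines)]
    return sorted(prefixes, key=lambda p: ipaddress.ip_network(p))


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    for ip, count in source_summary(lines).most_common():
        print(f"{ip:>16}  {count} successful login(s)")
    print("NSG source candidates:", ", ".join(nsg_source_prefixes(lines)))
```

If the summary shows a different address than the "What's my IP" site reports, the corporate egress for SSH differs from the one for web browsing, which is the situation the answer describes; if it shows several addresses over time, the source is not stable and a single /32 will keep timing out.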

How to use iis with friendly name on local network

I made a website on my local machine. I set the bindings local.com and www.local.com. I added to the hosts file:
127.0.0.1 local.com
127.0.0.1 www.local.com
So I can connect on my PC like
local.com,
www.local.com,
192.168.1.35
But another PC on my network can't connect with the friendly names
www.local.com,
local.com,
but the same PC can connect with the IP
192.168.1.35
How can that other PC connect with the friendly name?
IP addresses are the numerical identification for each device on a computer network.
Named addresses were invented because remembering each device's address became a difficult job.
So someone must know which names must be converted to which IP address.
DNS servers are responsible for this translation. But you did that locally. Actually you don't have a DNS server on your local system, so you can't tell others that "WWW.Something.COM" is my address.
If you are not connected to the internet, you must establish a DNS server or do this task manually on all clients:
https://helpdeskgeek.com/networking/edit-hosts-file/
Running a DNS server is another task. You can search for DNS server applications like https://simpledns.com/ or you can set up a DNS server using Windows Server. For both scenarios you need to tell your clients to add your DNS server address to their network adapter settings.
Or, if you are connected to the Internet, you can use NoIP to register a free address:
https://www.noip.com/
You then need to download an application (from noip.com) to monitor IP changes; it will monitor your IP address and its changes and then tell NOIP.com to translate your address into your current IP address.
Actually NOIP will register your address globally around the Internet, and anyone who can access the internet is able to reach your address.
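The answer's point is that a hosts file is a per-machine substitute for DNS, so the entries on the web server tell no other PC anything. The added example below (not part of the answer) parses hosts-file text the way a resolver does and derives the lines another LAN client would need. It uses the two entries from the question and the server's LAN address 192.168.1.35; note that the server's own lines cannot simply be copied, because 127.0.0.1 is loopback on every machine and would point the client at itself.

```python
"""Parse a hosts file and derive entries other LAN clients can use.

Added example; not from the answer. SERVER_HOSTS reproduces the two entries from
the question (plus the usual localhost lines); 192.168.1.35 is the web server's
LAN address also given there.
"""
import ipaddress

SERVER_HOSTS = """\
# hosts file on the web server (entries from the question)
127.0.0.1       localhost
127.0.0.1       local.com
127.0.0.1       www.local.com
::1             localhost
"""


def parse_hosts(text):
    """Map each hostname (case-insensitive) to the address the file assigns it.

    Handles comments, blank lines and several aliases per line; the first
    entry for a name wins.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line: skipped, as a resolver would
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def lookup(hosts_text, name):
    """Resolve a name through one machine's hosts file only (no DNS behind it)."""
    ip = parse_hosts(hosts_text).get(name.lower())
    return str(ip) if ip is not None else None


def client_hosts_entries(server_hosts_text, server_lan_ip, names):
    """Hosts lines another LAN client needs for the server's friendly names.

    Loopback entries on the server are rewritten to the server's LAN address;
    any non-loopback entry is carried over unchanged.
    """
    table = parse_hosts(server_hosts_text)
    lan_ip = ipaddress.ip_address(server_lan_ip)
    entries = []
    for name in names:
        ip = table.get(name.lower())
        if ip is None:
            continue  # the name is not bound on the server at all
        target = lan_ip if ip.is_loopback else ip
        entries.append(f"{target}\t{name}")
    return entries


if __name__ == "__main__":
    # On the server the names resolve; on a PC with no entry they do not.
    print("server resolves www.local.com ->", lookup(SERVER_HOSTS, "www.local.com"))
    print("other PC resolves www.local.com ->", lookup("", "www.local.com"))
    for entry in client_hosts_entries(SERVER_HOSTS, "192.168.1.35", ["local.com", "www.local.com"]):
        print("add to client hosts:", entry)
```

The "other PC resolves None" case is the question's symptom: with nothing in its own hosts file, the client falls through to DNS, which knows nothing about local.com. The generated lines are what would go into each client's hosts file under the manual approach; the DNS-server or NoIP routes in the answer replace that per-client step.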

Allow Mobile internet to ssh in AWS EC2 instance

I've set up a security group for more security, to allow only known IP addresses to access my EC2 instance. So for that I have added the known IP address in the inbound rule to allow SSH access. But it's not allowing the SSH connection when I try to connect through mobile internet, because the mobile internet IP address continuously changes. So how can I get the public IP address when connecting to the net through mobile?
Thank you in advance!!
Generally your mobile gives you an IP address dynamically, and every time you will get a new IP. But all these IPs usually fall within a range. So you can ALLOW a CIDR which contains your IP in the inbound rule. For example, if your IP is A.B.C.D then you can give a CIDR A.B.C.D/24, which will match all IPs that start with A.B.C.(1-255). But if you really need to get a public IP you will need to talk to your mobile company.
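As an added example (not part of the answer), the helpers below use Python's ipaddress module to work through the CIDR approach: what a rule written as A.B.C.D/24 actually covers once the host bits are cleared, the smallest single block that contains a set of addresses observed over several mobile connections, and how many addresses such a block admits. The observed addresses are constructed from the 203.0.113.0/24 documentation range; on a real instance they would come from the SSH logs. The example generalizes past the /24 in the answer, since the block that fits the observations may be narrower or wider than that.

```python
"""CIDR helpers for an allow-by-range security group rule.

Added example, not from the answer. OBSERVED_MOBILE_IPS is constructed from the
203.0.113.0/24 documentation range and stands in for the public IPs a phone was
assigned on different days.
"""
import ipaddress

# Constructed: public addresses the instance saw on successive mobile connections.
OBSERVED_MOBILE_IPS = ["203.0.113.17", "203.0.113.140", "203.0.113.201"]


def rule_network(cidr):
    """Normalise an A.B.C.D/24-style entry to the network the rule really covers.

    strict=False clears the host bits, so 203.0.113.17/24 becomes 203.0.113.0/24,
    which is the block the security group matches on.
    """
    return ipaddress.ip_network(cidr, strict=False)


def matches(cidr, ip):
    """True if the rule written as `cidr` admits a connection from `ip`."""
    return ipaddress.ip_address(ip) in rule_network(cidr)


def covering_network(ips):
    """Smallest single CIDR block containing every observed address."""
    nets = [ipaddress.ip_network(ip) for ip in ips]   # each address as a /32
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()   # widen by one prefix bit until everything fits
    return net


def exposure(cidr):
    """Number of addresses the rule admits: the cost of allowing a range
    instead of a single IP, since the other addresses belong to strangers."""
    return rule_network(cidr).num_addresses


if __name__ == "__main__":
    block = covering_network(OBSERVED_MOBILE_IPS)
    print("observed:", ", ".join(OBSERVED_MOBILE_IPS))
    print("smallest covering block:", block, "admitting", exposure(str(block)), "addresses")
    print("A.B.C.D/24 as typed:", "203.0.113.17/24", "-> stored as", rule_network("203.0.113.17/24"))
    for ip in ["203.0.113.255", "203.0.114.1"]:
        print(f"{ip} allowed by {block}:", matches(str(block), ip))
```

Two observations that differ only in the low bits yield a small block (203.0.113.17 and 203.0.113.20 fit in 203.0.113.16/29, eight addresses), while addresses spread across the octet force a /24 and 256 admitted addresses; checking exposure() before pasting the block into the rule makes the trade-off visible.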
