ASA firewall and Nat

Hi to everyone.

I have an ASA firewall with the outside interface pointing to a router on the subnet 192.168.1.0

And the inside interface on the 192.168.0.0 subnet

I want to know whether it is required to configure a NAT object between the two interfaces, or whether it is not a prerequisite for Internet connectivity for the LAN segment behind the ASA

Thank you all!

Hello

It is not necessary to configure NAT on the ASA, provided your gateway router knows how to route packets destined for your home network and the router's NAT ACL can be configured to include your home subnet.

If you have a router in bridge base that cannot be configured with static routes or dynamic routing and cannot have its NAT policy edited, then you need to configure NAT on the ASA.

see you soon,

SEB.

Tags: Cisco Security

Similar Questions

  • Remote access ASA, VPN and NAT

    Hello

    I am trying to get remote access VPN working using a Cisco VPN client and an ASA with no split tunneling. The VPN works a little: I can access inside devices when I connect, but I can't access the Internet. I don't see any errors in the ASA log except these:

    Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
    Jul 1 04:59:15 gatekeeper %ASA-3-305006: portmap translation creation failed for udp src outside:192.168.47.200/54918 dst outside:xx.xxx.xxx.xxx/53

    There is only one public IP address, which is assigned to the outside interface by DHCP. The inside network is 192.168.1.0/24, which is PAT'ed to the outside interface, and the VPN network is 192.168.47.X.

    I think my problem is that the .47 net is not NAT'ed out properly, and I don't know how to set that up exactly. I can't understand how this is supposed to work, since the VPN net technically originates from the outside already.

    Here are all the relevant config:

    access-list vpn extended permit ip any 192.168.47.0 255.255.255.0
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.47.200-192.168.47.220 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip audit info action alarm drop
    ip audit attack action alarm drop
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list vpn
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 2 192.168.47.0 255.255.255.0 outside
    static (inside,outside) tcp interface 3074 XBOX360 3074 netmask 255.255.255.255
    static (inside,outside) udp interface 3074 XBOX360 3074 netmask 255.255.255.255
    static (inside,outside) udp interface 88 XBOX360 88 netmask 255.255.255.255
    static (inside,outside) tcp interface https someids https netmask 255.255.255.255

    I can post more of the configuration if necessary.

    Changing 'nat (outside) 2 192.168.47.0 255.255.255.0 outside' to 'nat (outside) 2 access-list vpn outside' gives these:

    Jul 1 06:18:35 gatekeeper %ASA-3-305005: No translation group found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

    So, how do I correctly NAT the VPN traffic so it can access the Internet?

    A few things need to be changed:

    (1) The NAT exemption ACL must be modified to be more specific, so that only the traffic between the internal subnets and the VPN pool subnet is not translated. NAT exemption takes precedence over all other NAT statements, so your Internet traffic from the VPN does not work.

    This ACL:

    access-list vpn extended permit ip any 192.168.47.0 255.255.255.0

    Should be changed to:

    access-list vpn extended permit ip 192.168.47.0 255.255.255.0

    (2) You don't need the "global (inside) 2" statement. Here is what needs to be configured:

    no nat (outside) 2 192.168.47.0 255.255.255.0 outside

    no global (inside) 2 interface

    nat (outside) 1 192.168.47.0 255.255.255.0

    (3) And finally, you must enable the following to allow traffic back out on the outside interface:

    same-security-traffic permit intra-interface

    And don't forget to "clear xlate" after the changes described above, and reconnect to your VPN.

    Hope that helps.

  • Diffie-Hellman - ASA firewall groups

    Hi all

    A couple of questions I hope you can help me with.

    Please can you tell me where I would change the Diffie-Hellman group for phase 1 on an ASA firewall, and is it possible in ASDM?

    Also, do you have to enable PFS to have DH in phase 2?

    Thank you very much

    Alex

    Hello Alex,

    You can change the Diffie-Hellman group for phase 1 on the ASA by configuring the following command:

    crypto isakmp policy

    group

    To configure the same in ASDM, go to

    Configuration > Site-to-Site VPN > Connection Profiles > Add/Edit

    Under the IPsec settings you will find the encryption algorithms. Click the 'Manage' icon to the right of "IKE Policy". Click OK.

    Click on Add/Edit and there will be an option to change the Diffie-Hellman group.

    And finally, regarding PFS: you can enable PFS to have DH in phase 2. Enabling PFS forces a new DH key exchange for phase 2.

    Note: it is not mandatory, it's optional. If it's configured on one side, then it must be configured on the remote side as well.

    Kind regards

    Dinesh Moudgil

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about site-to-site IPsec VPN and NAT. Basically, what I want to achieve is the following:

    ASA2 is at HQ and ASA1 is at a remote site. I have no problem setting up a static-to-static site-to-site IPsec VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPsec VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses.

    Just an example:

    Host N2 (10.1.0.1/16) contacts host N1 (192.168.1.5) using destination, say, 10.23.1.5, not 192.168.1.5 (notice the last octet is the same in this case, .5)

    The translation stays the same for the rest of the communication (host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before, when I worked for a managed services provider where we provided this to our customers (IPsec site-to-site VPN with NAT; I don't know how it was set up)

    Basically, we contacted the customer's hosts via site-to-site VPN, but their real addresses were hidden and we used translated addresses, as above 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last octet must be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK, so going with the old NAT configuration format

    It seems to me that you could do the following:

    • Configure ASA1 with a static policy NAT

      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a static policy NAT, the translation will be made only when the destination network is 10.1.0.0/16
    • If you have, for example, a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration interfere with each other
    • On the ASA2 side, you can configure NAT0 / NAT exemption as normal for the 10.1.0.0/16 network
      • access-list INSIDE-SHEEP remark L2LVPN SHEEP
      • access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-SHEEP
    • You will need to take into account that the access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration at work tomorrow, but I would like to know if it works.

    Please rate if this was helpful

    -Jouni
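
A consistency check for the policy-NAT setup described in the answer above, as an added example that is not part of the original post. The config strings are a constructed sample in ASA 8.2-style syntax using the networks from the answer, the function names are hypothetical, and only `permit ip <net> <mask> <net> <mask>` ACL entries are handled.

```python
import ipaddress
import re

SP = r"[ \t]+"  # separators stay on one line so a short line never borrows tokens

# Constructed sample: ASA1 (remote site) hides 192.168.1.0/24 behind 10.23.1.0/24.
ASA1_CONFIG = """\
access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
"""
# Constructed sample: ASA2 (HQ) only ever sees the translated network.
ASA2_CONFIG = """\
access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
"""


def parse_acl(config, name):
    """Return [(source_net, dest_net)] for every 'permit ip' entry of ACL `name`."""
    pat = re.compile(
        r"^access-list" + SP + re.escape(name) + SP + r"(?:extended" + SP + r")?"
        r"permit" + SP + r"ip" + SP + r"(\S+)" + SP + r"(\S+)" + SP
        + r"(\S+)" + SP + r"(\S+)[ \t]*$",
        re.M,
    )
    return [
        (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
        for s, sm, d, dm in pat.findall(config)
    ]


def parse_policy_static(config):
    """Return (real_net, mapped_net, peer_net) for the first policy static, or None."""
    m = re.search(
        r"^static" + SP + r"\(\S+\)" + SP + r"(\d+\.\d+\.\d+\.\d+)" + SP
        + r"access-list" + SP + r"(\S+)[ \t]*$",
        config,
        re.M,
    )
    if not m:
        return None
    mapped_base, acl_name = m.groups()
    entries = parse_acl(config, acl_name)
    if not entries:
        raise ValueError(f"policy NAT ACL {acl_name} has no usable entries")
    real_net, peer_net = entries[0]
    # A network static maps host-for-host, so the mapped network has the same size.
    mapped_net = ipaddress.ip_network(f"{mapped_base}/{real_net.prefixlen}")
    return real_net, mapped_net, peer_net


def translate(host, real_net, mapped_net):
    """Map a real host address to its translated address, keeping the host bits."""
    host = ipaddress.ip_address(host)
    if host not in real_net:
        raise ValueError(f"{host} is not inside {real_net}")
    return mapped_net.network_address + (int(host) - int(real_net.network_address))


def check_l2l(asa1_cfg, asa2_cfg, crypto_acl):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    local = parse_acl(asa1_cfg, crypto_acl)
    remote = parse_acl(asa2_cfg, crypto_acl)
    # Each side's crypto ACL must be the mirror image of the other's.
    if set(local) != {(dst, src) for src, dst in remote}:
        findings.append("crypto ACLs on ASA1 and ASA2 are not mirror images")
    nat = parse_policy_static(asa1_cfg)
    if nat:
        real_net, mapped_net, _peer = nat
        # Outbound traffic is translated before the crypto ACL is evaluated,
        # so an entry written with the real network never matches.
        for src, _dst in local:
            if src.overlaps(real_net):
                findings.append(
                    f"ASA1 crypto ACL source {src} is the real network; "
                    f"expected the translated network {mapped_net}"
                )
        for _src, dst in remote:
            if dst.overlaps(real_net):
                findings.append(
                    f"ASA2 crypto ACL destination {dst} is the real network; "
                    f"expected the translated network {mapped_net}"
                )
    return findings


if __name__ == "__main__":
    real, mapped, _ = parse_policy_static(ASA1_CONFIG)
    print("192.168.1.5 is reached as", translate("192.168.1.5", real, mapped))
    print("findings:", check_l2l(ASA1_CONFIG, ASA2_CONFIG, "L2LVPN-ENCRYPTIONDOMAIN"))
```
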

  • Cisco ASA 5515 two asa firewall ipsec vpn tunnel is not coming

    Hello everyone.

    I configured an IPsec VPN tunnel between Singapore and Malaysia with ASA firewalls.

    But the VPN does not come up. Can someone tell me what the root cause could be?

    Here is the configuration of the two ASAs (I changed all the IP addresses):

    Singapore:

    See the race
    ASA 2.0000 Version 4
    !
    ASA5515-SSG520M hostname
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.15.4 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.5.3 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 160.83.172.8 255.255.255.224
    !
    interface GigabitEthernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.219 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    connection of the banner ^ C please disconnect if you are unauthorized access ^ C
    connection of the banner please disconnect if you are unauthorized access
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    network of the SG object
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.15.202
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.15.0_24 object
    192.168.15.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    access extensive list ip 192.168.15.0 outside_cryptomap allow 255.255.255.0 object MK
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    debugging in the history record
    asdm of logging of information
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source SG SG static destination MK MK non-proxy-arp-search to itinerary
    !
    network of the SG object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 160.83.172.x 1
    Route inside 10.0.1.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.2.0 255.255.255.0 192.168.15.199 1
    Route inside 10.0.11.0 255.255.255.0 192.168.15.199 1
    Route inside 10.1.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.8.0.0 255.255.0.0 192.168.15.199 1
    Route inside 10.104.0.0 255.255.0.0 192.168.15.199 1
    Route inside 192.168.8.0 255.255.255.0 192.168.15.199 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    the ssh LOCAL console AAA authentication
    Enable http server

    Community trap SNMP-server host test 192.168.168.231 *.
    No snmp server location
    No snmp Server contact
    Server enable SNMP traps syslog
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 103.246.3.54
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    card crypto CRYPTO-map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400

    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    tunnel-group 143.216.30.7 type ipsec-l2l
    tunnel-group 143.216.30.7 General-attributes
    Group Policy - by default-GroupPolicy1
    IPSec-attributes tunnel-group 143.216.30.7
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    Overall description
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:ccce9a600b491c8db30143590825c01d
    : end

    Malaysia:

    :
    ASA 2.0000 Version 4
    !
    hostname ASA5515-SSG5-MK
    activate the encrypted password of PVSASRJovmamnVkD
    names of
    !
    interface GigabitEthernet0/0
    nameif inside
    security-level 100
    IP 192.168.6.70 255.255.255.0
    !
    interface GigabitEthernet0/1
    nameif DMZ
    security-level 50
    IP 192.168.12.2 255.255.255.0
    !
    interface GigabitEthernet0/2
    nameif outside
    security-level 0
    IP 143.216.30.7 255.255.255.248
    !
    interface GigabitEthernet0/3
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/4
    Shutdown
    No nameif
    no level of security
    no ip address
    !
    interface GigabitEthernet0/5
    nameif test
    security-level 100
    IP 192.168.168.218 255.255.255.0
    !
    interface Management0/0
    management only
    nameif management
    security-level 100
    IP 192.168.1.1 255.255.255.0
    !
    Interface Port - Channel 1
    No nameif
    no level of security
    IP 1.1.1.1 255.255.255.0
    !
    boot system Disk0: / asa922-4-smp - k8.bin
    passive FTP mode
    clock timezone GMT + 8 8
    network of the SG object
    192.168.15.0 subnet 255.255.255.0
    network of the MK object
    192.168.6.0 subnet 255.255.255.0
    service of the TCP_5938 object
    Service tcp destination eq 5938
    Team Viewer description
    service tcp_3306 object
    Service tcp destination eq 3306
    service tcp_465 object
    tcp destination eq 465 service
    service tcp_587 object
    Service tcp destination eq 587
    service tcp_995 object
    tcp destination eq 995 service
    service of the TCP_9000 object
    tcp destination eq 9000 service
    network of the Inside_host object
    Home 192.168.6.23
    service tcp_1111 object
    Service tcp destination eq 1111
    service tcp_7878 object
    Service tcp destination eq 7878
    service tcp_5060 object
    SIP, service tcp destination eq
    service tcp_5080 object
    Service tcp destination eq 5080
    network of the NETWORK_OBJ_192.168.2.0_24 object
    192.168.6.0 subnet 255.255.255.0
    inside_access_in list extended access allowed object SG ip everything
    VPN-INTERESTING-TRAFFIC extended access list permit ip object MK SG
    OUTSIDE_IN list extended access permit tcp any newspaper EQ 9000 Inside_host object
    outside_cryptomap to access extended list ip 192.168.6.0 allow 255.255.255.0 object SG
    pager lines 24
    Enable logging
    timestamp of the record
    exploitation forest-size of the buffer of 30000
    debug logging in buffered memory
    recording of debug trap
    asdm of logging of information
    host test 192.168.168.231 record
    host test 192.168.168.203 record
    Within 1500 MTU
    MTU 1500 DMZ
    Outside 1500 MTU
    test MTU 1500
    management of MTU 1500
    reverse IP check management interface path
    no failover
    ICMP unreachable rate-limit 1 burst-size 1
    ASDM image disk0: / asdm - 7221.bin
    don't allow no asdm history
    ARP timeout 14400
    no permit-nonconnected arp
    NAT (inside, outside) static source MK MK static destination SG SG route no-proxy-arp-search
    NAT (inside, outside) static source NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24 static destination SG SG route no-proxy-arp-search
    !
    network of the MK object
    NAT dynamic interface (indoor, outdoor)
    network of the Inside_host object
    NAT (inside, outside) interface static 9000 9000 tcp service
    inside_access_in access to the interface inside group
    Access-group OUTSIDE_IN in interface outside
    Route outside 0.0.0.0 0.0.0.0 143.216.30.x 1
    Route inside 10.2.0.0 255.255.0.0 192.168.6.200 1
    Route inside 10.6.0.0 255.255.0.0 192.168.6.200 1
    Route inside 192.168.254.0 255.255.255.0 192.168.6.200 1
    Timeout xlate 03:00
    Pat-xlate timeout 0:00:30
    Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
    Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
    Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    Floating conn timeout 0:00:00
    dynamic-access-policy-registration DfltAccessPolicy
    identity of the user by default-domain LOCAL
    AAA authentication http LOCAL console
    the ssh LOCAL console AAA authentication
    Enable http server

    No snmp server location
    No snmp Server contact
    Crypto ipsec transform-set ikev1 VPN-TRANSFORM esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-AES-128-SHA-TRANS-aes - esp esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-TRANS-aes - esp esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac
    Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac
    Crypto ipsec transform-set ikev1 ESP-DES-SHA-TRANS esp - esp-sha-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transit
    Crypto ipsec transform-set ikev1 ESP-DES-MD5-TRANS esp - esp-md5-hmac
    Crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transit
    Crypto ipsec pmtu aging infinite - the security association
    crypto CRYPTO - map 2 map corresponds to the address outside_cryptomap
    card crypto CRYPTO-map 2 set peer 160.83.172.8
    card crypto CRYPTO-map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
    CRYPTO-card interface card crypto outside
    trustpool crypto ca policy
    Crypto ikev1 allow outside
    IKEv1 crypto policy 10
    preshared authentication
    aes-256 encryption
    sha hash
    Group 2
    life 86400
    SSH timeout 60
    SSH group dh-Group1-sha1 key exchange
    Console timeout 0
    management of 192.168.1.2 - dhcpd address 192.168.1.254
    enable dhcpd management
    !
    a basic threat threat detection
    Statistics-list of access threat detection
    no statistical threat detection tcp-interception
    SSL encryption rc4-aes128-sha1 aes256-3des-sha1 sha1 sha1
    attributes of Group Policy DfltGrpPolicy
    Ikev1 VPN-tunnel-Protocol l2tp ipsec without ssl-client
    internal GroupPolicy1 group strategy
    attributes of Group Policy GroupPolicy1
    Ikev1 VPN-tunnel-Protocol
    username, password admin eY/fQXw7Ure8Qrz7 encrypted privilege 15
    username gmsadmin password HS/VyK0jtJ/PANQT encrypted privilege 15
    tunnel-group MK SG type ipsec-l2l
    IPSec-attributes tunnel-group MK-to-SG
    IKEv1 pre-shared-key *.
    tunnel-group 160.83.172.8 type ipsec-l2l
    tunnel-group 160.83.172.8 General-attributes
    Group Policy - by default-GroupPolicy1
    IPSec-attributes tunnel-group 160.83.172.8
    IKEv1 pre-shared-key *.
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    type of policy-card inspect dns preset_dns_map
    parameters
    maximum message length automatic of customer
    message-length maximum 512
    Policy-map global_policy
    class inspection_default
    inspect the preset_dns_map dns
    inspect the ftp
    inspect h323 h225
    inspect the h323 ras
    inspect the rsh
    inspect the rtsp
    inspect esmtp
    inspect sqlnet
    inspect the skinny
    inspect sunrpc
    inspect xdmcp
    inspect the sip
    inspect the netbios
    inspect the tftp
    Review the ip options
    !
    global service-policy global_policy
    context of prompt hostname
    no remote anonymous reporting call
    Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
    : end

    Good news that the VPN has come up!

    Regarding the ping problem, my suggestion is to check whether some kind of host-based firewall on either side is blocking ICMP requests.

    Anyway, you can also use packet capture on the inside interfaces of the two ASAs to check whether the ICMP traffic is reaching the ASA.

    In addition, you can try to enable ICMP inspection:

    policy-map global_policy
    class inspection_default

    inspect icmp

    inspect icmp error

  • Site to Site VPN between Cisco ASA 5505 and Sonicwall TZ170

    I'm trying to set up a site-to-site VPN between our data center and office. The data center has a Cisco ASA 5505 and the office has a Sonicwall TZ170. I managed to configure the two so that the VPN connects. From each firewall I can ping the Internet IP address of the firewall on the other side, and from a desktop computer I can ping the internal IP address of the data center firewall, but I can't pass traffic between the private subnets of the data center and the office. Can anyone help?

    The config below has had IPs/passwords changed.

    External Datacenter: 1.1.1.4

    External office: 1.1.1.1

    Internal data center: 10.5.0.1/24

    Internal office: 10.10.0.1/24

    : Saved
    :
    ASA Version 8.2 (1)
    !
    hostname datacenterfirewall
    mydomain.tld domain name
    activate the password encrypted
    passwd encrypted
    names of
    name 10.10.0.0 OfficeNetwork
    10.5.0.0 DatacenterNetwork name
    !
    interface Vlan1
    nameif inside
    security-level 100
    10.5.0.1 IP address 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    1.1.1.4 IP address 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
     domain-name buydomains.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit tcp any any
    access-list inside_access_in extended permit udp any any
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit udp any any eq isakmp
    access-list pixtosw extended permit ip DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    access-list pixtosw extended permit icmp DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
    access-list pixtosw extended permit ip OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    access-list pixtosw extended permit icmp OfficeNetwork 255.255.255.0 DatacenterNetwork 255.255.255.0
    access-list outside_cryptomap_66.1 extended permit ip any OfficeNetwork 255.255.255.0
    access-list outside_cryptomap_66.1 extended permit ip OfficeNetwork 255.255.255.0 any
    access-list outside_cryptomap_66.1 extended permit icmp any OfficeNetwork 255.255.255.0
    access-list outside_cryptomap_66.1 extended permit icmp OfficeNetwork 255.255.255.0 any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface outside
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-623.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route inside 0.0.0.0 0.0.0.0 1.1.1.1 1
    route outside OfficeNetwork 255.255.255.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 10.5.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set walthamoffice esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map ciscopix 1 match address outside_cryptomap_66.1
    crypto dynamic-map ciscopix 1 set transform-set walthamoffice
    crypto dynamic-map ciscopix 1 set reverse-route
    crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix
    crypto map dynmaptosw interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 13
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 28800
    crypto isakmp policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 10.5.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 10.5.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd address 10.5.0.2-10.5.0.254 inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 66.250.45.2 source outside
    ntp server 72.18.205.157 source outside
    ntp server 208.53.158.34 source outside
    webvpn
    group-policy DfltGrpPolicy attributes
     vpn-idle-timeout none
    username admin password encrypted
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
     pre-shared-key *
    !
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    !
    prompt hostname context
    Cryptochecksum:7f319172e5de9c0e550804a263f8e49e
    : end

    Mattew, the obvious missing statement is the NAT exemption rule for your tunnel. Your access list pixtosw is similar to the one in this example; I assume that you have gone through this link, and if not, see the configs on both sides.

    Add the NAT exemption rule statement on the ASA and try again.

    nat (inside) 0 access-list pixtosw

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

    Regards
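A small audit for the missing NAT exemption described in the reply above, as an added example that is not from the thread: it parses a pre-8.3 ASA configuration and reports interfaces that have dynamic NAT/PAT and IPsec crypto ACLs but no `nat (ifc) 0 access-list` statement. The sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: a reduced pre-8.3 ASA config in the style of the one posted above.
SAMPLE_CONFIG = """\
access-list pixtosw extended permit ip DatacenterNetwork 255.255.255.0 OfficeNetwork 255.255.255.0
access-list outside_cryptomap_66.1 extended permit ip any OfficeNetwork 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
crypto dynamic-map ciscopix 1 match address outside_cryptomap_66.1
crypto map dynmaptosw 66 ipsec-isakmp dynamic ciscopix
crypto map dynmaptosw interface outside
"""

ACL_RE = re.compile(r"access-list (\S+) extended (?:permit|deny) ")
NAT_RE = re.compile(r"nat \(([^)\s]+)\) (\d+) (.+)")
CRYPTO_RE = re.compile(r"crypto (?:dynamic-map|map) \S+ \d+ match address (\S+)")


def parse_asa_nat(config):
    """Collect the NAT, ACL and crypto statements relevant to NAT exemption."""
    state = {"acls": set(), "dynamic_nat": set(), "exempt": {}, "crypto_acls": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            state["acls"].add(m.group(1))
        elif m := NAT_RE.match(line):
            ifc, nat_id, rest = m.group(1), int(m.group(2)), m.group(3).split()
            if nat_id > 0:
                # Dynamic NAT/PAT rule, e.g. nat (inside) 1 0.0.0.0 0.0.0.0
                state["dynamic_nat"].add(ifc)
            elif rest[0] == "access-list" and len(rest) > 1:
                # NAT exemption, e.g. nat (inside) 0 access-list pixtosw
                state["exempt"].setdefault(ifc, []).append(rest[1])
        elif m := CRYPTO_RE.match(line):
            state["crypto_acls"].add(m.group(1))
    return state


def audit_nat_exemption(config):
    """Return findings for interfaces whose tunnel traffic would hit dynamic NAT/PAT."""
    s = parse_asa_nat(config)
    findings = []
    if not s["crypto_acls"]:
        return findings  # no crypto map ACLs, so no IPsec traffic to exempt
    for ifc in sorted(s["dynamic_nat"]):
        exempt_acls = s["exempt"].get(ifc, [])
        if not exempt_acls:
            findings.append(f"{ifc}: dynamic NAT/PAT but no 'nat ({ifc}) 0 access-list <acl>'")
        for acl in exempt_acls:
            if acl not in s["acls"]:
                findings.append(f"{ifc}: NAT exemption references undefined access-list {acl}")
    return findings


if __name__ == "__main__":
    fixed = SAMPLE_CONFIG + "nat (inside) 0 access-list pixtosw\n"
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with exemption", fixed)):
        print(label, "->", audit_nat_exemption(cfg) or "OK")
```
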

  • ASA identity firewall

    Hello

    I have set up an identity firewall on an ASA version 5.6 on a DMZ interface.

    I installed the AD Agent on a Win2008 domain member and configured it as follows:

    aaa-server ADAGENT_SERVER protocol radius

     ad-agent-mode

    aaa-server ADAGENT_SERVER (VPN) host 172.17.v.x

     key *

    I have configured the LDAP connection to the domain controller as follows:

    aaa-server DOMAIN_SERVER protocol ldap

    aaa-server DOMAIN_SERVER (VPN) host 172.17.v.z

     ldap-base-dn DC=YYY,DC=local

     ldap-scope subtree

     ldap-login-password *

     ldap-login-dn Lucas

     server-type microsoft

    The identity configuration is:

    user-identity domain YYY aaa-server DOMAIN_SERVER

    user-identity default-domain YYY

    user-identity action netbios-response-fail remove-user-ip

    user-identity logout-probe netbios local-system

    user-identity ad-agent aaa-server ADAGENT_SERVER

    user-identity user-not-found enable

    access-list 122 extended permit ip user YYY\ashdew any any

    where ashdew is a domain user, ACL 122 (as one line) is applied on the DMZ interface, and NAT is configured correctly.

    The AD Agent has been properly tested and the ASA can reach it.

    The ASA can connect to the AD domain controller and query the user database.

    I placed a laptop with IP 172.17.h.x on the DMZ and can test the DMZ interface.

    The laptop cannot authenticate to the domain and the ASA does not seem to retrieve the identity of the user.

    Do I need to add additional rules in access list 122 to allow DC traffic?

    Can I log on the AD Agent whether it can retrieve the user-IP mapping?

    Thank you

    Ashley

    Hi Ashley,

    You must ensure that the domain controller is configured correctly; please follow the instructions here:

    http://www.Cisco.com/en/us/docs/security/IBF/setup_guide/ibf10_install.html#wp1058066 (Configuring AD Agent to get information from AD domain controllers)

    I suggest you first check that logon events are generated in the security event log of the domain controller. In Windows 2008, you will see event ID 4768. If they are not, you will need to modify the audit policy, as described in the link above.

  • ASA 5520 and MPF

    Hi all. In our company we have recently upgraded our PIX 515 firewall to an ASA 5520, and we started to experience a strange thing. On one of the sites we host, I saw a lot of MSS exceeded messages popping up and I think that they are the source of the problem when people surf the site (mostly surfing works fine, but sometimes people cannot get content etc.).

    I found the Cisco solution for this problem using the MPF, but one thing confuses me. If I apply an MPF policy allowing exceeded MSS on the outside interface of the ASA, does this policy conflict with the global policy that is on the ASA by default, or can they both exist at the same time?

    Thanks in advance for any help.

    You can have a single policy per interface and another, global one, which by default applies to default-inspection-traffic.

    See http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html for more details.

  • ASA 1000V and ASA 5500

    I hope someone can help me to answer this question:

    Currently, we have redundant FWSM and consider a migration of standalone ASA 5500 series firewalls. However, we have a complete VMWare environment and look at the Nexus 1000V. I understand the Nexus 1000V and ESR architecture and implementation, and I don't understand that the ASA 1000V is designed for cloud environments. But I have a question about the ASA 1000V.

    Is it possible for an ASA 5500 series firewall to be replaced by an ASA 1000V? Basically, can an ASA 1000V be a single firewall solution, or is an ASA 5500 still necessary?

    Is there a datasheet anywhere that compares the ASA 1000V and ASA 5500 series?

    Thanks for your help.

    -Joe

    It depends on what you are using the ASA5500 series for now. If you use the ASA5500 for remote access VPN and AnyConnect VPN, that is not supported in the first version of the ASA1000V yet.

    Here's the Q & A on ASA1000V which includes more information:

    http://www.Cisco.com/en/us/partner/prod/collateral/vpndevc/ps6032/ps6094/ps12233/qa_c67-688050.html

    Hope that answers your question.

  • Multiple VPN groups on the ASA firewall

    I have a remote VPN configured on my ASA firewall with a group of VPN users configured on the external ACS. The group called VPNASA authenticates via the ACS server, and the IP pool is on the ASA firewall. Now, my boss has asked me to set up a second VPN group called VPNSALES on the ACS server for the same remote VPN on the ASA firewall. How do I configure the ASA firewall to accept both groups and authenticate on the same ACS server? I've never done this before so I need help.

    Thank you very much!

    Hello

    All you need to do is create another group policy and attach it to a tunnel group:

    group-policy vpnsales internal

    group-policy vpnsales attributes

     banner value VPN access for the sales team

     dns-server value x.x.x.x

     split-tunnel-policy tunnelspecified

     split-tunnel-network-list value split-sales

     address-pools value sales-pool

     default-domain value mydomain.com

    tunnel-group vpnsales type remote-access

    tunnel-group vpnsales general-attributes

     authentication-server-group vpnsales

     default-group-policy vpnsales

    tunnel-group vpnsales ipsec-attributes

     pre-shared-key @

    You will also create an attribute map named vpnsales for ACS auth.

    Thank you

    Manish

  • Hub-and-spoke topology: can I route Internet traffic from PCs at a spoke site through the tunnel and NAT it out to the world on the 5520 hub?

    I don't know if this can be made to work or not, or if it's a mutually exclusive NAT configuration that is not possible, but I have an ASA 5520 at my central office site with a 20Mbps fiber Internet feed and two remote offices with ASA 5505 devices connected via DSL or cable modem, and have finally got the Site-to-Site "spoke" VPN tunnels up and running with the ability to route spoke-to-spoke traffic through a "hairpin turn" on the Hub Site 5520.

    I have desktop PCs at each of remote spoke sites A & B that need to communicate directly with each other to support a small workgroup-style point-of-sale software package that is actually hosted on a PC at remote site A.

    PCs at the two remote sites must also be able to communicate with a credit card processing service over the public Internet, and I wish to have the ASA 5505 units in each remote office block all traffic from being NAT'ed directly from each respective local LAN PC straight out to the Internet over each site's cable modem or DSL modem. I want to force these PCs to NAT their Internet-destined traffic back through the ASA 5520 located at the Home Office, over the VPN tunnels. In other words, I want the cable modem and DSL connections to route strictly VPN-encrypted traffic to the Home Office and also behave like NAT routers for the local PCs.

    I can stop the 5505s from performing NAT for the PCs in the remote offices simply by removing the factory-default dynamic NAT rule for 'any', but then I can't figure out how to get my central 5520 to perform the NAT required for the remote PCs to talk to their Internet credit card processor service without breaking the "NAT-exempt" configs necessary for spoke-to-spoke VPN traffic to work. If I try to put a static or dynamic NAT entry for a remote PC on my central ASA 5520, it breaks the VPN tunnel for that specific PC.

    Is that what I want to accomplish even possible with the ASA?

    Hi Neal,

    Yes, it's quite possible! Below is a list of things you need to do:

    (1) Make sure that on both of the ASA 5505s you send ALL traffic from the local network through the VPN.

    (2) As Andrew mentioned, have the 'same-security-traffic permit intra-interface' command on the ASA 5520.

    (3) You do not have to have a proxy server configured, but that is also a good solution. To make it work without one, assuming that the remote ASA 5505 subnets are 192.168.1.0/24 and 192.168.2.0/24, add the config lines below to the ASA 5520:

    nat (outside) 1 192.168.1.0 255.255.255.0

    nat (outside) 1 192.168.2.0 255.255.255.0

    global (outside) 1 interface

    Please note that the ID 1 and the interface can be replaced according to the configuration you already have in place on the ASA 5520.

    I don't know what kind of NAT exemptions are causing the problems for you, but if you can post a sanitized copy of your ASA 5505 and ASA 5520 configs, I can make suggestions concerning the exact configuration.

    Let me know if it helps!

    Thank you and best regards,

    Assia

  • Firefox cannot connect to the internet, while the other browsers can... have deleted the software and reinstalled... turned off firewall and virus program.

    Deleted a few TEMP files this morning and AOL and Firefox no longer work. Got AOL going again and removed all traces of the first installation of Firefox and downloaded a new version of Firefox. The program opens, but it immediately goes into a "not responding" status and "connecting" appears in the tab. Cannot click on anything on the Firefox screen. Need to go to the Task Manager to kill the program. Have removed and reinstalled several times. Turned off the firewall and antivirus. Again and always get the same result. Tried in safe mode. Same result. Going on 8 hours of work on this thing. Need help badly. The system is an updated version of XP.

    Thank you all, but I gave up. Tried all the suggestions without success. Disposed of the HDD with Windows XP and the Firefox problem and loaded Windows 7 on a new drive. I had saved a backup file of Favorites from the XP machine and successfully migrated it to the new hard drive. Thanks again.

  • McAfee Firewall and analysis

    I have an IdeaCentre B520 with the following installed:

    BT Net more (McAfee), installed through my BT Internet package

    Windows 8 Upgrade (which upgraded the Windows 7 that was originally installed)

    Last week, a message appeared telling me that the McAfee Firewall and Anti Virus had been disabled.

    When I went to them I couldn't turn them on. I removed and then reinstalled BT Net more, but it did not fix the problem.

    I then thought that I would do a system restore to an earlier date, but at the end of this, I got the following error message:

    System restore failed during the removal of the following

    Path C:\Windows\System32\DRIVERS\b95df1c913bec87a.sys

    an unexpected error occurred 0x8007007b

    I also seem to have lost the ability to restore the complete system for the default option.

    Does anyone have any ideas on what might solve this problem, and also, is there a way I can now restore the system to its original state with Windows 7?

    Thanks for any help

    Hello solid,

    Sorry for the delay in response. I tried what you said but no good. The problem was because I had installed the Windows 8 Upgrade over the original factory installation of Windows 7. This disables the restore a key.

    I talked to Lenovo technical support, who pointed me in the direction of the restore disks. I now have these and have restored the computer back to its "factory settings" (hence the delay). The problem with McAfee has now been resolved.

    I think that the computer had been infected by a virus, but cleaning the system has corrected everything now.

    Thanks for your help.

  • I will still have my firewall turned on and off I do not know why but I tried another firewall, and it seems to work ok

    I had some trouble with my computer and had to take it when I got it. The firewall was working fine. I do not know

    If you date something on it so that it remains not.

    I will still have my firewall turned on and off I do not know why but I tried another firewall, and it seems to work ok

    Hey Roscoe,

    If you're still using MSE, I doubt that is the cause of this problem.  It makes a few changes to the Windows Firewall during installation (if necessary), but certainly nothing that would cause it to turn on and off like that.  It could be malware (malware can cause anything), but frankly it sounds more like a file system corruption or some type of problem with your Windows Firewall or security settings or your operating system in a more general sense rather than malicious software.  I will refer you to experts who specialize in this kind of thing, but if they tell you it's a malware problem, then come back here and we will be happy to help you solve it.

    For the problem as described, please post here to get the best advice from specialists in this: http://answers.microsoft.com/en-us/windows/forum/security?tab=all who will be more than happy to help you.  You will probably need to uninstall the other firewall you have installed so they can diagnose the problem properly and without hindrance (not just disable it, but completely uninstall it to be sure) - but they can tell you more on this subject.  Don't forget to use the drop-down menu next to the Windows version at the top to choose your version so that you end up in the most appropriate forum for your system.

    I hope this helps.

    Good luck!

  • How to uninstall all firewalled and set up a new

    How do I safely uninstall a firewall and set up a new one?

    Hi JackieLynn

     

    1. what operating system is installed on the computer?
    2. don't you want to uninstall Windows Firewall?
    3. you have any third-party firewall installed on the computer?

    Do check and provide us with the information about the installed operating system-

    http://Windows.Microsoft.com/en-us/Windows7/help/which-version-of-the-Windows-operating-system-am-i-running

     

    In Windows 7, you cannot uninstall the firewall; you can simply turn the firewall ON or OFF (if you wish). Please refer to the article below and use the steps provided to turn the firewall ON or OFF:

    http://Windows.Microsoft.com/en-us/Windows7/turn-Windows-Firewall-on-or-off


    WARNING:

    You should not turn off Windows Firewall unless you have another firewall enabled. Turning off Windows Firewall may make your computer (and your network, if you have one) more vulnerable to damage caused by worms or hackers.

     

    I hope this helps.
