— pissing into the wind

Archive
Networking

Noticed IPv6 DHCP was broken on all my Windows 10 clients after I upgraded to the anniversary edition (1607).  Had to run a couple powershell commands to get them pulling addresses:

Wired:

Set-NetIPInterface ethernet -AddressFamily ipv6 -RouterDiscovery Enabled
Set-NetIPInterface ethernet -AddressFamily ipv6 -ManagedAddressConfiguration Enabled

Wireless:

Set-NetIPInterface wi-fi -AddressFamily ipv6 -RouterDiscovery Enabled
Set-NetIPInterface wi-fi -AddressFamily ipv6 -ManagedAddressConfiguration Enabled

That’s it!

Read More

So I had an issue at work that went like this:  We recently put in new managed switches at our remote sites.  One of them failed and was replaced by our 3rd party subcontractor.  They just do a hardware replacement and my team does the configuration.  By default, the switches are configured to use 192.168.1.254 with no gateway info set.  There is only a web UI enabled by default as well.  I have to somehow open a browser and get access to that web console so I can configure the new switch.  I have an 1841 or 1921 router at the other end to configure to make this work.  NAT voodoo time.

The scenario:

NATNAT

The fix:

conf t

int f0/0
ip add 192.168.1.253 255.255.255.0
ip nat inside

int s0/0/0
ip nat inside

int l1
ip address 10.15.4.249 255.255.255.252
no shut

exit

router bgp 65000
network 10.15.4.248 mask 255.255.255.252

exit

ip nat outside source static 192.168.1.254 10.15.4.250
ip nat inside source static 10.210.23.8 192.168.1.100
ip route 10.15.4.250 255.255.255.255 f0/0 1

end

Now I can open a browser to 10.15.4.250 and it works.  When doing any commands reaching back to my computer (tftp), I used 192.168.1.100 as the server (tftp://192.168.1.100/startup-config) and that worked.

That’s it.

Read More

This is a copy/paste from https://forums.he.net/index.php?topic=3194.0.  I’m keeping it here in case that post ever disappears and I need a reference.

This isn’t something people do often, so I figured I would add a post about it (mostly so I can Google it myself in a few years…)
To configure Dynamic DNS (DDNS) updates on your NetScreen/SSG device (may vary slightly between revisions/models):
NOTE: You might also require PING/ICMP Echo Request to be enabled on WAN interface…
By default, DDNS uses HTTPS to connect to update server. You must add the CA certificate that signed the server’s certificate.  For tunnelbroker, connect tohttps://ipv4.tunnelbroker.net/nic/update – you don’t need to login so click cancel if prompted. To display the certificate click (or double-click) on the "padlock" next to "https" in the address bar.
– in Chrome, click "Connection" then "Certificate details"
– in IE, click the padlock then "View certificates" – (IE seems to have issues saving certificates to a file…)
Select the "Certification Path" tab
Double-click the entry immediately above(currently "Starfield Secure Certificate Authority – G2") the default/bottom one (e.g. tunnelbroker.net)
Select "Details" tab
Select "Copy to file"
Next / Base-64 / Browse – pick somewhere you can find it and a name you can remember, e.g. "starfield-2.cer"
Now, go to Web-UI on NS/SSG
Navigate to Objects – Certificates
Select "File: Choose File"
Find the cert you saved previously, OK
Select "Load"
Adding Certificates via CLI:
Not recommended as it requires storing the cert file on a tftp server, but read about it here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB4777
The NS/SSG can now validate the certificate when it connects to update server!
Next, gather your tunnel information.
From https://tunnelbroker.net/ find your tunnel entry
e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
copy this hostname somewhere you can find it
Click on the tunnel entry
Click on the Advanced tab
Copy your Update Key somewhere you can find it
Now, the actual DDNS part….
Option #1: Web-UI
In NS/SSG Web-UI, navigate to Network / DNS / DDNS
Take note of any existing entries as you will be prompted for an ID number that is not currently in use…
Select "New"
Enter an unused ID number (1 is fine if you have no existing entries)
Set server type to "dyndns"
Set server name to "ipv4.tunnelbroker.net"
Defaults for update intervals should be fine
Leave "Clear text" unchecked – that is why we added the cert!
Enter your account name in "Username"
Enter your "Update Key" in Password
Leave Agent blank – it will auto-populate with your OS version, unless you want to put something else here
Bind to Interface – Select your WAN/untrust interface your tunnel is on
For "Hostname", enter your tunnel name – e.g. username-1.tunnel.tserv3.xxx1.ipv6.he.net
For Service, leave default of "dyndns"
Select OK!
Option #2: CLI:
get dns ddns  – take note of any existing entries as they must each have a unique ID number
set dns ddns id X server "ipv4.tunnelbroker.net"server-type dyndns
set dns ddns id X username USERNAME password UPDATEKEY
set dns ddns id X src-interface ethernet0/0 host-name username-1.tunnel.tserv3.xxx1.ipv6.he.net
set dns ddns enable
To view status:
-> get dns ddns
status: enable  usage: 1/8
id type   state server          username   interface  nextupdate   lastresp
——————————————————————————–
1 dyndns     1 ipv4.tunnelbrok username   eth0/0     6d;23:24:00  nochg
To view detailed status:
-> get dns ddns id X
Id:                     1
State:                  Init
Socket:                 -1
Type:                   dyndns
Server:                 ipv4.tunnelbroker.net
Clear-text:             no
Refresh-int:            7 days 0 hours 0 minutes 0 seconds
Min-update-int:         1 hours 0 minutes 0 seconds
Next-update:            6 days 23 hours 24 minutes 0 seconds
Username:               username
Password:               **********
Agent:                  Netscreen-6.X-00000
Src-interface:          ethernet0/0
Host-name:              username-1.tunnel.tserv3.xxx1.ipv6.he.net (dyndns)
Last-response:          nochg
Last-response-ip:       0.0.0.0
Last-Updated:           before 36 minutes 8 seconds
Counters
——————————————————————————–
Successful updates:     3
Failed updates:         0
Server lookup failures: 5
Socket creation errors: 0
Socket connect errors:  3
Socket send errors:     0
Update retries:         0
To debug / troubleshoot:
From CLI:
Cancel debugging / clear buffer:
-> undebug all   (or press <ESC>)
-> clear dbuf
Enable DDNS debugs:
-> debug dns ddns
View dbuf:
-> get dbuf stream
Errors that show DNS is working:
ddns: server ipv4.tunnelbroker.net resolved to 64.62.200.2
Errors that show SSL issue:
DDNS: connect error
socket creation failed
Successful update:
ddns: server ipv4.tunnelbroker.net resolved to 64.62.200.2
GET /nic/update?system=dyndns&hostname=username-1.tunnel.tserv3.xxx1.ipv6.he.net&myip=XXX.XXX.XXX.XXX&wildcard=OFF&mx=mail.exchanger.ext&backmx=NO&offline=NO HTTP/1.0
Accept: text/html;*.*;
Host: ipv4.tunnelbroker.net
….
nochg XXX.XXX.XXX.XXX
….
ddns: succesfully updated DYNDNS server
The "nochg" means the updated IP matches the existing one, so "no change".
Don’t forget to cancel debugging with "undebug all" or pressing "<ESC>"
Brian

Read More

The antivirus server at work was pissing me off and saturating our OC3.  I policed it down to 50mbps.

ip access-list extended traffic-police
permit ip host 192.168.0.100 any

class-map traffic-police
match access-group name traffic-police

policy-map traffic-police
    class traffic-police
        police 50000000 conform-action transmit exceed-action drop

int po1/0
service-policy output traffic-police

Read More

ip wccp version 2
ip access-list standard WCCP_Proxies
10 permit host 192.168.10.80
20 permit host 192.168.11.80

ip access-list extended WCCP_Redirect
10 deny ip host 192.168.10.80 any
20 deny ip host 192.168.11.80 any
30 permit ip 10.16.0.100 0.15.255.0 any

ip wccp 0 group-list WCCP_Proxies redirect-list WCCP_Redirect

int vlan 10
ip wccp 0 redirect in

Read More

… My dad changed ISPs and took the SSG5 I gave him offline.  I had to disable the VPN on my side because it was spamming the logs.  If I ever need to re-enable it, all I need to do is bind it to tunnel.1 and re-enable monitor, optimized, and rekey.

Read More

i’m currently working on a wireless deployment with a requirement to use mac filtering.  There are over 600 laptops being deployed to a unique location per laptop.  Part of the imaging process doesan ipconfig and dumps the output to a text file which I can then use to copy/paste the hostname and mac into the Cisco 8510 wireless controller.  I’m lazy, so I made a bash script to parse the ipconfig text files. I wish I knew how to do this in Windows, but I work with what I got. The script takes this input from a text file:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : GU0123LT01
   Primary Dns Suffix  . . . . . . . : guammie.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : guammie.com

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Ralink RT5390R 802.11b/g/n 1×1 Wi-Fi Adapter
   Physical Address. . . . . . . . . : B8-76-3F-25-34-4D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : B4-B5-2F-8D-BF-2B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

And generates this command line that I can just copy/paste into the controller:

config macfilter add B8:76:3F:25:34:4D 18 guunit-clients "unit 0123 laptop"

Here’s the script.  It’s not the cleanest, but it works:

#!/bin/bash
FILES=/home/donovan/macs/*.txt
for f in $FILES
do
  # take action on each file. $f store current file name
  hostname="$(awk ‘/Host Name/ {c=1}c–>0’ $f | sed -n ‘/\<Host Name\>/ s/.*[[:space:]]\([[:alnum:]]\+\)$/\1/p’ | awk ‘{print substr($0,3,4)}’)"
  mac="$(awk ‘/Ralink RT5390R/ {c=1;next}c–>0’ $f | awk -F ‘Physical Address. . . . . . . . . : ‘ ‘{print $2}’ | sed ‘s/\-/\:/g’)"

echo "config macfilter add $mac 18 guunit-clients \"unit $hostname laptop\""

done

That’s it.

Read More

I upgraded ASDM from 6.4.(5)106 to 6.4(5)204 and the launcher broke.  Running it as a web app still worked though, so I figured it had to do with the way the shortcut was setup.  Here’s a comparison of the two:

106:

C:\Windows\SysWOW64\javaw.exe -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher

204:

"C:\Program Files (x86)\Cisco Systems\ASDM\asdm-launcher.jar" -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar

I changed the shortcut back to the old format and it worked.

Read More

for /L %x in (1,1,255) do @ping -n 1 192.168.0.%x -w 100 | find “Reply”

This works right in CLI

Read More

A few weeks ago, I was banging my head on the table trying to get the management port group working on a nic team/etherchannel for a client.  They use Netgear switches, so I was kinda feeling my way through the GUI to make it work.  Everything looked right, but I still couldn’t get the stupid etherchannel working.  Everytime I plugged both nics in on the 2 nic channel, the link would drop.  It would come right back up when I removed one of the links.  I got fed up and blamed the switches.

Normally when you create an etherchannel you also go into the vswitch properties and enable “Route based IP hash” for the load balancing algorithm.  As it turns out, THE MANAGEMENT NETWORK PORT GROUP DOES NOT INHERIT THIS SETTING IN 4.1.  I followed the instructions tonight and the etherchannel works like a champ now (again?) at the client site.

%#$@%#$!!!

Read More

Promiscuous mode needs to be enabled on the vSwitch if you are using bridge mode.  Remember that before you facepalm.

Read More

Setting up VPNs is always a PIA, but Juniper really dumbs it down and I have to say really spoiled me.  So when it came time to setup another VPN with a partner who is running an ASA, I had to shake off the rust and think of what could go wrong.  Most of the time I set up tunnels with non-Juniper devices, it ends up being a wrong proxy-id on either side.  You can usually tell this when you see “DOI 1 18 INVALID-ID-INFORMATION” or “No policy exists for the proxy ID: local(local ip/netmask/0/0) remote(remote ip/netmask/0/0)”.   ScreenOS derives the proxy-id from the tunnel, so I normally don’t worry about setting this up, but of course it only works as designed when you connect to other ScreenOS devices.  I don’t know if the SRX platform behaves the same way since it’s running JunOS.  I caught this error message and we managed to get the tunnel going, but no traffic was passing through.  Being a Friday night and this not being a critical issue at the moment, both sides decided to come back to it later.

I have a couple Cisco routers and Juniper SSGs at home for a lab.  I recently picked up an ASA 5505 off of eBay as well and decided to give the configuration on both sides a try to figure out what is going wrong.  Beyond setting up AAA, ntp, and the rest of the management stuff, I have not really had time to do anything with the ASA.  I have experience with IOS from a router and switch perspective, but I’ve never touched PIX.  All of my firewall experience is with Fortinet, ScreenOS, and whatever linux distros I’ve tried (Astaro comes to mind).

Cisco’s documentation being as awesome as it is, that is the first place I went to figure out what to do:

I’m not one to use a GUI with Cisco devices, so I went through some configuration examples and the cli configuration guide as a first pass to get the tunnel up and running.  I managed to do this, but I couldn’t connect anything beyond the inside interfaces on either gateway and only gateway to gateway.

So I wiped the ACLs and crypto config I put in and fired up ASDM.  I used the IPSEC VPN Wizard and kept flipping back to my console to see what changes it was making.  One of the first things that caught my eye was the option to “Enable inbound IPSEC sessions to bypass interface access list.”  Not having experience with setting up Cisco VPNs before, I thought, “Why on God’s green Earth would I not have policies to control that traffic?” Yes, it’s implied that I trust the other side to some degree if I’m setting up a VPN tunnel, but I still want fine grain control of the communication.  That checkbox leaves the default setting “sysopt connection permit-vpn” intact.  This does exactly what the description says on the checkbox.  Without it, you have to setup multiple ACLs to get tunnel traffic working properly because the traffic terminates on the outside interface of the ASA.

gp01

I setup a working VPN with and without that box checked, and I decided to go with it checked.  As it turns out, you can use filters on the connection group policy to control exactly what passes through the tunnel.  In this basic lab without the box checked, I had to add an additional 3 policies to get traffic moving through the tunnel.  This might not seem like a hassle, but this is just a lab with a single site to site.  Extrapolate that complexity when you start adding multiple sites.  There may be some scenarios where filters just won’t be sufficient, but for what I need to do at work, they will accomplish the task.

gp02

Excerpt from Troubleshooting Guide:

Note: If you do not wish to use the sysopt connection command, then you must explicitly permit the required traffic, which is interesting traffic from source to destination, for example, from LAN of remote device to LAN of local device and “UDP port 500” for outside interface of remote device to outside interface of local device, in outside ACL.

http://networking-forum.com/viewtopic.php?f=35&t=3310

According to chapter 21 of The Complete Cisco VPN Configuration Guide, the way to do what I am asking is to write manual access lists to permit ipsec/isakmp traffic.

Using this method, one must manually write access lists to permit all ports used by ipsec/isakmp components to allow this traffic into a firewall. This method makes it so packets are checked against access lists twice: once when coming in as ipsec traffic, and again once decrypted as plaintext packets. This allows one to match only desired traffic using the second, more stringent access list.

The alternative is using the “sysopt connection permit-vpn” command. This is also known as ACL bypassing, hence, you cannot restrict traffic further, since the access lists are written for you using this command.

Another method (usable only for 7.0 and higher) is using the “sysopt connection permit-vpn” command on an outside interface, and writing more restrictive access lists outgoing on an inside interface. This method enables one to allow all ipsec/isakmp traffic into the firewall while restricting where the traffic can go from there.

The second thing that caught my eye was a NAT policy that gets added:  nat (any,any) source static local local destination static remote remote.  This command makes no sense to me, and I most of the online research I did regarding NAT had a different syntax.  Cisco changed the NAT syntax in 8.3.  Prior to, it was the same as PIX.

Again, Juniper just completely dumbs this down and I never had to configure anything like this.  I’m not a big fan of any-any policies, so I’m going to do some further research on tightening this down later.

For now, here is the setup and working configs for an SSG5 to ASA5505 VPN with and without sysopt enabled.

vpn

Configs:
ASA sysopt
ASA no sysopt
SSG

Read More