anon.ms anon ms it guy: more than break-fix

25 Nov 09

Exmerge

Hey,

Windows Small Business Server 2003 has an Exchange limit of 75 GB per mailbox store, and only 1 mailbox store allowed (for the Standard version of Exchange).

When clients reach this limit, we usually Exmerge to PST files.

It is such a hassle because it takes so much time to work out a date range that will get close to 2 GB but not exceed it.

Here's a tip: exclude the Contacts folder! I always forget this and people wonder where their contacts have gone.

anon ms.

23 Nov 09

My Standard XP Install/Setup

Hopefully you're like me and love to trim all the fat.

Whenever I touch a client's (XP Pro) computer or do a new install, this is what I do (with permission):
Right click My Computer, Properties, Advanced, Performance Settings, Adjust for best performance, then tick the following:
Show window contents while dragging
Smooth edges of screen fonts
Use drop shadows for icon labels on the desktop
Use visual styles on windows and buttons (only if the user REALLY wants it)

Then:
Start, Run, services.msc, enter.

Make all of these start up manually:

Cryptographic Services
Distributed Link Tracking Client
Error Reporting Service
Help and Support
IPSec Services
Logical Disk Manager
Remote Registry (unless in a corporate environment)
Secondary Logon
Security Center
System Restore Service (I've never ever had to use it)
Themes (unless customer really wants it)
WebClient
Windows Firewall/ICS
Windows Image Acquisition (I've had this stall on startup sometimes when set to Automatic. Takes forever)
Wireless Zero Configuration (Unless it's actually got a wireless card and they're not using the third-party applications).

Install CCleaner (www.ccleaner.com)

Tick all except:
Internet Explorer history,
Recently typed URLs,
Autocomplete Form History,
Recent Documents,
Run (in Start Menu),
Search Autocomplete,
Other Explorer MRUs,
Empty Recycle Bin,
Wipe Free Space

In CCleaner, go to Tools -> Startup and aggressively delete all the startup items you can (I always ask the Customer if they need any before I do it. Most of the time they don't.)

Install Defraggler (www.defraggler.com)
Schedule a daily/weekly defrag

Install VNC (if you use it)

Enable Remote Desktop (Right Click My Computer, Properties, Remote Tab, Allow users to connect remotely to this computer)

Add Domain Users to Local Administrators (if on an Active Directory Domain)

(I KNOW people will get upset with everyone being a local Administrator. Yes there are downsides, but so far they don't outweigh the benefits (in my opinion). So many times software will not run because of insufficient rights.)

Remove the annoying language bar for good.

Change the keyboard repeat delay to Short and make sure repeat rate is fastest.

Change resolution to at least 1024 x 768

And that should be it!

If I have time, I install Windows XP PowerToys to remove the menu hover delay entirely. If it's an elderly user, or one that lacks some dexterity, I don't do this. I prefer a snappier interface, but some people lack the mouse control.

I still wonder why with all this computing power things are still so slow. 7 years ago we were sending emails, writing up word documents, playing with excel formulas, and wasting time on the web. Now, we are sending emails, writing up word documents, playing with excel formulas and wasting time on the web at the SAME SPEED DESPITE SUCH AN INCREASE IN CPU/RAM/HDD.

The eye candy is making us fat and slow.

anon ms.

23 Nov 09

Directing HTTP Traffic onto Another Link

Hello,

A client of mine unfortunately cannot get ADSL2+ at their new office. They have 3 ADSL1 services instead.

We decided to use one for HTTP/HTTPS traffic to take some of the load off their primary link.

You can use Policy-Based Routing (PBR) to do this.

Numbers:
Default Gateway: 192.168.1.1
Secondary DSL router: 192.168.1.2
Vlan1 Address: 192.168.1.1

First, define an access list that selects your interesting traffic:
access-list 180 remark *** Select HTTP/HTTPS Traffic ***
access-list 180 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 180 permit tcp 192.168.1.0 0.0.0.255 any eq 443

Next, define a route-map that matches the interesting traffic and sets the next-hop IP address:
route-map WebTraffic permit 10
match ip address 180
set ip next-hop 192.168.1.2

Apply it to the VLAN interface:
interface Vlan1
ip policy route-map WebTraffic

If, for example, they were hosting services on the second line using a server at 192.168.1.49, you can select more interesting traffic:
access-list 180 remark *** SELECT HTTP/HTTPS Server Traffic ***
access-list 180 permit tcp host 192.168.1.49 eq 80 any
access-list 180 permit tcp host 192.168.1.49 eq 443 any
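As written, the route-map hands web traffic to 192.168.1.2 whether or not that router is reachable, so if the secondary DSL router fails the HTTP/HTTPS traffic is dropped instead of falling back to the primary link. The following is an added example (not from the original post) that pairs the same policy with an IP SLA probe and next-hop tracking; it assumes IP SLA operation 1 and track object 1 are unused on the router.

```cisco
! Added example, not the post's own config. The next hop 192.168.1.2 is
! only used while it answers ICMP probes; when track 1 goes down the
! route-map is bypassed and web traffic follows the normal routing table.
! Older 12.4 releases spell "ip sla" as "ip sla monitor" / "rtr".
ip sla 1
 icmp-echo 192.168.1.2 source-interface Vlan1
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
access-list 180 remark *** Select HTTP/HTTPS Traffic ***
access-list 180 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 180 permit tcp 192.168.1.0 0.0.0.255 any eq 443
!
route-map WebTraffic permit 10
 match ip address 180
 ! "10" is the verify-availability sequence number, not a timer
 set ip next-hop verify-availability 192.168.1.2 10 track 1
!
interface Vlan1
 ip policy route-map WebTraffic
```

Probing the LAN address of the DSL router only proves the router is alive, not that its line is up; to test the line itself, probe an Internet host instead and pin that probe with a host route via 192.168.1.2. `show track 1` and `show route-map WebTraffic` confirm the tracked state and that the policy is matching packets.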

anon ms.

20 Nov 09

Renaming a Network

Hey,

To make my life easier, I often set up site-to-site VPNs to the clients my own company looks after.

I sometimes set up site-to-site VPNs to the larger clients of my employer.

I encountered a problem recently where my Client's and my Employer's Client's subnets were the same: 192.168.0.0/24.

I knew what needed to be done, but whether or not it was possible I was not sure.

Basically I had two options:
1. Change the source as it left one of the clients, and change the destination on its way back
OR
2. Change my destination as it left my network, and change the source as it came back.

Even though I had full access to both Clients' routers, I thought it would be better if I did it on my own company's router. Option 2.

So, from my previous posts you will see that I particularly like Tunnel interfaces.

I did some research, and found I had to change my usual Tunnel interface and define it as an outside nat interface.

Example:
MyRouter(config)# interface Tunnel9
MyRouter(config-if)# ip unnumbered Vlan1
MyRouter(config-if)# ip nat outside
MyRouter(config-if)# tunnel source Dialer0
MyRouter(config-if)# tunnel destination A.A.A.A
MyRouter(config-if)# tunnel mode ipsec ipv4
MyRouter(config-if)# tunnel protection ipsec profile ipsecProfile

I then needed to define my rules for translation, plus a new route.

ip nat inside source static network 192.168.9.0 192.168.0.0 /24
ip nat outside source static network 192.168.0.0 192.168.9.0 /24
ip route 192.168.9.0 255.255.255.0 Tunnel9

Works perfectly, although I find the terms REALLY confusing!!!

Of course I will need a corresponding route on the remote router back to my network.

ip nat inside source static will change the SOURCE on its way OUT, and DESTINATION when it comes back in. (Compare this to a usual ip nat outside on a Dialer for internet sharing).
This seems counter-intuitive as the Tunnel interface is ip nat outside. When traffic goes out via the Tunnel, it is essentially going in->out, so why is the SOURCE not changed? The source will always be from my Vlan1, correct?

I can't explain this one. Any help is appreciated!

Also:

show ip nat translations will give:

Pro  Inside global  Inside local  Outside local  Outside global
---  ---            ---           192.168.9.0    192.168.0.0
---  192.168.0.0    192.168.9.0   ---            ---

19 Nov 09

Use your Cisco as a PPTP VPN Server

Hey,

If you're lazy like me and wish to set up a PPTP VPN Server instead of a Cisco IPSec one, you can with Virtual Private Dialup Networking (VPDN).

It's pretty easy.

In this example I will not be configuring any authentication other than local.

RouterA(config)# aaa authentication ppp default local

Enable Virtual Private Dialup Networking

RouterA(config)# vpdn enable

Define a VPDN Group, specify protocol and assign a Virtual Template interface. This will be used for incoming connections.

RouterA(config)# vpdn-group MyPPTPGroup
RouterA(config-vpdn)# accept-dialin
RouterA(config-vpdn-acc-in)# protocol pptp
RouterA(config-vpdn-acc-in)# virtual-template 1

Define the DNS and WINS servers on your local network. These will be handed out to PPTP clients.

RouterA(config)# async-bootp dns-server 192.168.0.32
RouterA(config)# async-bootp nbns-server 192.168.0.32

Set up the Virtual Template interface

RouterA(config)# interface Virtual-Template1
RouterA(config-if)# ip unnumbered Vlan1
RouterA(config-if)# peer default ip address pool PPTP-Pool
RouterA(config-if)# no keepalive
RouterA(config-if)# ppp encrypt mppe 128
RouterA(config-if)# ppp authentication ms-chap ms-chap-v2

Specify our local address pool

RouterA(config)# ip local pool PPTP-Pool 192.168.0.200 192.168.0.210 ! Same range as my Vlan 1

To see who's connected, do a show users

Nice and easy huh? At least we don't have to worry about pushing Cisco VPN Clients to everyone.

anon ms.

19 Nov 09

Site-to-Site VPN with Virtual Tunnel Interfaces

Hey,

There are many ways to create Site-to-Site VPNs. One method that I like uses Virtual Tunnel Interfaces with optional IPSec encryption.

This method allows you to create a virtual interface and you are able to see if the tunnel is up/down.

I will be using IPSec in this example, and I assume both sites have Static IP addresses.

This example pretty much has 5 things involved: an isakmp policy, an isakmp key, a transform set, the actual tunnel interface, and of course a static route pushing other-site traffic across it.

First, define your ISAKMP Key to identify each side:

RouterA(config)# crypto isakmp key P455word address B.B.B.B

Next, define your ISAKMP policy:

RouterA(config)# crypto isakmp policy 1
RouterA(config-isakmp)# encr 3des
RouterA(config-isakmp)# authentication pre-share
RouterA(config-isakmp)# group 2

Then define your IPSec Transform Set:

RouterA(config)# crypto ipsec transform-set ipsecTransformSet ah-sha-hmac esp-3des

Now we are ready to define our Tunnel Interface:

RouterA(config)# interface Tunnel1
RouterA(config-if)# description *** Tunnel to RouterB ***
RouterA(config-if)# ip unnumbered Vlan1
RouterA(config-if)# keepalive 10 3
RouterA(config-if)# tunnel source A.A.A.A
RouterA(config-if)# tunnel destination B.B.B.B
RouterA(config-if)# tunnel mode ipsec ipv4
RouterA(config-if)# tunnel protection ipsec profile ipsecProfile

I personally like to limit the number of IP addresses I need to worry about, hence the use of ip unnumbered Vlan1. Other configurations include a different subnet (most likely a /30) to identify each side of the tunnel. This means you can ping the other side of the Tunnel if you wish.

Now we can identify our static route:

RouterA(config)# ip route 192.168.0.0 255.255.255.0 Tunnel1 permanent

I add the permanent option here so that in the event the Tunnel is down, it does not go across the default route, usually a Dialer which goes out the internet.

If you are having trouble getting your Tunnel up, make sure you are not denying any IPSec or GRE traffic on your WAN connection and that you have the correct isakmp keys and addresses defined on both routers.

You may like to debug crypto isakmp and crypto ipsec to see what's going on.

You can temporarily leave your tunnel unsecured by removing:
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsecProfile

The RouterB configuration will be the same except for the isakmp key (at address A.A.A.A) and the Tunnel interface source and destinations switched around.
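The Tunnel1 configuration above references ipsecProfile, but the post never defines it. As an added example (not the author's configuration), here is that profile binding the transform set to the tunnel, followed by the mirrored RouterB side described above; it assumes RouterA's LAN is 10.0.0.0/24 (the post only gives RouterB's 192.168.0.0/24).

```cisco
! Added example, not from the original post.
!
! --- RouterA: the piece the post leaves out ---
! "tunnel protection ipsec profile ipsecProfile" needs this profile, which
! is what actually ties ipsecTransformSet to the tunnel.
crypto ipsec profile ipsecProfile
 set transform-set ipsecTransformSet
!
! --- RouterB: mirror of RouterA ---
! Same policy and transform set; the key points at A.A.A.A, the tunnel
! source/destination are swapped, and the route covers RouterA's LAN
! (10.0.0.0/24 is an assumption, not a value from the post).
crypto isakmp key P455word address A.A.A.A
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ipsecTransformSet ah-sha-hmac esp-3des
crypto ipsec profile ipsecProfile
 set transform-set ipsecTransformSet
!
interface Tunnel1
 description *** Tunnel to RouterA ***
 ip unnumbered Vlan1
 keepalive 10 3
 tunnel source B.B.B.B
 tunnel destination A.A.A.A
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecProfile
!
ip route 10.0.0.0 255.255.255.0 Tunnel1 permanent
```

`show crypto session` on either router should list the peer as UP-ACTIVE once both sides are in place, and `show interface Tunnel1` shows the line protocol following the IPsec SA.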

Hope that helps,

anon ms.

Disclaimer: I don't know enough Cisco to answer all the questions regarding IPSec and Virtual Tunnel Interfaces. For all intents and purposes, I have no idea what I'm doing!

16 Nov 09

IPSec VPN Remote Access

Morning,

My weekend was dedicated to my new toy.

I bought a HWIC-3G-GSM the other day and finally had 2 connections to the internets. eBay is evil.

I also have a WIC-1AM but it's too slow/frustrating to do anything interesting. eBay is evil.

If you want some great info on how to set up the 3G HWIC, go here http://whirlpool.net.au/wiki/?tag=3G_for_Network_Engineers. Without it, I wouldn't have got anywhere.

I was trying to replicate a scenario that a colleague had whereby roaming users would connect via IPSec on the 3G interface. The 3G interface would also be used for redundancy in case the primary link (I assume DSL of some sort) was down.

I'd never done a config for IPSec Remote Access so this was another learning experience. I've only ever done tunnel interfaces site-to-site protected by IPSec transform sets.

In a nutshell, this is what you can do:

(I apologize for the lack of detail. I'm the sort of person to hack something together and then randomly change things to see what happens. I'm only a CCNA at present and learning VERY slowly, often the hard way. For all intents and purposes, one can safely assume that I have no idea what I'm doing.)

  1. Enable AAA. These will define the authentication methods for your remote IPSec clients. I'm using local authentication. You'll need to set up local users (username administrator password test)
    aaa new-model
    aaa authentication login vpnuserauth local
    aaa authorization network vpnusers local
    aaa session-id common
  2. Define a local IP pool for your VPN users. These will be the IP addresses assigned to remote access clients.
    ip local pool vpnpool 192.168.0.1 192.168.0.12
  3. Define an ACL to identify your traffic to be encrypted
    access-list 123 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
  4. Define a crypto isakmp policy. This policy must be matched by the VPN Client. I've been using this one for my site-to-site tunnels and this works with the Cisco VPN Client too.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
  5. Define a crypto ipsec transform set. As far as I know, this defines the encryption & hash algorithms to run on your data.
    crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
  6. Define a dynamic crypto map. Like a normal crypto map, but not all fields are required; the only required field is the transform set.
    crypto dynamic-map vpndynmap 1
    set transform-set vpnset
  7. Set up a crypto map that specifies authentication methods and links the dynamic map to it.
    crypto map vpnmap client authentication list vpnuserauth
    crypto map vpnmap isakmp authorization list vpnusers
    crypto map vpnmap client configuration address respond
    crypto map vpnmap 1 ipsec-isakmp dynamic vpndynmap
  8. Define a crypto client group and client settings
    crypto isakmp client configuration group vpnusers ! vpnusers is the group authentication used in the VPN Client
    key Passw0rd
    dns 10.0.0.32 ! you can set up dns and wins etc. see ? help for more options
    wins 10.0.0.32
    domain mydomain.com
    pool vpnpool ! from Step 2
    acl 123 ! identifies what traffic is to be encrypted
  9. Assign the crypto map (vpnmap) to the appropriate WAN interface. Make sure you are not blocking IKE/IPSec traffic on the interface.
  10. I don't know if this is required, but if you are NATting on the interface (e.g. Dialer 3), you may want to disable NAT for traffic going from local -> VPN Client (10.0.0.0 -> 192.168.0.1)
  11. I don't know if this is absolutely required either, but a route for 192.168.0.0 via Dialer 3 wouldn't be a bad idea.

So far so good, VPN Clients worked fine via the 3G interface. Now to make it do some NAT so I can browse through it.

I set up the Dialer 3 as ip nat outside and attempted to NAT traffic through it.

I also have Dialer 0 as my default route, and also an outside NAT interface.

Rookie Mistake #1

I had two NAT statements that I thought would cover it, provided I routed through the correct interface.

ip nat inside source list 100 interface Dialer 0 overload ! DSL
ip nat inside source list 103 interface Dialer 3 overload ! 3G
access-list 100 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any

access-list 103 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 10.0.0.0 0.0.0.255 any

So, off I go and make a static host route to a (business) client of mine and see if I can go via my 3G... No luck. Pings would time out. Telnets to the SMTP server on the other end would fail. Funnily enough, I could telnet to the mail server directly from the router, do an ehlo and it would show me the 3G IP address. It appeared that NAT wasn't working correctly. I started getting worried thinking: oh great, you just signed up for mobile internet & bought an expensive toy and it doesn't even work!

Rookie learns to "debug ip nat"

Debugs returned this: NAT: translation failed (A), dropping packet

Google returned 1 suggestion that I should enable ip subnet-zero. Clutching at straws, I did so even though it's now a default (just in case!). No change.

Then it hits me. It's trying to use the Dialer0 IP address while going out Dialer3, hence the failure. I obviously need to link the outgoing interface to the correct NAT statement.

Enter: ip nat inside source route-map

I've always wondered why anyone would use a route-map as a nat source. Now I know.

To link the outgoing interface to the correct address, I did the following:

route-map dslTraffic
match interface dialer0
match ip address 100

route-map celTraffic
match interface dialer3
match ip address 103

I then changed the 2 nat statements above to:

ip nat inside source route-map dslTraffic interface dialer0
ip nat inside source route-map celTraffic interface dialer3

Tada!

I didn't have time to do failover, but it can't be that hard? Can it?!?
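The failover the post stops short of, as an added example that is not the author's configuration: Dialer0 (DSL) stays the default route while a probe through it succeeds, and a floating static route via Dialer3 (3G) takes over when it fails. Because the two NAT statements above match on the outgoing interface, translations switch to the 3G address without further changes. It assumes P.P.P.P is a reliable Internet host reachable over the DSL (a placeholder, not a value from the post) and that ip sla 10 and track 10 are unused.

```cisco
! Added example, not from the original post.
! Probe P.P.P.P, and pin the probe to Dialer0 so it cannot leave via 3G
! and report the DSL as healthy when it is not.
! Older 12.4 releases spell "ip sla" as "ip sla monitor" / "rtr".
ip route P.P.P.P 255.255.255.255 Dialer0
ip sla 10
 icmp-echo P.P.P.P source-interface Dialer0
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
!
! The primary default route is withdrawn when track 10 goes down; the
! floating route (administrative distance 250) then becomes the best path.
ip route 0.0.0.0 0.0.0.0 Dialer0 track 10
ip route 0.0.0.0 0.0.0.0 Dialer3 250
!
! Translations already built against Dialer0's address do not move on
! their own, so existing sessions stay broken until they are flushed.
! This EEM applet clears the NAT table whenever the track changes state.
event manager applet NAT-FLUSH
 event track 10 state any
 action 1.0 cli command "enable"
 action 2.0 cli command "clear ip nat translation *"
```

`show track 10` and `show ip route 0.0.0.0` show which default route is active; after a failover, `show ip nat translations` should only list entries using the Dialer3 address.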

anon ms.