Contact our honeypot department if you are desperate to get blacklisted.

Thursday, September 23, 2010

Dear AOL user: be brave

Dear AOL user,
     Please don't use the Internet to do your dirty work.  If you don't want email from someone you know, then please simply contact them and tell them so.  Don't use the Internet to do your dirty work for you.  There are two reasons you should take direct action:
  1. It doesn't work.  When you mark an item as spam in your AOL inbox, it sends a message to the ISP of the person who sent that message.  In the case of actual Unsolicited Bulk Email, this might be the appropriate thing to do, but when it's from an actual person who really put your address in the "TO:" field, it is definitely the wrong thing to do.  This subjects ISP technicians the world over to reading the pithy, lolcats-laden, sentimental stuff you didn't want in the first place.  COME ON!  It will not block that person from sending to you; they never find out.  In addition, AOL redacts your email address from the original message so we cannot even tell our customer who it is that doesn't want their email.  In the end, it's a waste of everyone's time.  But more importantly:
  2. It's the right thing to do.  Ethically, I think email should be treated like regular postal mail or notes passed in class; you should acknowledge receipt.  If you don't want that type of email, just let the sender know.  With any luck, they're adults and will accept it.  If not, then what have you really lost?
 Please, please, please do the human thing.  You know those tee-shirts that nerds wear that say "I read your Email"?  Well, this is one of the few things that actually makes us do that and, trust me, we have better things to do.  Thank you.

Signed,
The Management

Thursday, August 5, 2010

Cisco ASA 7.2 PPPoE Lan-to-LAN IPSEC with conditional NAT Template

This is a pretty standard config, except for the conditional (policy) NAT.  Only the hosts listed in object-group LocalHostsToNATtoVendor01 are translated, and only for traffic to the RemoteVendor01 network: nat (inside) 1 matches that ACL and maps them into the 172.16.6.24-31 pool, while everything else on 10.10.10.0/24 is PATed to the outside address by nat (inside) 2.  Because the ASA translates before it encrypts, the crypto ACL (outside_1_cryptomap) is written with the translated source, 172.16.6.24/29, rather than the 10.10.10.x addresses, and the vendor's ACL must mirror that.  Two things to watch: the pool has exactly as many addresses as the object-group has hosts, so adding a ninth host means widening the pool and the crypto ACL as well; and the nat (inside) 0 exemption is keyed on 172.16.6.24/29 too, which no inside host has, so that line matches nothing in this config.
!ASA Version 7.2(4)
!
enable password ********** encrypted
passwd ********** encrypted
names
!
interface Vlan1
description LAN
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
description OUTSIDE
nameif outside
security-level 0
pppoe client vpdn group MyPPPUserName
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object-group network RemoteVendor01
network-object 192.168.64.0 255.255.248.0
! 
object-group network LocalHostsToNATtoVendor01
network-object host 10.10.10.150
network-object host 10.10.10.151
network-object host 10.10.10.152
network-object host 10.10.10.153
network-object host 10.10.10.154
network-object host 10.10.10.155
network-object host 10.10.10.156
network-object host 10.10.10.157
! 
access-list outside_1_cryptomap extended permit ip 172.16.6.24 255.255.255.248 192.168.64.0 255.255.248.0
access-list inside_nat0_outbound extended permit ip 172.16.6.24 255.255.255.248 192.168.64.0 255.255.248.0
! 
access-list LocalHostsToNATtoVendor01 remark conditional NAT
access-list LocalHostsToNATtoVendor01 extended permit ip object-group LocalHostsToNATtoVendor01 object-group RemoteVendor01
!
!define two NAT pools, one pool of IPs, the other the outside interface address
global (outside) 1 172.16.6.24-172.16.6.31
global (outside) 2 interface
!NAT exemption is evaluated first.  As written its source is the pool range, which no
!inside host has, so it has no effect on this config.
nat (inside) 0 access-list inside_nat0_outbound
!policy NAT: the listed hosts get a pool address, but only for traffic to RemoteVendor01
nat (inside) 1 access-list LocalHostsToNATtoVendor01
!everything else on the LAN is PATed to the outside interface address
nat (inside) 2 10.10.10.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.152.45.12
crypto map outside_map 1 set transform-set ESP-AES-192-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 28800
!
vpdn group MyPPPUserName request dialout pppoe
vpdn group MyPPPUserName localname MyPPPUserName
vpdn group MyPPPUserName ppp authentication pap
vpdn username MyPPPUserName password *********
!
tunnel-group 192.152.45.12 type ipsec-l2l
tunnel-group 192.152.45.12 ipsec-attributes
pre-shared-key *
!
! here's an interesting feature
smtp-server 10.45.26.2
prompt hostname context

blocking opportunists with Fail2ban

Fail2ban is a great package, and I've been using it a lot lately.  It's extremely simple, flexible and effective.  Out of the box it comes with some nice filters for scraping web server logs for IPs looking for exploits on your web server.  My web server has basic password authentication enforced, so most folks wouldn't even get to those pages if they tried, but I still don't like the idea of folks trying to brute force their way in.  So I recently added a new filter for banning IPs that rack up a number of HTTP 401 (Unauthorized) errors (I might expand this to include 403 or 404 errors as well).  It was easy:


1) define a new filter:
[root@noc tacacs]# cat /etc/fail2ban/filter.d/apache-badURLs.conf
[Definition]
# adapted from apache-auth.conf
# Option: failregex
# Notes.: regex to match jerks trolling for exploits.
# The host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT

#examples:
#115.168.71.85 - - [25/Jul/2010:09:48:04 -0700] "GET /websql/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6"
#209.168.161.229 - - [25/Jul/2010:21:32:03 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 479 "-" "ZmEu"
#unknown.ord.scnet.net - - [28/Jul/2010:14:35:05 -0700] "GET /mysql/scripts/setup.php HTTP/1.0" 401 482 "-" "Wget/1.11.4 Red Hat modified"

# The client address is the first field of an access_log line, so anchor <HOST>
# there.  Without a <HOST> group fail2ban refuses to load the filter.
failregex = ^<HOST> .*\"GET.*HTTP.*\" 401 \d{3}

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex =
# end apache-badURLs


2)  make a new jail in /etc/fail2ban/jail.conf:
[apache-badURLs]

enabled = true
#name of the file in /etc/fail2ban/filter.d/ which will define the match criteria
filter = apache-badURLs
#actions are stacked as continuation lines under ONE "action =" key; a second
#"action =" line would silently replace the first rather than add to it.
# hostsdeny         - add the IP to /etc/hosts.deny (only TCP-wrapper-aware services
#                     honour that file; Apache does not, so this is belt-and-braces)
# iptables-allports - ban the IP address outright, on every port
# sendmail-whois    - email "dest" a ban notice with the WHOIS record for the IP
#                     attached, for abuse tracking and follow-up
action = hostsdeny
         iptables-allports[name=badURLs]
         sendmail-whois[name=badURLs, dest=me@example.com, sender=fail2ban@example.com]
#define which logs to search.  This glob matches both "access_log" and "ssl_access_log"
logpath = /var/log/httpd/*access_log
# how many times will you put up with it before running the action?
maxretry = 3
#end apache-badURLs section

That's pretty much it.  The actions stack, and can include emailing yourself (with the offender's WHOIS record, as sendmail-whois does), banning only certain ports, etc.  An action could also add the IP to your perimeter firewall's ACL via ssh (I haven't tested this but probably will) or run just about any scriptable function.

A few notes:  This was designed for a private site.  If you run a public site which you want well marketed, you may end up blocking Google, Yahoo etc. when their spiders crawl your site and hit the password prompt.  I'm not sure how that would work.
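To see what the filter actually catches before turning it loose, here is an added example (mine, not the post's or Fail2ban's own code) that applies the failregex above to constructed access_log lines the way fail2ban 0.8 does: the <HOST> tag is expanded to the group named in the filter header, matches are counted per host inside a sliding findtime window, and any host reaching maxretry is reported. The addresses (RFC 5737 ranges), timestamps and the "Googlebot/2.1" lines are made up to illustrate the crawler caveat; the ignoreregex parameter mirrors the filter option of that name.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex as it appears in filter.d/apache-badURLs.conf above.  fail2ban 0.8
# expands the <HOST> tag to the named group shown in the filter's comment header
# before compiling the expression, which compile_failregex() reproduces.
FAILREGEX = r'^<HOST> .*"GET.*HTTP.*" 401 \d{3}'
HOST_TAG = r'(?:::f{4,6}:)?(?P<host>\S+)'


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace('<HOST>', HOST_TAG))


# Apache combined-log timestamp, e.g. [25/Jul/2010:09:48:04 -0700]
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')


def parse_ts(line):
    m = TS_RE.search(line)
    return datetime.strptime(m.group(1), '%d/%b/%Y:%H:%M:%S') if m else None


def matched_hosts(lines, failregex=FAILREGEX):
    """Every <host> value the failregex extracts, in log order (duplicates kept)."""
    rx = compile_failregex(failregex)
    return [m.group('host') for m in map(rx.search, lines) if m]


def offenders(lines, failregex=FAILREGEX, ignoreregex=None, maxretry=3, findtime=600):
    """Hosts the jail would ban: maxretry failregex matches inside a findtime-second
    window.  Lines matching ignoreregex are skipped, as fail2ban's ignoreregex does."""
    rx = compile_failregex(failregex)
    ignore = re.compile(ignoreregex) if ignoreregex else None
    recent = defaultdict(list)   # host -> timestamps of matches still inside the window
    banned = []
    for line in lines:
        m = rx.search(line)
        if not m or (ignore and ignore.search(line)):
            continue
        host, ts = m.group('host'), parse_ts(line)
        if ts is None:
            continue
        window = [t for t in recent[host] if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry and host not in banned:
            banned.append(host)
    return banned


# Constructed sample access_log lines (documentation addresses), in the combined
# format used by the examples in the filter header.
SAMPLE_LOG = [
    # scanner: three 401s in three seconds -> banned
    '203.0.113.7 - - [25/Jul/2010:09:48:04 -0700] "GET /websql/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jul/2010:09:48:05 -0700] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Jul/2010:09:48:06 -0700] "GET /mysql/scripts/setup.php HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    # legitimate user who mistypes the password twice, then gets in -> not banned
    '198.51.100.20 - - [25/Jul/2010:10:02:11 -0700] "GET /private/ HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [25/Jul/2010:10:02:30 -0700] "GET /private/ HTTP/1.1" 401 479 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [25/Jul/2010:10:02:31 -0700] "GET /private/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # slow scanner: three 401s, each more than findtime apart -> not banned
    '192.0.2.33 - - [25/Jul/2010:21:32:03 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 479 "-" "ZmEu"',
    '192.0.2.33 - - [26/Jul/2010:05:12:03 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 479 "-" "ZmEu"',
    '192.0.2.33 - - [27/Jul/2010:11:40:03 -0700] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 401 479 "-" "ZmEu"',
    # crawler hitting the password-protected site: the caveat in the post -> banned too
    '192.0.2.200 - - [28/Jul/2010:08:00:01 -0700] "GET / HTTP/1.1" 401 479 "-" "Googlebot/2.1"',
    '192.0.2.200 - - [28/Jul/2010:08:00:02 -0700] "GET /about/ HTTP/1.1" 401 479 "-" "Googlebot/2.1"',
    '192.0.2.200 - - [28/Jul/2010:08:00:03 -0700] "GET /news/ HTTP/1.1" 401 479 "-" "Googlebot/2.1"',
    # HostnameLookups On: <HOST> captures a name, not an address
    'unknown.ord.scnet.net - - [28/Jul/2010:14:35:05 -0700] "GET /mysql/scripts/setup.php HTTP/1.0" 401 482 "-" "Wget/1.11.4"',
]

if __name__ == '__main__':
    print('would ban:', offenders(SAMPLE_LOG))
    print('ignoring crawler UA:', offenders(SAMPLE_LOG, ignoreregex=r'Googlebot'))
    print('hosts seen:', sorted(set(matched_hosts(SAMPLE_LOG))))
```

Two things worth noticing in the output: the last line yields a hostname in the "host" group, which fail2ban then has to resolve before it can ban anything, and the crawler is banned just like the scanner. Excusing crawlers by user-agent, as the ignoreregex call does, is weak because the UA string is chosen by the client; the jail's ignoreip option on the crawler's published address ranges is the safer way to keep Google and Yahoo out of the ban list.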

Wednesday, August 4, 2010

How to disable speed and duplex auto-negotiation on Cisco 2960

If you're having trouble finding the "speed" and "duplex" options for the Gigabit Ethernet ports in the interface configuration of your Cisco 2960, try manually setting the interface type.

swith01#sh run int gi0/1
Building configuration...

Current configuration : 126 bytes
!
interface GigabitEthernet0/1
switchport mode trunk
end

swith01#conf term
Enter configuration commands, one per line. End with CNTL/Z.
swith01(config)#int g0/1
swith01(config-if)#speed ?
% Unrecognized command
swith01(config-if)#media-type ?
auto-select Use whichever connector is attached
rj45 Use RJ45 connector
sfp Use SFP connector

swith01(config-if)#media-type rj45
swith01(config-if)#speed ?
10 Force 10 Mbps operation
100 Force 100 Mbps operation
1000 Force 1000 Mbps operation
auto Enable AUTO speed configuration

swith01(config-if)#speed 100
swith01(config-if)#dupl
swith01(config-if)#duplex ?
auto Enable AUTO duplex configuration
full Force full duplex operation
half Force half-duplex operation

swith01(config-if)#duplex full
swith01(config-if)#end
swith01#sh run int gi0/1
*Mar 1 00:04:04.318: %SYS-5-CONFIG_I: Configured from console by localuser on console
Building configuration...

Current configuration : 167 bytes
!
interface GigabitEthernet0/1
switchport mode trunk
media-type rj45
speed 100
duplex full
end

Tuesday, July 6, 2010

Quick and easy LAN-to-LAN VPN for Cisco ASA

The Scenario:
You want your workstation at H.Q. at your.local.subnet.15 to be able to Remote Desktop (TCP 3389) to your server at your.remote.subnet.34. Your remote branch has a WAN IP address of your.remote.wan.29:

!
! Define "interesting" traffic to determine which traffic gets encrypted.
! In this case it's any packet from the local box with a destination address of the remote server, TCP port 3389, plus ICMP between the two.
! Note that THIS ACL must be exactly the same, with source and destination (and the port qualifier) reversed, on the IPSEC peer at the other end.
! If you don't control both peers then it may be advisable to use simple host-based ACLs and leave off the ports.
! Naturally, this is less secure than specifying the ports here.  You can always add an additional ACL (which doesn't have to match at the far end)
! as a vpn-filter on the group-policy applied to the tunnel-group.
!
access-list outside_60_cryptomap extended permit tcp host your.local.subnet.15 host your.remote.subnet.34 eq 3389
access-list outside_60_cryptomap extended permit icmp host your.local.subnet.15 host your.remote.subnet.34
!
! Define IKE Phase I Parameters
! IKE Phase I authenticates IPSec peers and negotiates IKE SAs during this phase.
! This sets up a secure channel for negotiating IPSec SAs in phase 2.
! "hash md5" is shown as configured; if you control both ends prefer "hash sha" here and esp-sha-hmac
! in the transform-set (as in the PPPoE template above), since HMAC-MD5 is no longer recommended for IPsec.
!
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 14400
!
! Define IKE Phase II IPSEC transformations
! IKE Phase II negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.
!
crypto ipsec transform-set esp-aes-md5 esp-aes-256 esp-md5-hmac
!
!
! NAT considerations
! You may want to disable NAT across the IPSEC tunnel.  In an SMB environment, there is probably no need or desire to source NAT.
! So, add an additional line to your existing NAT exemption ACL or create one.  Here, we add a line to the existing inside_nat0_outbound ACL.
! Remember that the crypto ACL above is matched after translation, so it must list whatever addresses survive NAT.
! This bit is a bit beyond the scope of this article.
access-list inside_nat0_outbound extended permit ip host your.local.subnet.15 host your.remote.subnet.34
!
! Define the IPSEC peer and its IKE Phase II.  PFS is optional.
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer your.remote.wan.29
crypto map outside_map 60 set transform-set esp-aes-md5
! optionally enable Perfect Forward Secrecy.  Disabled by default.  It's more secure (a compromised IKE key no longer
! exposes earlier IPsec keys), but costs an extra Diffie-Hellman exchange on every rekey.
crypto map outside_map 60 set pfs group5
! optionally enable aggressive mode (off by default and not encouraged).  Aggressive mode is faster to set up but less secure:
! with pre-shared keys the identity hash travels in the clear, which lets an eavesdropper attack the PSK offline.
! Leave the line commented out unless the far end insists on it.
! crypto map outside_map 60 set phase1-mode aggressive
!

! Define the tunnel-group peer address and Pre-Shared Key.  The tunnel-group's general-attributes are also where you set the default-group-policy.
tunnel-group your.remote.wan.29 type ipsec-l2l
tunnel-group your.remote.wan.29 ipsec-attributes
pre-shared-key #your.complex.key.here#
!
! Attach it to the outside interface.  Note that you'll use your outside interface's nameif, and it IS case sensitive.
! If you already have IPSEC running then this is already done.
crypto map outside_map interface Outside
crypto isakmp enable Outside
!

Thursday, May 27, 2010

limiting access for Remote Access IPSec clients on a Cisco ASA

So you have a Cisco ASA and you want to limit a particular user's access.  It's a common scenario and one that's pretty simple to deal with.  This works for 7.2(3) and I believe the commands are the same for 8.x

!! Create the user normally
username BobDobbs password *****

!! Assign the user a static IP.  I use one that is in the same network as the group's ip pool, but not in the pool.
!! For example, if the pool is 192.168.4.2 - 192.168.4.60 on a /24, I'd assign this user 192.168.4.61.
username BobDobbs attributes
 vpn-group-policy RA-Client-Policy
 vpn-framed-ip-address x.x.x.x 255.255.255.0

!! Create an ACL which permits the new user's address to reach what you want, denies it everything else, then allows everyone else (or whatever you deem appropriate).
!! vpn-filter ACLs are evaluated first-match with an implicit deny at the end, so the order of these lines matters: swap the first and last and Bob is unrestricted.
!! Write them with the VPN client's address as the source; the ASA applies the filter to the return traffic as well.
access-list RA-Client-ACL-01 extended permit ip host x.x.x.x host y.y.y.y
access-list RA-Client-ACL-01 extended deny ip host x.x.x.x any
access-list RA-Client-ACL-01 extended permit ip any any


!! Finally, apply that ACL to the group-policy
group-policy RA-Client-Policy attributes
  vpn-filter value RA-Client-ACL-01
end
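Both ASA posts above come down to getting ACLs exactly right: the L2L crypto ACL has to be a mirror image of the far end's (the July 6 post), and a vpn-filter ACL is evaluated first-match, so line order decides what Bob can reach (this post). The following Python is an added example, not the author's code or anything of Cisco's: it parses extended ACEs of the shape used on this page (host, any, network and mask, optional eq port), mirrors them for the peer, reports proxy-identity mismatches between the two sides, and evaluates a vpn-filter ACL with the ASA's first-match and implicit-deny semantics. The concrete addresses are constructed stand-ins for the page's placeholders: 10.1.1.15 for your.local.subnet.15, 10.2.2.34 for your.remote.subnet.34, 192.168.4.61 for Bob's x.x.x.x and 10.1.1.50 for y.y.y.y; the ACL name hq_cryptomap on the far end is made up too.

```python
import ipaddress
from collections import namedtuple

# One extended ACE.  Ports stay as the strings the config uses ('3389', 'www').
ACE = namedtuple('ACE', 'name action proto src sport dst dport')


def _parse_endpoint(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK', then an optional 'eq PORT'."""
    if tokens[0] == 'any':
        net, rest = ipaddress.ip_network('0.0.0.0/0'), tokens[1:]
    elif tokens[0] == 'host':
        net, rest = ipaddress.ip_network(tokens[1] + '/32'), tokens[2:]
    else:
        net, rest = ipaddress.ip_network((tokens[0], tokens[1])), tokens[2:]
    port = None
    if rest[:1] == ['eq']:
        port, rest = rest[1], rest[2:]
    return net, port, rest


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[:1] != ['access-list'] or t[2:3] != ['extended']:
        raise ValueError('not an extended ACE: ' + line)
    src, sport, rest = _parse_endpoint(t[5:])
    dst, dport, rest = _parse_endpoint(rest)
    if rest:
        raise ValueError('unsupported trailing tokens in: ' + line)
    return ACE(t[1], t[3], t[4], src, sport, dst, dport)


def _endpoint(net, port):
    if net.prefixlen == 0:
        text = 'any'
    elif net.prefixlen == 32:
        text = 'host %s' % net.network_address
    else:
        text = '%s %s' % (net.network_address, net.netmask)
    return text + (' eq %s' % port if port else '')


def render(ace):
    """Turn an ACE back into ASA syntax."""
    return 'access-list %s extended %s %s %s %s' % (
        ace.name, ace.action, ace.proto,
        _endpoint(ace.src, ace.sport), _endpoint(ace.dst, ace.dport))


def mirror(ace):
    """The ACE the IPsec peer must carry: endpoints swapped, port qualifiers going with them."""
    return ACE(ace.name, ace.action, ace.proto, ace.dst, ace.dport, ace.src, ace.sport)


def crypto_acl_mismatches(local_lines, remote_lines):
    """(ACEs whose mirror is missing on the far end, far-end ACEs with no local counterpart).
    ACL names are ignored; the two peers rarely use the same one."""
    local = [parse_ace(l) for l in local_lines]
    remote = [parse_ace(l) for l in remote_lines]
    key = lambda a: a[1:]          # everything but the name
    local_keys, remote_keys = {key(a) for a in local}, {key(a) for a in remote}
    missing = [render(mirror(a)) for a in local if key(mirror(a)) not in remote_keys]
    unexpected = [render(a) for a in remote if key(mirror(a)) not in local_keys]
    return missing, unexpected


def evaluate(acl_lines, proto, src, dst, dport=None, sport=None):
    """First-match lookup with the implicit deny the ASA appends at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace.proto not in ('ip', proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != str(sport):
            continue
        if ace.dport is not None and ace.dport != str(dport):
            continue
        return ace.action
    return 'deny'


# Constructed stand-ins for the placeholders used in the posts above.
LOCAL_CRYPTO = [        # H.Q. side, as in the July 6 post
    'access-list outside_60_cryptomap extended permit tcp host 10.1.1.15 host 10.2.2.34 eq 3389',
    'access-list outside_60_cryptomap extended permit icmp host 10.1.1.15 host 10.2.2.34',
]
REMOTE_CRYPTO_GOOD = [  # what the branch ASA must carry
    'access-list hq_cryptomap extended permit tcp host 10.2.2.34 eq 3389 host 10.1.1.15',
    'access-list hq_cryptomap extended permit icmp host 10.2.2.34 host 10.1.1.15',
]
REMOTE_CRYPTO_BAD = [   # a common slip: the whole /24 where one host was meant
    'access-list hq_cryptomap extended permit tcp 10.2.2.0 255.255.255.0 eq 3389 host 10.1.1.15',
    'access-list hq_cryptomap extended permit icmp host 10.2.2.34 host 10.1.1.15',
]
RA_FILTER = [           # the vpn-filter from this post, Bob at 192.168.4.61
    'access-list RA-Client-ACL-01 extended permit ip host 192.168.4.61 host 10.1.1.50',
    'access-list RA-Client-ACL-01 extended deny ip host 192.168.4.61 any',
    'access-list RA-Client-ACL-01 extended permit ip any any',
]

if __name__ == '__main__':
    for line in LOCAL_CRYPTO:
        print('peer needs:', render(mirror(parse_ace(line))))
    print('mismatches vs. bad far end:', crypto_acl_mismatches(LOCAL_CRYPTO, REMOTE_CRYPTO_BAD))
    print('Bob -> 10.1.1.50:3389 ', evaluate(RA_FILTER, 'tcp', '192.168.4.61', '10.1.1.50', 3389))
    print('Bob -> 10.1.1.51:22   ', evaluate(RA_FILTER, 'tcp', '192.168.4.61', '10.1.1.51', 22))
    print('same, lines reversed  ', evaluate(RA_FILTER[::-1], 'tcp', '192.168.4.61', '10.1.1.51', 22))
```

The deliberately wrong far-end ACL (a /24 where a host was expected) is the usual cause of the "phase 1 comes up, phase 2 never does" symptom, and the mismatch report prints the exact line the peer needs. The reversed vpn-filter shows why the permit ip any any line must stay last: put it first and the deny for Bob is never reached.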

Tuesday, April 20, 2010

Hex to Decimal

Many thanks to Chris Bryant (CCIE #12933) for finally making the decimal to hex conversion easier to understand. Put simply, it's base-16, DUH... It seems obvious, but for some reason this simple fact just didn't sink in until 6:30 this morning.

For example, the hexadecimal number 4A simply means 4 units of 16 plus 10 units of 1, or ((4 * 16) + (10 * 1)), which equals 64 + 10, which equals 74.

comments in Vi

Assuming you use a hash mark as a comment delimiter:

comment next 5 lines:  .,+4s/^/#/
comment each line from current line to end of file:  .,$s/^/#/

Monday, March 22, 2010

EIGRP and poison reverse

Today, Stretch posted an interesting EIGRP update scenario.  I found myself confused, though, at Step 4 where it says "R3 has learned of a new path to 0.0.0.0/0 from the reply sent by R2. First, it sends a poison reverse update to R2 for this route."  Why would a router send a poison-reverse update for a route to the neighbor who originated the route?  Cisco sheds more light.

Thanks Stretch.

Tuesday, March 2, 2010

dynamic backup routes using Cisco's Enhanced Object Tracking

     In this example, routerA has two ethernet interfaces which both connect to service providers. Using traditional static routes with different metrics would only remove the primary route if the interface itself were to go down (i.e. "line is down, protocol is down"). If the S.P. on the primary link had a routing issue or some other problem (janitor tripped over a power cable 200 miles away), routerA needs to update its routing table even though its interface is still up. Enter, stage left, Cisco's object tracking.

     RouterA has a primary ethernet interface at Fa1/0/1 and a backup at Fa1/0/2. We create a policy map to force pings to a certain address (something close to your critical destinations, or the Internet at large if there's no specific traffic you want to track) to use the primary interface (no, I don't understand why it's routed to Null 0) and when that fails, it removes the default route. The secondary floating route then takes over. The Null0 entry is what keeps the probe honest: "set ip next-hop" is tried first and "set interface Null0" only applies when that next hop is unusable, so a probe that cannot leave via the primary link is dropped instead of following the routing table out the backup link, which would make the SLA succeed and wrongly reinstate the primary route.

!!begin sample config
hostname routerA
ip subnet-zero
ip routing
!
ip sla 1
icmp-echo 4.2.2.2
request-data-size 1400
timeout 2000
threshold 2000
frequency 3
ip sla schedule 1 life forever start-time now
!
interface FastEthernet1/0/1
description Primary Link - .1 is the default gateway for this subnet
ip address 172.16.0.2 255.255.255.0
!
interface FastEthernet1/0/2
description Backup Link - 10.0.0.1 is the gateway for this subnet
ip address 10.0.0.2 255.255.255.0
!
ip local policy route-map MY-LOCAL-POLICY
!
access-list 101 permit icmp any host 4.2.2.2
route-map MY-LOCAL-POLICY permit 10
match ip address 101
set interface Null0
set ip next-hop 172.16.0.1
!
ip route 0.0.0.0 0.0.0.0 172.16.0.1 track 100
ip route 0.0.0.0 0.0.0.0 10.0.0.1 254
!
track 100 rtr 1 reachability
!
!! end sample config

Details on Cisco's Enhanced Object Tracking feature can be found at http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html#wp1071672 .

Monday, January 4, 2010

Find the IfIndex ID of a given interface

When you're using SNMP to poll a router for stats on a given interface sometimes you need to know the SNMP IfIndex ID of a given interface. It's easy (example from a 7206 running 12.4(9)T2):

router-1#show snmp mib ifmib ifindex atm1/0.1080       
Interface = ATM1/0.1080, Ifindex = 190

router-1#show snmp mib ifmib ifindex detail atm1/0.1080
Description                     ifIndex  Active  Persistent 
---------------------------------------------------------------

ATM1/0.1080-aal5 layer           190    yes      enabled