Archive for category Windows

Yet another Hairpin: Internet Access from VPN Hub

Firewalls typically don’t hairpin well or at all for that matter,  unless specifically told to do so.  Hair-pinning is when a packet ultimately leaves the same interface it came into.

On a LAN it is somewhat common for packets to “bounce” off of one router interface to get to the right one, a prime candidate for the ICMP Redirect process.  Forget having your Cisco ASA or Pix participate in that little exchange of ICMP messages needed though, Cisco has long held that routing protocols are exploitable and have no place on a firewall (Yes they now speak EIGRP and OSPF, go figure).

The other example of hair-pinning that comes to mind deals with VPNs and Internet Access. The scenario is that a spoke or remote site VPNs to the hub or central site and wants to travel on to the Internet from there.  While it’s tempting to think of a VPN as originating from deep in the firewall the reality is that it is treated as coming from the outside interface.

In short you have to set up NAT for packets that arrive on the outside interface to turnaround and exit through the outside interface. Yes this is counter-intuitive, you have to apply the same NAT-Exempt and NAT statements on the interface as if friendlies were behind you and not the wild woolly Internet.

Assuming you assign VPN addresses from a  pool on; the CLI then looks like this:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1

nat (outside) 0 access-list outside_nat0
nat (outside) 1

access-list outside_nat0 extended permit ip any
access-list inside_nat0_outbound extended permit ip any <your network>

Also you will need a very important sysopt:

same-security-traffic permit intra-interface

This basically turns on the ability to hair-pin.


, , , , , , , , , ,


Fixing Static Addresses on Verizon FIOS

Verizon has a bug in their business offering for multiple static IP addresses.

When using a professional firewall that such as a Cisco ASA, I could only get 1 address to respond from offsite.

The first problem was solved by going to, you have to call Verizon and convince them to instant message the group that runs the ONT’s (the termination that is onsite) to set the MAC filter to 5.

After that only 1 IP address worked per device. I could ping each other but Verizon served traffic could not see me. A quick TCP-Dump of the external segment showed the problem:

arp who-has (00:1e:4a:87:32:59) tell
arp who-has (00:1d:70:26:3c:53) tell

The address is slightly illegal, the ASA ignores the ARP request and the Verizon gateway never binds the Mac to the translated IP addresses. This means that inbound static addresses didn’t work and only the physical interface address could be used for the outbound global pool.

I managed to get Verizon to admit the bug, the Alcatel equipment was partially to blame and I would imagine that the (non-professional) “firewall” that comes with the account had been modified to respond to an ARP request from They projected it would be fixed Q1 of the next year… that was 15 months ago.

I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it was responding to an ARP request.

arp reply is-at 00:1d:70:26:2c:53

Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely, alls it took was a Linux system and the perl script below. I don’t believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower traffic can using the ethertype command but ARP’s get absorbed. I haven’t tried proxy-arp to see if it relays the bogus advertisement as it breaks so many rules of paranoia that I doubt that the ASA would propagate it.

At the moment I have plugged in a dedicated Ethernet interface from my VMWare stack and am running a virtual Linux machine for the sole purpose of “poisoning” the ARP table. The FIOS service itself screams, though we wouldn’t ever consider using their DNS, but leave it to Verizon to pull up short on static IP address support.

Bil Herd

use Net::ARP;
use strict;
use warnings;
for (;;){

‘eth0’, # Device
‘’, # Verizon gateway, not really of course

‘’, # address that we want Verizon to respond

’00:1E:EC:9F:DB:67′, # Source MAC Mac of our address

’00:1d:70:26:cc:53, # Destinaton MAC address for ARP
‘reply’ # ARP operation
print “packet sent\n”;

To install the Net::ARP module using CPAN:

perl -MCPAN -e ‘install Net::ARP’


, , , , , , , , , ,


How to Install Cisco VPN Client on Windows 7

This appears to be typical of what is needed to get Windows 7 to live with Cisco VPN client:


, , , ,

No Comments

x64 Sagas – AVR Development and Programming

I just assembled the Ladyada Tiny ISP for AVR Atmel microcontrollers,  Easy to build, had my 10 year old son help with the soldering, only one burn to show for it.

You have to use a USBTiny with it and a COM bridge that simulates a null modem between two virtual com ports and have it emulate a null modem connection: Ladyada’s page did a reasonable job of leading through that: as an STK500 emulation.

Vista x64 requires digitally signed drivers and prior to SP1 you could disable this with the command

bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS

This would appear to not work after SP1, I use the Driver Signature Enforcement Overrider (DSEO) available at Essentially you put the system into Test Mode and create a test signature for the driver. I now run with the text “Test Mode” in the corners of all four of my monitors.

Also ran into problems getting WinAVR to run correctly under Vista x64. Basically you need a new msys-1.0.dll and also I recommend not using the standard installation process as the special charcters “()” in the path Program Files (x86) cause conniptions with parts of the WinAVR app and compliation process. Thanks to MadWizard at



(Mostly) No split-tunnel on Cisco VPN Clients

Split tunnel is where the person connected to your corporate network via their VPN can also go willy-nilly to the Internet at the same time.  This is generally considered to be a bad thing, though I have heard a “security consultant” recommend to the customer with me in the room to go ahead and do this because it made it easier for him to connect.

Bad consultant. He should learn about ‘bots, back-doors and virus/worms in general.

However there is an issue with no-split tunnel in the Cisco world, or at least using the VPN client version 5 and the ASA, and at least for trying to be selective.  By that I mean, what if I want to get to one thing locally and tunnel the rest.

The problem appears to be as soon as you don’t “Tunnel Everything” as your selection, and instead use “Tunnel Network List Below” trying to tell it to tunnel “any”, or even something like a wont stop traffic from going to everything behind the local interface.It seems that the /24 of the local wins the most specific route contest against the  ” tunnel this specific /8″ command that gets pushed down.

To use “Tunnel Network List Below” to prevent local traffic, add an entry in the ACL that matches the /24 of the local LAN (assuming it’s a /24, you get the idea).  Now when you display the routing table while the VPNs connected (netstat -nr in windows or unix) you will see the local LAN but also a matching route form the VPN, and it now stands a chance of winning.

See my next post aboput why the access list seemes to be reversed when applying an ACL to a VPN as either a tunnel list or filter list.



Office Live: No MS Deed Goes Unpunished

I agreed to the the installation of the Microsoft Office Live plugin and for that I must be punished.

Now every time I start any Microsoft 2007 Office Application I get the “Get Started with Office Live” window.  Every time.  I don’t even need to check the box saying “Do not show me this message again”, it’s checked for me. Every time.

To eliminate this annoying, useless commercial, simply edit your registry.  That’s right, it’s 1998 all over again.

Here’s  a link how to


, , , ,

No Comments

Dawn of New Technology: Whither Thou Go’est Preemption

I am from the days when we heralded the coming of New Technology, as in NT as in Windows NT.  We lived in a world of round robin process management in the early Windows days, (I am an old designer from Commodore, we used Gates & Allen but on terms defined by Jack Tramiel) which meant that only if a program didn’t crash it would pass execution rights on to the next program to be executed.  Every program had it’s own set of rules for how much time and processor it could use, interrupts suck as keyboard I/O might get a semi-fair chance of getting processed.


An all of that changed with Windows NT, supposedly.


I sit here today with a Windows Vista x64 system, 4 widescreen LCD screens and acceleration out the waz… if only I could find my little SLI connector I could parallel the video card GPUs.  But wait, all is for naught, but only when using a Windows program on a windows OS.


It seems that my Internet Explorer 7 is pretty much non-interruptible.  Once it starts to download a page, clicking the red X won’t stop it, not really.  Occasionally it will ghost the screen to try and get me to stop as if to say that yes it is obeying the keyboard master, but we both know it is continuing to do whatever it wants.  Once it locks up on whatever a page wanted it to do, it’s locked.  I can’t hit back in the middle of a process, it only knows forward.  If it is in a complete idle state it will acknowledge the “please stop” or the “can you go back now, thank you” command.


I am not an average user, maybe average users don’t click the “eliminate preemption” command, if only I could remember doing so.



No Comments