Archive for category Vista

Yet another Hairpin: Internet Access from VPN Hub

Firewalls typically don’t hairpin well or at all for that matter,  unless specifically told to do so.  Hair-pinning is when a packet ultimately leaves the same interface it came into.

On a LAN it is somewhat common for packets to “bounce” off of one router interface to get to the right one, a prime candidate for the ICMP Redirect process.  Forget having your Cisco ASA or Pix participate in that little exchange of ICMP messages needed though, Cisco has long held that routing protocols are exploitable and have no place on a firewall (Yes they now speak EIGRP and OSPF, go figure).

The other example of hair-pinning that comes to mind deals with VPNs and Internet Access. The scenario is that a spoke or remote site VPNs to the hub or central site and wants to travel on to the Internet from there.  While it’s tempting to think of a VPN as originating from deep in the firewall the reality is that it is treated as coming from the outside interface.

In short you have to set up NAT for packets that arrive on the outside interface to turnaround and exit through the outside interface. Yes this is counter-intuitive, you have to apply the same NAT-Exempt and NAT statements on the interface as if friendlies were behind you and not the wild woolly Internet.

Assuming you assign VPN addresses from a  pool on 172.16.0.0/24; the CLI then looks like this:

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 0 access-list outside_nat0
nat (outside) 1 10.17.0.0 255.255.255.0

access-list outside_nat0 extended permit ip any 172.16.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any <your network>

Also you will need a very important sysopt:

same-security-traffic permit intra-interface

This basically turns on the ability to hair-pin.

Share

, , , , , , , , , ,

2 Comments

Cisco VPN X64 support…. or not.

Okay, if you read this http://www.cisco.com/web/software/282364316/31835/5.0.07.0240-beta-rel-notes.txt it says that x64 support for Windows 7 and Vista is finally here.  It’s just that it also says that 64 bit isn’t supported.

Share

, , ,

No Comments

Fixing Static Addresses on Verizon FIOS

Verizon has a bug in their business offering for multiple static IP addresses.

When using a professional firewall that such as a Cisco ASA, I could only get 1 address to respond from offsite.

The first problem was solved by going to DSLReports.com, you have to call Verizon and convince them to instant message the group that runs the ONT’s (the termination that is onsite) to set the MAC filter to 5.

After that only 1 IP address worked per device. I could ping each other but Verizon served traffic could not see me. A quick TCP-Dump of the external segment showed the problem:

arp who-has 98.109.50.34 (00:1e:4a:87:32:59) tell 0.0.0.0
arp who-has 98.109.50.35 (00:1d:70:26:3c:53) tell 0.0.0.0

The address 0.0.0.0 is slightly illegal, the ASA ignores the ARP request and the Verizon gateway never binds the Mac to the translated IP addresses. This means that inbound static addresses didn’t work and only the physical interface address could be used for the outbound global pool.

I managed to get Verizon to admit the bug, the Alcatel equipment was partially to blame and I would imagine that the (non-professional) “firewall” that comes with the account had been modified to respond to an ARP request from 0.0.0.0 They projected it would be fixed Q1 of the next year… that was 15 months ago.

I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it was responding to an ARP request.

arp reply 98.109.50.36 is-at 00:1d:70:26:2c:53

Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely, alls it took was a Linux system and the perl script below. I don’t believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower traffic can using the ethertype command but ARP’s get absorbed. I haven’t tried proxy-arp to see if it relays the bogus advertisement as it breaks so many rules of paranoia that I doubt that the ASA would propagate it.

At the moment I have plugged in a dedicated Ethernet interface from my VMWare stack and am running a virtual Linux machine for the sole purpose of “poisoning” the ARP table. The FIOS service itself screams, though we wouldn’t ever consider using their DNS, but leave it to Verizon to pull up short on static IP address support.

Bil Herd

#!/usr/bin/perl
use Net::ARP;
use strict;
use warnings;
for (;;){
Net::ARP::send_packet(

‘eth0’, # Device
‘98.109.50.1’, # Verizon gateway, not really 0.0.0.0 of course

‘98.109.50.36’, # address that we want Verizon to respond

’00:1E:EC:9F:DB:67′, # Source MAC Mac of our address

’00:1d:70:26:cc:53, # Destinaton MAC address for ARP
‘reply’ # ARP operation
)
;
print “packet sent\n”;
sleep(30);
}

To install the Net::ARP module using CPAN:

perl -MCPAN -e ‘install Net::ARP’

Share

, , , , , , , , , ,

10 Comments

How to Install Cisco VPN Client on Windows 7

This appears to be typical of what is needed to get Windows 7 to live with Cisco VPN client:
http://weblogs.asp.net/bhouse/archive/2009/01/15/how-to-successfully-install-cisco-vpn-client-on-windows-7.aspx

Share

, , , ,

No Comments

x64 Sagas, SLO (Silly Little Obsolescence)

In the Silly Little Obsolescence department: I did not really expect to have to deal with such a trivial thing that ain’t so trivial.  I have to trash my Canon n650U Canoscan flatbed scanner because there are no x64 drivers for it.  It sits on the other side of USB, and the width of the native driver is an issue.

Normally I deal with a little extra effort when trying something like x64 but this is just silly, I would more fully expect my video card to have hemroids than to throw away the scanner that I only use once a month.

Just to be sure I called Canon, they waived the $9 fee to tell me I was SOL.

Bil

Share

1 Comment

x64 Sagas – AVR Development and Programming

I just assembled the Ladyada Tiny ISP for AVR Atmel microcontrollers, http://www.ladyada.net/make/usbtinyisp/.  Easy to build, had my 10 year old son help with the soldering, only one burn to show for it.

You have to use a USBTiny with it and a COM bridge that simulates a null modem between two virtual com ports and have it emulate a null modem connection: Ladyada’s page did a reasonable job of leading through that: http://www.ladyada.net/make/usbtinyisp/stk500compat.html as an STK500 emulation.

Vista x64 requires digitally signed drivers and prior to SP1 you could disable this with the command

bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS

This would appear to not work after SP1, I use the Driver Signature Enforcement Overrider (DSEO) available at http://www.ngohq.com/home.php?page=Files&go=cat&dwn_cat_id=34) Essentially you put the system into Test Mode and create a test signature for the driver. I now run with the text “Test Mode” in the corners of all four of my monitors.


Also ran into problems getting WinAVR to run correctly under Vista x64. Basically you need a new msys-1.0.dll and also I recommend not using the standard installation process as the special charcters “()” in the path Program Files (x86) cause conniptions with parts of the WinAVR app and compliation process. Thanks to MadWizard at http://www.madwizard.org/electronics/articles/winavrvista

Share

2 Comments

(Mostly) No split-tunnel on Cisco VPN Clients

Split tunnel is where the person connected to your corporate network via their VPN can also go willy-nilly to the Internet at the same time.  This is generally considered to be a bad thing, though I have heard a “security consultant” recommend to the customer with me in the room to go ahead and do this because it made it easier for him to connect.

Bad consultant. He should learn about ‘bots, back-doors and virus/worms in general.

However there is an issue with no-split tunnel in the Cisco world, or at least using the VPN client version 5 and the ASA, and at least for trying to be selective.  By that I mean, what if I want to get to one thing locally and tunnel the rest.

The problem appears to be as soon as you don’t “Tunnel Everything” as your selection, and instead use “Tunnel Network List Below” trying to tell it to tunnel “any”, 0.0.0.0/0 or even something like a 10.0.0.0/8 wont stop traffic from going to everything behind the local interface.It seems that the /24 of the local wins the most specific route contest against the  ” tunnel this specific /8″ command that gets pushed down.

To use “Tunnel Network List Below” to prevent local traffic, add an entry in the ACL that matches the /24 of the local LAN (assuming it’s a /24, you get the idea).  Now when you display the routing table while the VPNs connected (netstat -nr in windows or unix) you will see the local LAN but also a matching route form the VPN, and it now stands a chance of winning.

See my next post aboput why the access list seemes to be reversed when applying an ACL to a VPN as either a tunnel list or filter list.

Share

2 Comments

Dawn of New Technology: Whither Thou Go’est Preemption

I am from the days when we heralded the coming of New Technology, as in NT as in Windows NT.  We lived in a world of round robin process management in the early Windows days, (I am an old designer from Commodore, we used Gates & Allen but on terms defined by Jack Tramiel) which meant that only if a program didn’t crash it would pass execution rights on to the next program to be executed.  Every program had it’s own set of rules for how much time and processor it could use, interrupts suck as keyboard I/O might get a semi-fair chance of getting processed.

 

An all of that changed with Windows NT, supposedly.

 

I sit here today with a Windows Vista x64 system, 4 widescreen LCD screens and acceleration out the waz… if only I could find my little SLI connector I could parallel the video card GPUs.  But wait, all is for naught, but only when using a Windows program on a windows OS.

 

It seems that my Internet Explorer 7 is pretty much non-interruptible.  Once it starts to download a page, clicking the red X won’t stop it, not really.  Occasionally it will ghost the screen to try and get me to stop as if to say that yes it is obeying the keyboard master, but we both know it is continuing to do whatever it wants.  Once it locks up on whatever a page wanted it to do, it’s locked.  I can’t hit back in the middle of a process, it only knows forward.  If it is in a complete idle state it will acknowledge the “please stop” or the “can you go back now, thank you” command.

 

I am not an average user, maybe average users don’t click the “eliminate preemption” command, if only I could remember doing so.

 

Share

No Comments