Adding incoming and outgoing access rules on a Cisco ASA

To understand incoming and outgoing rules there are a couple of things to know before you can define them. Let’s start with traffic flow on an ASA. Incoming rules define traffic that arrives inbound at an ASA interface; outgoing rules define traffic that leaves outbound through an ASA interface. Which interface it is does not matter, since this is purely a matter of data flow and each active interface on an ASA has its own unique address.

To explain this further, let’s say we have an internal interface with an IP address of 10.0.0.1 that your local area network connects to. You can add a permit or deny rule to this interface specifying whether incoming or outgoing traffic will be permitted. This lets you control which computers can communicate past that interface. Essentially you would define most of your rules for the local area network on the internal interface, governing which systems and devices can access the internet or use certain protocols.

If you know the basic configuration of an ASA, you know that you have to set the security level of the internal and external interfaces. By default these devices allow traffic from a higher-security interface to a lower-security interface. NAT/PAT will also need to be configured, depending on whether you want to define port traffic for specific protocols.

For this article I will just mention that there are several types of Access Control Lists (ACLs) you can create on an ASA: Standard, Extended, EtherType, WebType, and IPv6. For this example we will use Extended, because that is most likely what everyone will use most. With an extended ACL you can specify not only IP addresses in the access control list but also port traffic matching the protocol that is required.

Let’s look at the example below:

You will see we are in configuration terminal mode:

ASA(config)# access-list acl extended permit tcp any host 192.0.43.10 eq 80

-So the first part, “access-list acl”, means the access list will be named “acl”.
-Next you choose the type of access list. We are using Extended for this example.
-The next portion is the permit or deny option; we have permit selected for this statement (tcp, which follows it, is the protocol being matched).
-The next selection, “any”, refers to inside traffic (simply meaning that any internal source is allowed). If you don’t use “any” you can specify particular devices with “host” and the IP address, like the last part of this ACL statement.
-The last part specifies a specific host address of 192.0.43.10 and port 80 (“eq 80”).

So this example tells us that our access control list named “acl” will allow any inside traffic out to the host address 192.0.43.10 on port 80, which is internet (web) traffic.

Later you will notice that your statement looks like this on the ASA:

ASA(config)# access-list acl extended permit tcp any host 192.0.43.10 www
Notice how “eq 80” (default HTTP traffic) changed automatically to “www”. This is common on Cisco ASA devices.
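As an added example (not code from the article or from Cisco), here is a small Python parser that splits an extended access-list line into the fields walked through above, renders the line the way the ASA displays it (the port number becomes its name, shown here as “eq www”), and flags a permit rule that matches any source and any destination. The PORT_NAMES table is a constructed subset of the names the ASA uses.

```python
# Constructed example for the ACL breakdown above, not code from the article or
# from Cisco. PORT_NAMES is a small constructed subset of the names the ASA
# substitutes for well-known port numbers when it displays a rule.
PORT_NAMES = {"80": "www", "443": "https", "53": "domain", "22": "ssh", "25": "smtp"}


def _take_addr(tokens):
    """Consume one address field: 'any', 'host A.B.C.D' or 'NETWORK MASK'."""
    if tokens and tokens[0] == "any":
        return "any", tokens[1:]
    if len(tokens) < 2:
        raise ValueError("incomplete address field")
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]


def parse_acl(line):
    """Split one 'access-list NAME extended ...' line into its fields."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended access-list line: " + line)
    if t[3] not in ("permit", "deny"):
        raise ValueError("action must be permit or deny: " + t[3])
    rule = {"name": t[1], "action": t[3], "proto": t[4], "dst_port": None}
    rule["src"], rest = _take_addr(t[5:])
    rule["dst"], rest = _take_addr(rest)
    if len(rest) >= 2 and rest[0] == "eq":  # optional destination port, e.g. "eq 80"
        rule["dst_port"], rest = PORT_NAMES.get(rest[1], rest[1]), rest[2:]
    if rest:
        raise ValueError("unexpected trailing tokens: " + " ".join(rest))
    return rule


def canonical(rule):
    """Render the rule the way the ASA shows it ("eq 80" becomes "eq www")."""
    parts = ["access-list", rule["name"], "extended", rule["action"],
             rule["proto"], rule["src"], rule["dst"]]
    if rule["dst_port"]:
        parts += ["eq", rule["dst_port"]]
    return " ".join(parts)


def is_wide_open(rule):
    """True for a permit from any source to any destination with no port."""
    return (rule["action"] == "permit" and rule["src"] == "any"
            and rule["dst"] == "any" and rule["dst_port"] is None)
```

Running the article’s own line through parse_acl and canonical reproduces the “www” substitution; feeding is_wide_open the rules of a real config is a quick way to spot a permit ip any any that should not be there.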

from 318 Tech Journal http://techjournal.318.com http://techjournal.318.com/general-technology/adding-incoming-and-outgoing-access-rules-on-a-cisco-asa/

Configuring a Cisco ASA 5505 with the basics

The Cisco ASA 5505 is great for small to medium businesses. Below are the steps you will have to complete to configure your ASA to communicate with the internet. There are many more steps, options, and features on these devices (later articles will cover some of them).

Bring your device into configuration mode
318ASA>en
Brings the device into enable mode

318ASA#config t
Change to configuration terminal mode

318ASA(config)#
The ASA is now ready to be configured when you see (config)#

Configure the internal interface VLAN (ASAs use VLANs for added security by default)
318ASA(config)# interface Vlan 1

Configure interface VLAN 1
318ASA(config-if)# nameif inside
Name the interface inside

318ASA(config-if)#security-level 100

Sets the security level to 100

318ASA(config-if)#ip address 192.168.5.1 255.255.255.0
Assign your IP address

318ASA(config-if)#no shut
Make sure the interface is enabled and active

Configure the external interface VLAN (This is your WAN\internet connection)
318ASA(config)#interface Vlan 2
Creates the VLAN2 interface

318ASA(config-if)# nameif outside
Names the interface outside

318ASA(config-if)#security-level 0
Assigns the most restrictive security level, 0, to the outside interface (the lower the number, the less trusted the interface, so by default the ASA only allows traffic from higher-level interfaces to lower-level ones).

318ASA(config-if)#ip address 76.79.219.82 255.255.255.0
Assign your Public Address to the outside interface

318ASA(config-if)#no shut
Enable the outside interface to be active.

Enable and assign the external WAN to Ethernet 0/0 using VLAN2
318ASA(config)#interface Ethernet0/0
Go to the Ethernet 0/0 interface settings

318ASA(config-if)#switchport access vlan 2
Assign the interface to use VLAN2

318ASA(config-if)#no shut
Enable the interface to be active.

Enable and assign the internal LAN interface Ethernet 0/1 (note ports 0/1-0/7 act as a switch but all interfaces are disabled by default).
318ASA(config)#interface Ethernet0/1
Go to the Ethernet 0/1 interface settings

318ASA(config-if)#no shut
Enable the interface to be active.
If you need multiple LAN ports you can do the same for Ethernet0/2 to 0/7.

To have traffic route from LAN to WAN you must configure Network Address Translation on the outside interface
318ASA(config)#global (outside) 1 interface
318ASA(config)#nat (inside) 1 0.0.0.0 0.0.0.0

***NOTE for ASA Version 8.3 and later***
Cisco has released Cisco ASA software version 8.3. This version introduces several important configuration changes, especially to the NAT/PAT mechanism. The “global” command is no longer supported; NAT (static and dynamic) and PAT are configured under network objects. The PAT configuration below is for ASA 8.3 and later (the object name obj_any is arbitrary; the nat command must be entered inside the network object):

318ASA(config)#object network obj_any
318ASA(config-network-object)#subnet 0.0.0.0 0.0.0.0
318ASA(config-network-object)#nat (inside,outside) dynamic interface

For more info you can reference this article from Cisco with regards to the changes – http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html

Configure the default route (for this example default gateway is 76.79.219.81)
318ASA(config)#route outside 0.0.0.0 0.0.0.0 76.79.219.81 2 1

Last but not least, verify and save your configuration.

Verify your settings are working. Once you have verified your configurations write to memory to save the configuration. If you do not write to memory your configurations will be lost upon the next reboot.

318ASA(config)#wr mem

from 318 Tech Journal http://techjournal.318.com http://techjournal.318.com/general-technology/configuring-a-cisco-asa-5505-with-the-basics/

Problems with installing/using imapsync on Mac OS X

I have done a number of mail server migrations and imapsync has come through with shining colours for me in the past.

I’m moving a client’s email up to Telstra’s hosted Office365 solution and needed a way to push a large amount of email up to it.

After I managed to find the link for an older version of Xcode to install on 10.6, I then downloaded imapsync from Fedora Hosted and went to install its dependencies.

sudo perl -MCPAN -e 'install Mail::IMAPClient'
sudo perl -MCPAN -e 'install Digest::MD5'
sudo perl -MCPAN -e 'install Term::ReadKey'
sudo perl -MCPAN -e 'install IO::Socket::SSL'
sudo perl -MCPAN -e 'install File::Spec'
sudo perl -MCPAN -e 'install Digest::HMAC_MD5'
sudo perl -MCPAN -e 'install Authen::NTLM'

This usually works a treat; however, this time around it got stuck installing the Mail::IMAPClient module.

When it was running the tests, it was throwing an error along the lines of this:

Can't call method "at" on unblessed reference at...
# Looks like you planned 41 tests but ran 1.
# Looks like your test exited with 255 just after 1.

It turns out that this is a known bug, not in IMAPClient but in Parse::RecDescent.

More info on it is here: https://rt.cpan.org/Public/Bug/Display.html?id=74733

You can either downgrade Parse::RecDescent to an older version, or you can recompile the grammars in Mail::IMAPClient to use the new version. I chose to recompile the grammars in Mail::IMAPClient.

I had to change to the directory where cpan had downloaded the tarball to, under ~/.cpan, and then run the following two commands:

sudo perl -MParse::RecDescent - lib/Mail/IMAPClient/Thread.grammar \
    Mail::IMAPClient::Thread && mv Thread.pm lib/Mail/IMAPClient/
sudo perl -MParse::RecDescent - lib/Mail/IMAPClient/BodyStructure/Parse.grammar \
    Mail::IMAPClient::BodyStructure::Parse && mv Parse.pm lib/Mail/IMAPClient/BodyStructure/

I was then able to install the IMAPClient library successfully and imapsync now works.

10.7: A look at /etc/authorization usage

The /etc/authorization file in Mac OS X can be used to control access to the various panes of System Preferences, amongst other things. Some of us Mac sysadmins use it to give Standard Users access to System Prefs panes that only admins could otherwise unlock. It can also be used in reverse, to lock down panes you don’t want users messing with. One example from Apple was about allowing non-admin users to change the time zone setting. Often the panes can’t be controlled to the exact level you may want via MCX (Local or Managed) or defaults write/plists, and you don’t want to give users admin rights in a large business or university setting.

With 10.6 and now 10.7 the following Preference Panes are locked by default, meaning you need an admin username and password to unlock them: Security & Privacy, Print & Scan, Network, Sharing, Users & Groups, Parental Controls, Date & Time, Software Update, Time Machine and …

from MacOSXHints.com http://hints.macworld.com http://www.pheedcontent.com/click.phdo

HP’s User Serviceable All-in-One Workstation

The 27″ monitor opens to expose user-serviceable components designed for no-tools swapping.

The Z1 isn’t even supposed to ship until April, so it’s all just hype right now. But it’s working on me. Will be curious to hear what the early adopters report. [Thanks, Phil!]

HP Z1 Workstation

from MAKE http://blog.makezine.com http://blog.makezine.com/2012/02/28/hps-new-user-serviceable-all-in-one-workstation-class-pc/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+makezineonline+%28MAKE%29

ZFS for Mac OS X — ZEVO

As drives become huge, the risk of data corruption becomes an ever-increasing concern. Corruption can be subtle (“bit rot”, bit flips during file transfers, etc.), and these errors can accrete over time.

from Mac Performance Guide http://macperformanceguide.com http://macperformanceguide.com/blog/2012/20120218_1-ZFS-for-OSX.html

How to give a Mac OS X machine a new Kerberos identity

If you’re doing a quick-n-dirty deployment of a few Macs and, instead of building a real SOE, you just build one machine and image it to the others, you can easily end up in a situation where you can bind only one of these machines to Open Directory, because they all have an identical Kerberos identity.

Fortunately it’s pretty easy to reinitialise the Kerberos database on a Mac – simply follow these steps:

  1. In the Utilities folder, open Keychain Access. In the System keychain, find and delete the three com.apple.kerberos.kdc entries – a certificate and the public/private key pair generated from that certificate.
  2. In Terminal, run ‘sudo rm -fr /var/db/krb5kdc’ – this destroys the local KDC database.
  3. In Terminal, run ‘sudo /usr/libexec/configureLocalKDC’ – this regenerates the local KDC database, including a new certificate and SHA1 hash.
  4. Bind the machine to OD.