Recently I had to troubleshoot DirectAccess for a customer.
This is the summary of what I did:
1- On the public NIC:
- removed the DNS settings from the public NIC
2- On the private NIC:
- changed the order of the NICs; LAN should be above Public in the list! (ref #1)
- removed the default GW from the private NIC
3- Fixed the IPv6 settings and routing left over from the previous setup with the netsh command
4- Symantec Antivirus conflicted with the Windows Firewall, which is essential for DA to work (uninstalled)
5- When they set up the CRL (Certificate Revocation List) URL, they had missed a "/" in the URL, which prevented IP-HTTPS from coming up (fixed it in DC04 -> CA)
6- The IIS on the DA server shouldn't have 443 configured (conflicts with DA) [REMOVED]
7- Directory browsing needed to be enabled on the DA server's IIS, so clients can see the /CRLD folder remotely over HTTP.
8- There is a bug in Win2008 which prevents the system from accepting a new cert once you have run the DA setup! (ref #2)
9- Generated proper certificates for DA and the clients
10- Installed the DirectAccess Connectivity Assistant, which monitors the DA connection and can generate advanced logs.
(the configuration has to be done in the Group Policy editor and the documentation comes with the setup files) (ref #5)
On the client:
1- join the laptop to the domain
2- add the computer name to the da_clients group
3- make sure the laptop cert is correct
4- install the DirectAccess Connectivity Assistant
More troubleshooting:
There are three methods of communication between clients and the server, and you can disable one to force another:
1- 6to4: used if the user has a public IPv4 address
netsh interface 6to4>set state state=enabled
netsh interface 6to4>set state state=disabled
netsh interface 6to4> show relay
2- Teredo: used if the user is behind NAT but can reach UDP port 3544
disable/enable Teredo to see if it fails over to the IP-HTTPS method:
netsh interface teredo>set state disabled
netsh interface teredo>set state client 1.2.3.4
netsh interface teredo>show state
ping -6 file01
3- IP-HTTPS: used if the user is behind NAT and the firewall does not allow UDP/3544 (slowest method)
netsh interface httpstunnel show interfaces
Interface IPHTTPSInterface (Group Policy) Parameters
---------------------------------------------------
Role : client
URL : https://da-gw.mydomain.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface active
On the client:
nslookup -q=aaaa file01.mydomain.com [ipv6 address of DNS]
ping -6 file01
To monitor IPSec tunnels:
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
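As an added example, not from the original post, here is a small Python parser for the netsh output quoted above that applies the checks the post relies on: client role, an https URL with the fixed /IPHTTPS path, a zero last error code and an active interface. The HEALTHY sample mirrors the output above; the FAILING sample (a timeout code) is constructed for contrast.

```python
# Added example: parse `netsh interface httpstunnel show interfaces` output and
# apply the IP-HTTPS health checks from the post. Both samples are constructed;
# HEALTHY mirrors the output quoted in the post, FAILING is a hypothetical timeout.
HEALTHY = """\
Interface IPHTTPSInterface (Group Policy) Parameters
---------------------------------------------------
Role : client
URL : https://da-gw.mydomain.com:443/IPHTTPS
Last Error Code : 0x0
Interface Status : IPHTTPS interface active
"""
FAILING = HEALTHY.replace("0x0", "0x274c").replace(
    "IPHTTPS interface active",
    "failed to connect to the IPHTTPS server; waiting to reconnect")


def parse_netsh_params(text):
    """Turn netsh 'Name : Value' lines into a dict; headers and rules are skipped."""
    params = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            params[key.strip()] = value.strip()
    return params


def iphttps_status(text):
    """Return (ok, reason) for a client-side IP-HTTPS interface dump."""
    p = parse_netsh_params(text)
    if p.get("Role") != "client":
        return False, "not a client-role interface"
    url = p.get("URL", "")
    # The server URL must be https with the fixed /IPHTTPS path; anything else
    # points at a wrong Group Policy setting on the client.
    if not url.lower().startswith("https://") or not url.endswith("/IPHTTPS"):
        return False, f"unexpected URL {url!r}"
    err = int(p.get("Last Error Code", "0x0"), 16)
    if err:
        return False, f"last error 0x{err:x}"
    if "active" not in p.get("Interface Status", "").lower():
        return False, p.get("Interface Status") or "no interface status"
    return True, "IP-HTTPS tunnel up"


if __name__ == "__main__":
    for name, dump in (("healthy", HEALTHY), ("failing", FAILING)):
        print(name, iphttps_status(dump))
```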
Ref:
1- blog.concurrency.com/infrastructure/uag-directaccess-ip-addressing-the-server/
2- support.microsoft.com/kb/973982/en-us
3- blogs.technet.com/b/edgeaccessblog/archive/2009/10/27/deep-dive-into-uag-directaccess-certificates.aspx
4- www.techrepublic.com/blog/10things/10-things-you-should-know-about-directaccess/1371
5- www.microsoft.com/download/en/details.aspx?displaylang=en&id=10322
Wednesday, November 16, 2011
Tuesday, November 15, 2011
Callback in Android!
Whenever one class might need notifications of changes in another—
especially if the association changes dynamically, at runtime—consider implementing
the relationship as a callback. If the relationship is not dynamic, consider using
dependency injection—a constructor parameter and a final field—to make the required
relationship permanent.
Programming Android By Zigurd Mednieks (Page 137)
Friday, November 11, 2011
IPSET and IPTABLES
I really need to study ipset more. This post is just a reminder for myself.
Example #1:
ipset -N myset iphash
ipset -A myset 1.1.1.1
ipset -A myset 2.2.2.2
iptables -A INPUT -m set --set myset src -j DROP
Example #2:
ipset -N routed_nets nethash
ipset -A routed_nets 10.30.30.0/24
ipset -A routed_nets 10.40.40.0/24
ipset -A routed_nets 192.168.4.0/23
ipset -A routed_nets 172.22.0.0/22
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 \
-m set ! --set routed_nets dst -j MASQUERADE
Ref: Linux Journal (October 2011)
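As an added example, not from the post or the Linux Journal article, a Python generator for `ipset restore` input that loads a list such as routed_nets above into a scratch set and then swaps it over the live set in one step, so the iptables rule never matches against a half-filled set (current ipset syntax is `create`/`add` instead of `-N`/`-A`, and the iptables match is `-m set --match-set`). The entries are the post's Example #2; the set names and the `_tmp` suffix are assumptions.

```python
import ipaddress

# Constructed input: the routed_nets entries from Example #2 in the post.
ROUTED_NETS = ["10.30.30.0/24", "10.40.40.0/24", "192.168.4.0/23", "172.22.0.0/22"]


def parse_entries(entries):
    """Validate address/CIDR strings; returns ip_network objects of a single family."""
    nets = []
    for raw in entries:
        raw = raw.split("#", 1)[0].strip()          # allow comments and blank lines
        if raw:
            # strict=True rejects prefixes with host bits set (e.g. a typo like 10.0.0.1/24)
            nets.append(ipaddress.ip_network(raw, strict=True))
    if not nets:
        raise ValueError("no entries")
    if len({n.version for n in nets}) != 1:
        raise ValueError("one ipset holds a single address family; split v4 and v6")
    return nets


def choose_type(nets):
    """hash:ip when every entry is a single host (the post's iphash), else hash:net (nethash)."""
    return "hash:ip" if all(n.prefixlen == n.max_prefixlen for n in nets) else "hash:net"


def build_restore(set_name, entries):
    """Return an `ipset restore` script that fills <set_name>_tmp and swaps it into place.

    Feed it with `ipset restore -exist < file` so the create of the live set is a
    no-op when the set already exists (assumed name suffix: _tmp)."""
    nets = parse_entries(entries)
    set_type = choose_type(nets)
    family = "inet" if nets[0].version == 4 else "inet6"
    tmp = f"{set_name}_tmp"
    lines = [
        f"create {set_name} {set_type} family {family}",   # live set, -exist makes it idempotent
        f"create {tmp} {set_type} family {family}",        # scratch set, same type as live
    ]
    for n in nets:
        entry = str(n.network_address) if set_type == "hash:ip" else n.with_prefixlen
        lines.append(f"add {tmp} {entry}")
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]  # atomic switch, then drop old contents
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_restore("routed_nets", ROUTED_NETS), end="")
```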
Launch ASDM in Linux
root@ipng:/# cat /bin/asdm
#!/bin/bash
# Launch ASDM through Java Web Start in the background and discard its output.
# The redirections must be in this order; with "2>&1 >/dev/null" stderr still goes to the terminal.
/usr/bin/javaws https://<ASA_IP>/admin/public/asdm.jnlp >/dev/null 2>&1 &
root@ipng:/# chmod u+x /bin/asdm
root@ipng:/# asdm
Friday, June 17, 2011
Use LDAP Authentication to Assign a Group Policy at Login
Finally, after some head scratching, it worked! Now I can permit only AD users that belong to
a certain AD group to connect to our ASA with the AnyConnect client.
If you did some research already, you might already know about steps 1 and 2, but
making it work is all about step 3!
Step 1: Define your AD and your profile, explained here:
http://www.block.net.au/blogs/james/pages/active-directory-vpn-authentication-with-a-cisco-asa-5510-series-appliance.aspx
Step 2: The memberOf attribute is mapped to IETF-Radius-Class by the configured LDAP attribute map:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Note: This part needs to be done in the CLI:
ciscoasa(config)#ldap attribute-map CISCOMAP
ciscoasa(config-ldap-attribute-map)#map-name memberOf IETF-Radius-Class
ciscoasa(config-ldap-attribute-map)#map-value memberOf CN=Employees,CN=Users,DC=yourplace,DC=com ExamplePolicy1
Now you can do the rest in ASDM.
Step 3: The LDAP attribute map created in the previous steps just binds the group-policy to the user. If you want to restrict access, you need DAP.
http://www.ciscosystems.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
So now you just need to create a DAP policy that rejects users who belong to this connection profile
but are not part of the AD group.
Troubleshooting:
debug dap trace
debug ldap 255
Friday, April 15, 2011
Sendmail and Ignoring MX
/etc/mail/service.switch
I was busy for hours troubleshooting sendmail (CentOS 5.5) to find out
why it insisted on trying to deliver mail directly to A record addresses
rather than via MX records. I was lucky that Peter documented
his solution in 2002, so I can use it 9 years later!
http://goo.gl/idJKG
Thanks Peter!
I saw this command and wondered if I could have used it: echo '3,0 student@sub.domain.edu' | sendmail -bt
Tuesday, April 12, 2011
Finally Working GNS3 ASA/ASDM6.31 on Ubuntu 10 & 11
I was struggling to TFTP the asdm-631.bin file to a running ASA and kept getting an error message
right after uploading 2 MB! So I found a way to transfer it offline!
On your machine that runs GNS3,
$ sudo -i
(find the GNS3 tmp directory for your ASA)
Turn off ASA1 (I assume you are working on ASA1)
# cd /opt/GNS3/tmp/ASA1
# rename/delete the current FLASH (you will lose all the modifications!)
# qemu-img create FLASH 256M
# qemu-img info /opt/GNS3/tmp/ASA1/FLASH
Turn it on and let the FLASH get initialized and then turn it back off.
# losetup /dev/loop0 FLASH
# kpartx -av /dev/loop0
# ls -alF /dev/mapper/
# mkdir test
# mount /dev/mapper/loop0p1 test/
# cp /root/asdm-631.bin test/lina-data/1/soft/
# umount test/
# sync
# kpartx -d /dev/loop0
# losetup /dev/loop0 -d
Start ASA1 and you should be able to see the ASDM file on your flash,
and you can configure your ASA for ASDM access.
Ref:
------------------------------------------------------------------------------------------------------
http://goo.gl/1I1rA (mount a qemu image)
http://goo.gl/C6JcS (how to emulate ASA8.0(2) without proxy!)
http://goo.gl/c3aRl (patch compile qemu0.13+UDP patch)
http://goo.gl/90STb (recompile kernel / set HZ=1000)
Original Issue:
------------------------------------------------------------------------------------------------------
Accessing tftp://10.10.10.1/asdm631.bin...!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Writing file disk0:/asdm631.bin...
Losing too many ticks!
TSC cannot be used as a timesource.
Possible reasons for this are:
You're running with Speedstep,
You don't have DMA enabled for your hard disk (see hdparm),
Incorrect TSC synchronization on an SMP system (see dmesg).
Falling back to a sane timesource now.