Wednesday, February 22, 2012

ASA 8.3+ / Exchange Edge in DMZ Example

Confronted with a total redesign of the NAT commands, and a fuzzy understanding of how ACLs work on non-outside interfaces, I spent a good 6-8 hours on this task.  Something tells me there's a more elegant way to do this w/o the ACL dmz_access_in.  The beauty of the CLI is that it will only take about 15 minutes to execute from here on out for future projects!  cheers-

!
ASA Version 8.4(2)
!
!

! Disable the ESMTP fixup (inspection) or you will get communication errors between the Exchange servers

policy-map global_policy
class inspection_default
no inspect esmtp

!
interface Vlan1
 nameif inside
 security-level 100
 ip address %InsideInterfaceIP% 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address %OutsideInterfaceIP% 255.255.255.248
!
interface Vlan90
 nameif DMZ
 security-level 50
 ip address %DmzInterfaceIP% 255.255.255.0

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network %obj-InsideSubnet%
 subnet %InsideSubnet%
object network %obj-DmzSubnet%
 subnet %DmzSubnet%
object network Exch-Edge
 host %ExchangeEdgeServerIP%
object network Exch-Hub
 host %ExchangeHubServerIP%

access-list dmz_allow_in extended permit tcp object Exch-Edge object Exch-Hub eq smtp
access-list dmz_allow_in extended permit tcp object Exch-Edge object Exch-Hub eq 50389
access-list dmz_allow_in extended deny ip object %obj-DmzSubnet% object %obj-InsideSubnet%

access-list dmz_allow_in extended permit ip object %obj-DmzSubnet% any
access-list outside_access_in extended permit tcp any object Exch-Edge eq smtp

object network %obj-InsideSubnet%
 nat (inside,outside) dynamic interface
object network obj-10.0.8.0
 nat (inside,outside) dynamic interface
object network %obj-DmzSubnet%
 nat (DMZ,outside) dynamic interface
object network Exch-Edge
 nat (DMZ,outside) static %AvailablePublicIPAddress%
object network Exch-Hub
 nat (inside,DMZ) static Exch-Hub service tcp smtp smtp

access-group outside_access_in in interface outside
access-group dmz_allow_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 %DefaultGateway% 1
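To sanity-check the DMZ policy before committing it, here is an added Python example (not from the original post) that parses the object network and access-list lines in the style above and evaluates sample flows against dmz_allow_in with the ASA's first-match, implicit-deny semantics. The %placeholder% names and addresses are replaced with made-up RFC 1918 values, and only the object/host/subnet/any and eq-port forms used in this config are parsed.

```python
import ipaddress
# Constructed sample: the object and dmz_allow_in lines from the post, with the
# %placeholders% replaced by made-up RFC 1918 addresses (not the author's values).
ASA_CONFIG = """
object network obj-InsideSubnet
 subnet 10.0.1.0 255.255.255.0
object network obj-DmzSubnet
 subnet 10.0.90.0 255.255.255.0
object network Exch-Edge
 host 10.0.90.10
object network Exch-Hub
 host 10.0.1.20
access-list dmz_allow_in extended permit tcp object Exch-Edge object Exch-Hub eq smtp
access-list dmz_allow_in extended permit tcp object Exch-Edge object Exch-Hub eq 50389
access-list dmz_allow_in extended deny ip object obj-DmzSubnet object obj-InsideSubnet
access-list dmz_allow_in extended permit ip object obj-DmzSubnet any
"""

def parse_asa(text):
    """Return (objects, acls): object name -> ip_network, ACL name -> list of ACEs."""
    objects, acls, current = {}, {}, None
    for tok in (line.split() for line in text.splitlines()):
        if tok[:2] == ["object", "network"]:
            current = tok[2]
        elif tok[:1] == ["host"]:
            objects[current] = ipaddress.ip_network(tok[1])
        elif tok[:1] == ["subnet"]:
            objects[current] = ipaddress.ip_network(f"{tok[1]}/{tok[2]}")
        elif tok[:1] == ["access-list"]:
            acls.setdefault(tok[1], []).append(parse_ace(tok[3:], objects))
    return objects, acls

def parse_ace(tok, objects):
    """Parse one ACE such as ['permit','tcp','object','Exch-Edge','object','Exch-Hub','eq','smtp']; smtp -> 25."""
    action, proto, rest, ends = tok[0], tok[1], tok[2:], []
    for _ in range(2):  # source, then destination; 8.3+ ACLs match real (pre-NAT) addresses
        if rest[0] == "any":
            ends.append(ipaddress.ip_network("0.0.0.0/0")); rest = rest[1:]
        else:
            ends.append(objects[rest[1]]); rest = rest[2:]
    port = ({"smtp": 25}.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, ends[0], ends[1], port

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation of one flow; an ASA ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, s, d, port in acl:
        if p in ("ip", proto) and src in s and dst in d and port in (None, dport):
            return action
    return "deny"
```

Swap in your own addresses and ACEs; if a flow you did not intend comes back "permit", the ACL order is wrong before it ever reaches the box.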

----------------

On the Hub server, execute the following in PowerShell:

Test-EdgeSynchronization
 
You should get something like: 
 
RunspaceId                  : 37d7fde9-8ed4-48d6-a90c-f0c9255b1d13
SyncStatus                  : Normal
UtcNow                      : 2/23/2012 7:05:39 PM
Name                        : EdgeServerName
LeaseHolder                 : CN=,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=
LeaseType                   : Option
FailureDetail               :
LeaseExpiryUtc              : 2/23/2012 7:34:29 PM
LastSynchronizedUtc         : 2/23/2012 7:04:29 PM
TransportServerStatus       : Skipped
TransportConfigStatus       : Skipped
AcceptedDomainStatus        : Skipped
RemoteDomainStatus          : Skipped
SendConnectorStatus         : Skipped
MessageClassificationStatus : Skipped
RecipientStatus             : Skipped
CredentialRecords           : Number of credentials 3
CookieRecords               : Number of cookies 2 

Sunday, March 27, 2011

Connecting to a Hyper-V connected to a domain from your workstation via VPN

http://dannythorpe.com/2008/06/21/hyper-v-remote-management-workgroup-vista-client-to-domain-bound-server/

Thursday, May 27, 2010

Open-Audit

What kind of hardware specs do the boxes on my network have?  Namely RAM, CPU, hard disk space, etc.

For answers to those questions and more, turn to our new favorite auditing system:  Open-Audit.

This took a bit of finagling, but once set up, we were most happy with the results.  What took me a few hours to figure out and document has been distilled to a setup that should take ~15 minutes.  Enjoy!

==============================================================


SETUP://

Install XAMPP from http://www.apachefriends.org/en/xampp-windows.html and accept all the defaults during the setup routine.

If the machine you are installing to is already running a web server (e.g. IIS), you will need to change the port before starting up the service by modifying:

C:\xampp\apache\conf\httpd.conf

-Change all the port 80 entries --> 8080 or something similar

Start up both Apache & MySQL using the XAMPP control panel.

Download Open-Audit and extract its contents to c:\xampp\htdocs\openaudit  (as the end result, you should see a ton of PHP files in this folder).

Open a web browser to:  http://localhost:8080/openaudit/setup.php

-just click Next all the way through

==============================================================

CONFIGURE AUDIT://

Edit C:\xampp\htdocs\openaudit\scripts\audit.config.  Look for the following lines and modify them appropriately:

'
' Standard audit section
'
audit_location = "l"
audit_host="http://SERVERNAME:8080"

audit_local_domain = "y"
'
local_domain = "LDAP://Domain.local"
'
' Nmap section
'
nmap_tmp_cleanup = true                   ' Set this false if you want to leave the tmp files for analysis in your tmp folder
nmap_subnet = "172.22.4."                 ' The subnet you wish to scan
nmap_subnet_formatted = "172.022.004."    ' The subnet padded with 0's

==============================================================

INITIATE AUDIT://

C:\xampp\htdocs\openaudit\scripts> CSCRIPT audit.vbs

Saturday, May 1, 2010

i'm a tool


i have been blessed/cursed with a mind that is incessantly trying to figure things out.  i see a fountain in the park and instantly questions arise:  is the water fresh?  how is the water being pumped up to the top of the fountain?  how big of a pump does it take to move that much water?  is there more than one pump?  do kids throw coins into the fountain?  does someone regularly clean out the coins?  how does the city handle the 'proceeds' from the fountain?  do they have to chlorinate the water?  how much water does the fountain hold? and on and on and on.

it's not good enough to know that it works, i want to know how the system works all the way down to the basic elements.  in an ideal world, i would like to know enough about a system so that i can instinctively know what the basic pieces of the system are doing for any particular output.

clearly there are some systems that i want to know more about than others.  computers & networking, for example, have always fascinated me.  i want to know what makes them tick, and want to understand the why and the how of it all.  i think that's what makes me good at my job.  when i encounter a problem, i want to know how the problem came to be, and understand how all the variables played a part in creating it.  oftentimes, i resort to workarounds or just don't have the energy to do it because i'm burned out, but if there were no time constraints it would give me comfort to get to the root cause of them all.

another system that i'm very curious about is earth's biosphere.  specifically the role of the male of the species Homo sapiens.

here are some things that i find fascinating:

in higher life forms, there are two sexes, male & female
new life is by default female, it requires an external trigger to start a chain of events to create a male
therefore males are a more specialized version of the species

specialized to what end?  mostly for war with all the other males, if you look at the male competition for females in nature.

gentlemen, i take no pleasure in telling you this, but the human male is built for war.  war can assume many different forms, physical war (guns, swords), mental war (politicking), and on some levels i'm sure.

so how does my life fit into all of this?  i feel that males are a specialized form of the human species.  take a female brain, mitigate the emotive sources, tune it to solve problems, remove the child bearing systems to increase physical performance and you end up with a man.

the way i see it, we were created by women to serve them.  the sole reason for your existence is to provide for a woman.

Monday, April 5, 2010

Weekend Athlete!

i'm doing my 1st triathlon april 25th. it's a sprint and i've been training hard to stay out of the bottom fourth.

to lug my bike around, i'm using a 2002 lexus is300 sportcross. i have really enjoyed this car, but i'm always apprehensive about transporting the bikes (especially the mountain bike) since i feel like the carpeting is getting trashed.

i'm thankful for the hatch and fold-down seats, but loading/unloading the bike (or bikeS for that matter) is never a task i look forward to. so--i'm seriously considering a Honda Element.

while doing research, i found the most rad site. cars.com has a guy that reviews sport utility vehicles from the perspective of the weekend athlete. check it out here.
of course he found the element THE most weekend athlete friendly car. here's what i love about it:

1) the interior is hoseable--rubber mats are there to handle muddy tires
2) you can stow your bikes vertically inside
3) it has a tailgate
4) it handles like a car
5) if you lay down the front and back seats, they form a nice impromptu bed to chill out on.
6) supposedly the seats are comfortable for long distance treks.

oh and my favorite--a crotch rocket will fit inside!!  (one of my dreams is to race a motorcycle around a proper track)

without further ado--here's the review!


"error sending" or "authorization error" scanning from a Brother MFC 8480


installed the 3/2010 firmware update and beat my head against the wall for an hour trying to get it to scan to a UNC path. you never know what kind of funky syntax the different vendors want. one time on a Canon Aficio, i had to enter the domain name in ALL CAPS. so i tried all kinds of combinations of slashes after the path, before the path, yada yada yada.

i gave up and called support. turns out that Brother is aware of this issue and that they are working on a patch.

in terms of features, i like what this unit offers. it has a nice and large LED panel which provides intuitive access to up to 10 SCAN TO destinations, and provides the standard copy/fax functions of course.

You can assign any of the 'scan to' slots to a respective UNC path or FTP server.

simple & straight-forward scanning to a share--the only way to do it. HP--you guys should learn a lesson from these other guys.