Techienoobie

How to Hack a WPA Wireless Network (Wifi) using Aircrack-ng and John the Ripper

2015-02-13T10:15:00.001+08:00

Here is a video tutorial I created showing how easy it is to hack a wireless network using WPA keys for their security. It's a short 12 minute video and I hope you find it not only instructional, but also liberating. After all, informed people make the best decisions.

John the Ripper (JtR) cracks passwords offline. That is, "incorrect number of passwords entered limit" does not affect JtR. As you can see in the video, using aireplay-ng, fake deauthentication packets were injected to the wireless access point to force all users to reauthenticate (without them knowing it). During reauthentication, the WPA keys are exchanged between the client and the wireless access point. This exchange was recorded into a file "wificrack.cap" and the hashed PSK (Pre-Shared Key) was then cracked using JtR. In the video, you can also see that the output file of airodump-ng can be opened using Wireshark. Opening the cap file with Wireshark reveals a lot of information about the clients connected to the wireless access point. For instance, we know the wireless AP is a Cisco-Li (Cisco-Linksys), and the WPA handshake captured was from an Apple device. The MAC address is even shown!

The objective of this tutorial is to show everyone how to easily hack a wifi, when everyone knows how, they can start thinking of ways to mitigate, or avoid being hacked. A few of the things you can do are:

1. Never use a password that is common. Common passwords are birthdays, the words passwords, famous movie characters (regardless of what era they are, such as Obiwankenobi, Master Yoda, AttilatheHun, etc.) adding numbers to them doesn't make the password difficult to crack. Maybe you added an additional 15 minutes to the time it takes to crack the weak password without appending any special characters to them.

2. Never trust websites (including your own bank sites) that do not use two-factor authentication. two factor authentication are those that require a secondary authentication to gain access (such as a SMS code, or a RSA token key). If your back or credit card websites don't use two-factor authentication, simply do not use it.

3. In your wifi, use passwords that are greater than 8 characters in length, with a capital letter, special characters, and some numbers.

4. This is not in the video, but do not use WPS and WEP keys in your Wifi. Just use WPA or WPA2 on AES. Reaver can be used to hack through WPS (Wifi-Protected Set-up) in your Wifi. WPS is less secure than WPA, while WEP is the least secure Wifi authentication method.

Freeing Disk Space in Kali Linux (Basic steps), Especially the apt-get Cache

2015-02-04T12:08:00.000+08:00

Kali is a Debian-based Linux developed with penetration-testers in mind. Think of it as a toolbox. It is basically a Debian Linux, but with all the penetration testing tools installed, for free. This includes Metasploit, OpenVAS vulnerability scanners, exploitDB, Hydra, aircrack-ng, John the Ripper, etc. These come on top Linux's common formidable tools such as OpenSSH (for creating tunnels), netcat, and nmap to name a few.

Since Kali is Debian, then the method used here do apply to any Debian-based Linux systems (+ Ubuntu). Although, since we are talking about Kali, which is usually ran as 'root', then most of the screenshots will show that the user is running the commands as root. If you are not logged in as root, just add the word 'sudo' in the beginning of every command. For example: instead of issueing command 'apt-get clean', type 'sudo apt-get clean'.

Let us assume, you get an error in your Kali Linux saying that you are running out of space. In the screenshot below, My Kali is running on Oracle VirtualBox with a dynamically allocated 15Gb of space. Technically I don't have to worry about disk space because the Virtual Disk will expand when needed. But I still want to free some space.

You get an error that you are running on disk space. Kali

Step 1: Check Disk space and where you are consuming space the most. Use df -h. the '-h' option in df is to format the result in 'human-readable' format.

df -h results show the entire disk is "full"

In this example, it seems the entire disk (virtual disk) is full. But we still need to know what folders are the largest, etc. So we use the Linux Disk Utility du.

Step 2: Use 'du' to show the top 10-30 consumers of space. You can use this iteratively going from one folder then digging deeper into its subfolders until you are satisfied that you have pinpointed what folders you need to remove/purge in order to free space.

first du attempt is from the '/' top folder.

The syntax is:

du <directory> -ka | sort -n -r | head -n<number to show>

The options explained:

-ka: -k forces du to count in kilobyte blocks. while -a forces du to count all files, not just folders/subdirectories. We need -k becase the "sort" pipe cannot distinguish between bytes, KB, MB, GB, etc. It only sorts based on the numbers from largest to lowest (or vice versa).
sort: sorts a text output. -n instructs sort to sort numerically (by string numbers), while -r instructs sort to show the output in reverse (instead of from lowest to highest, it will be sorted from highest to lowest.
Lastly head instructs the IO to output only the top 10 (by default), and not to show the rest. the -n<#> changes the output from the default 10, to the number specified.

In our example above, it is clear that /user and /var/cache are the two largest folders. We can iterate through du to check the subfolders inside /usr and /var/cache that contributes most to disk space.

the du (sorted) results for var/cache

The du results for var/cache (shown in the right) reveals that it is the apt-get archives that are consuming too much space. Specifically the metapsloit framework archives.

note: before I wrote this article, I already know that I need to purge the apt-get cache. the apt-get cache really does tend to get big especially if you are upgrading without the 'autoremove' option. But the article shows a series of repeatable steps to be performed, in case its not the apt-cache that is the culprit.

Step 3: Proceed to delete the files. You can use rm -rf <file_name> to remove the files. you can even use wildcards such as * and ?.For example, you can delete rm -rf /home/archives/* to delete everything in /home/archives.

However, since we are dealing with the apt-get archives/cache, there is a safer way of dealing with it instead of doing a rm -rf. Use apt-get clean, or apt-get autoclean. Here's the difference:

apt-get clean removes all packages downloaded (even those not yet installed) except those locked packages in /var/apt/cache/archives and /var/apt/cache/archives/partial.
apt-get autoclean is a little smarter. It removes old packages and archives which are unlikely to be used. For example, outdated packages where a new package is already downloaded. Although, autoclean removes less archives in the apt-get cache, then clean.

apt-get clean does not show an output, but a quick df -h reveals significant space have been removed.

Step 4: Verify the process and if necessary repeat steps 1-3. As shown in the picture above, verify by doing df -h again (step 1), and doing another iterative set of du (step 2). Do steps 1-3 repeatedly until you are satisfied you have purged all the unwanted files.

Another du head in /var/cache reveals we successfully purged the metasploit archives, and other var/cache apt files. We can continue to delete other /var/cache files as necessary if we have not yet freed enough disk space.

Practical Advice in Pursuing the Project Management Professional (PMP) Credential

2015-01-27T21:18:00.003+08:00

Recently, I became a Project Management Professional (PMP) credential holder. I personally find the exam tough and the entire process stringent. Thus, I consider this achievement a milestone in my career.

In this blog, I will give advice, based on my own experience, how one can maximize the effort, and financial resources required to achieve the credential.

Just recently somebody asked me what my foremost advice would be if someone is seriously working into achieving the PMP certification. My foremost advice is also the most obvious.

1. Become a member of Project Management Institute (PMI). The benefits of membership are numerous. First, you get an immediate savings of approximately $10.00 in your application fee. The application fee for CBT (Computer Based Test) is $405 for members, and $555 for non members. To become a member, you are charged some $140 membership fee. Thus, in all, a new PMI member PMP applicant is charged $545, versus $555 for non-members. BUT (the big BUT), as a member you get free access to the Project Management Book of Knowledge (PMBok), latest edition, which is the basis of 90% of the PMP exam questions. Also, as a PMI member, you get access to the MyPMI dashboard (a portion of which is shown above). The dashboard makes it easy for you to apply for the credential online. Applying online is a big relief. PMI requires you to fulfill 4,500 project hours for degree holders, or 7,500 project hours for secondary school (high school) diploma holders. These project hours should have spanned all five process groups (initiating, planning, executing, monitoring and controlling, closing); and they have to be non-overlapping. These hours also need to be logged for each project, and confirmed by your direct supervisor.

I had a colleague who did the project hours logging using PMI paper forms. They are tedious, and tend to be messy. . The online application form is cleaner (shown in the right), and makes it easier for you to track if you already reached the required number of hours to apply for the credential.

Which brings me to my next advice.

2. Make sure to log your project hours accurately, and discuss the project description with your manager. The application process allows for certain liberties, after all the project hours are estimations. But if your application is selected for audit, your manager will be required to confirm (by a signature, with comments on a sealed envelop) your application - particularly the project hours, duration, and description. This also means...

3. Do note lie in your application. According to PMI, only a small percentage of applications are audited. But if you are selected for an audit, you have 90 days to complete the audit requirements such as: sealed signed confirmation from each of your project's direct supervising manager/lead, a copy of your diploma, etc. They are easy to cheat -- yes, but on occasion PMI do call your referees. Thus, it is advisable to discuss the project description in your application to your project's direct supervisor before you hit the "submit button". You can actually print your incomplete online application form in PDF format. Use this feature to print your application, and discuss with all stakeholders if the hours and project description logged is accurate as per their recollection. Being transparent with your bosses and getting their approval of your application is audit-fail-proof.

4. Read the PmBOK 5th edition from cover to cover, including the X.1 appendices. Also read the PMI code of conduct/ethics. When I took the exam, 90% of the questions are in the PMBok 5th edition. If you already read the PMBok, make sure you read, and UNDERSTOOD everything, including the appendices. Some form of memorization may be required, but a good command of the entire concept is needed to pass the exam. I passed the exam on the first take, but I did took the time to understand the concept, not just memorize them.

For example, remember the difference between the 'Perform Quality Assurance' process, and the 'Control Quality' processes. Quality audits are in the former, while inspection is a technique in the latter. If you ask me how I remembered it until the exam, its simple.... I took note of the key concepts on each process, including the ITTO (Input, Tools and Techniques, Output). In my example, the key concept to remember is that the 'Perform Quality Assurance' is concerned about auditing if the project team is applying the process correctly as planned, and according to your company's guideline; while 'Control Quality' is concerned if the project's products are as per the requirements.

So let me test you, after briefly discussing the difference between the two processes, can you differentiate between Validate Scope, Control Scope, and Control Quality? Which comes first, validate scope, or control scope?

There are other questions which you may think are not in the PMBoK Guide, but its there. If you already read the PMBok guide, would you know the difference between a standard and a regulation? Also, is the Project Management Body of Knowledge (aka PMBoK) a standard, or a regulation? Is it a methodology? The answer is in the PMBoK guide --  it is in the appendices! And YES, you will encounter these kind of questions in the exam. So read the entire guide, along with the appendices. Questions such as, "what are process inputs, and process outputs and how did PMI define process inputs and outputs" are in the exam, and they are in the PMBoK appendices.

While you're at it, also download the PMI lexicon, which is also a benefit of PMI members. you don't need to memorize every definition, but it comes in handy when reviewing definition of terms.

5. Practice tests are invaluable. Get your hands to as many practice questions as you can. Make sure you understand the answers especially those you got incorrect. There are a lot of free exam simulators out there. My personal favorite is http://www.pm-exam-simulator.com. What's good with pm-exam-simulator is that it does simulate the actual online exam, the look, the feel, the timer, etc. It was cool. The exam questions are also tough. I didn't pass any of them. But I did pass the actual exam.

There is also the PMWars segment at ProjectManagement.com. It's a good way to practice yourself in PMBoK concepts. Note that ProjectManagement.com is also managed by PMI so the PMWars questions are the kind you would expect in the exam.

There are also cheap simulators for iPad/iPhone/android - they are often cheaper than their online / PC counterparts. For my iDevices, I bought PMP Trainer for $10.00. It had 800+ questions, there is a study/trainer mode, and a 200-item exam simulator mode. For $10, it was a steal. When buying tablet/mobile phone PMP reviewers and simulators, check the time the application was last updated. Make sure it was updated recently to ensure that the exam questions are in line with the recent PMBok edition.

I did say that 90% of the exam are in the PMBoK Guide 5th edition. However, 10% of the questions aren't. They are usually found in some other management books, etc. Getting your hands into as many PMP quizzes and exams online. When you encounter a question from a simulator which is not in the PMBoK Guide, stop for a moment to take note of the question, then make sure you do additional readings regarding the subject. Usually, these concepts are mentioned briefly in the PMBoK guide but are not discussed thoroughly. Thus, it is very important to get your hands on every PMP quiz/test/simulator you can possibly get.

Lastly, make sure you are exposed to three or more exam preparation quiz/simulator. Most applications or simulators are biased on a particular subject and may phrase questions similarly. to avoid this bias, go through at least three different simulators. They need not be expensive. In my case, I bought one, and the two others are free.

6. Schedule the exam no more than one month after you reached a high degree of confidence that you will pass the exam. Either many people don't know this, or we are just accustomed to completing a task ASAP. After you get the confirmation email that your application has been verified and you can now schedule the exam, you actually don't have to rush to schedule the exam. You can wait... for the right time.

The exam is tough. It is composed of 200 questions, mostly situational kinds where at least 2 of the 4 choices seem correct. It will also test your knowledge of the PMI Project Management standard as outlined in the PMBoK. Questions like

"Jeff just finished the project charter, what should he do next: a. identify the team, b. develop the project scope statement, c. identify stakeholders, d. start collecting the requirements."

You should get used to seeing these questions (and answering them correctly). Once you start getting at least 80% in tough test-simulator exams, then its time to schedule the exam. Schedule the exam at most one month from the time your confidence level is already high. Once the exam is scheduled, continue to increase your review cycle, until 3-5 days before the exam, by which time, you should start easing down.

Goodluck and Happy Hunting!

How to configure TFTP Server in your Linux Machine (Debian), and how to solve Permission Denied Error (Error Code 2)

2014-06-13T15:14:00.001+08:00

I personally use a Virtualized Kali Linux in my Windows 7 machine to do a lot of things. Primarily to do IT security analysis and research for the companies I work with. But mostly, I find maintaining a Linux machine in an image comes in handy for a lot of things: I can use the Kali/Linux machine as an tftp/scp server to backup devices;

So suppose you want to copy startup-config files from your Cisco to your laptop running a virtual machine of Kali Linux, (Debian). Let us suppose further that your Cisco router/switch cannot do SSH otherwise, we'll just use scp which is safer, and does not need any further special configuration for Linux devices.

Here's how to do it:

Make sure you have the Virtual Machine in Bridged Adapter to your WIndows 7 machine's ethernet adapter. I'm using virtual box so in my case, I have to create a bridged adapter first. In Virtuabox (not in the Guest OS or Virtual Machine's Window) click File >> preferences >> Network. Then under tha tabe Bridged Adapters, create at least one adapter.

Machine

Settings

etwork

** Bridging will not work when you hav eport-security configured in the switchport where the computer is plugged. This is the case in most enterprise networks. If you are doing this inside your office and you are not getting a DHCP IP address, you better ask your network engineer/corporate IT if port-security is enabled.

Install (if not yet installed) tftpd: apt-get install tftpd. If you are not using Kali Linux, you are most likely not root, so add "sudo" before the apt-get command.
Once installed, configure inetd. Open /etc/inetd.conf with your favorite text editor (i.e. vi /etc/inetd.conf, or leafpad /etc/inetd.conf)
Inside inetd.conf, there is a line there pertaining to tftp, uncomment (remove the # sign before it). Mine looks like the picture below. Note the encircled portion of the picture, that is the path to where tftp will put/get the files to/from.

In this example., /srv/tftp is the default folder. You can change this.

TFTP is an authentication-less file transfer using UDP packets. Thus, permissions must be configured properly for this folder. Using the above picture as an example, do chmod -R 777 /srv/tftp. Again, if you are not the root user, you may have to add the command "sudo" in front.

Restart inetd: <sudo> killall -1 inetd, then to start it again, just type, inetd.

Check that the tftpd service is installed. do lsof -i and you should see something like this (notice the tftp services listening on particular ports):

Results of lsof -i

You are now ready to use tftp. login to your cisco device telnet <IP address>. Then from your Cisco device, type copy startup-config tftp: specify the correct answer to all the following questions, then you will be faced with this error!

Cisco4#copy startup-config tftp:

Address or name of remote host []? 10.48.2.61

Destination filename [Cisco4-confg]?

TFTP: error code 2 received - 16739

%Error opening tftp://10.48.2.61/maphl2sw04-confg (Permission denied)

That's because Linux TFTP servers will not allow anyone to write a file to its default location unless the filename exists and has proper permissions. Thus, to resolve this, you need to create the file, and give it permission 666, as per hte below picture.

touch is the command to create the file

After that tftp is successful.

Cisco4#copy startup-config tftp:

Address or name of remote host []? 10.48.2.61

Destination filename [Cisco4-config]?

!!20645 bytes copied in 0.109 secs (189404 bytes/sec)

Cisco4#

**Note: tftp is an unsecure way to download upload files. Always use scp or sftp is you are given a choice.

How to Install Windows 7 on a UEFI enabled Computer

2014-06-08T02:04:00.001+08:00

We recently bought a Lenovo T-440s amd immediately loved it, except it came with a Windows 8 Professional, 64-bit. It had "downgrade rights" for Windows 7 Pro 64-bit. Unfortuantely, our corporate IT environment does not (yet) encourage Windows 8 especially in laptops nor desktops, so I really was obligated to downgrade it to Windows 7 Pro/Enterprise.

The T-440s is Windows 8 optimized and is UEFI and secure-boot enabled. As an IT professional, I am also interested in how UEFI works (later I'll write a blog after I successfully installed Kali Linux on dual-boot in a UEFI system) and if it indeed delivers to is promise. UEFI is explained in detail here. Microsoft also explains UEFI and how it is here.

Do note that UEFI systems behave differently depending on the model and brand of the computer. This how-to post is specifc to the T-440s. While the concept and the general procedures may be the same as with other laptops (i.e. Acer, Asus, HP, Dell, etc.) the behavior may differ slightly.

The Objective: Install Windows 7 Professional 64-bit on a UEFI enabled Lenovo T-440s.

Before we begin, let us first discuss what are the differences between installing Windows OS in UEFI and in non-UEFI mode (aka Legacy Boot Mode)

UEFI installation of Windows 7 only works in 64-bit installations.
UEFI does not work in Win XP.
By default T-440s ships with Windows 8 and with UEFI and Secure Boot enabled. However Windows 7 normally is not for UEFI systems. If your Lenovo Thinkpad T-440s ships with Windows 7, the settings may have been changed.
The Lenovo Thinkpad T-440 does not have a CD/DVD Drive, you have to either attach a removable drive, or create a EFI-bootable Windows 7 USB Stick.

Here's how:

Go to the BIOS Setup by rebooting your Lenovo Thinkpad T-440s then, repeatedly press F1 until you get to the BIOS Set-up Screen.
Go to the <Security> Tab then disable Secure Boot

Step 2: Disable Secure Boot

Go to <Startup> Tab then set UEFI/Legacy to UEFI Only. Change the CSM Support Setting to Yes.

Step 3. Set Startup to UEFI Only but say yes to CSM Support

Note: If you did not set CSM Support to yes, Windows 7 installer will hang at the windows 7 screen.

Save and Exit. Reboot the Thinkpad T-440s and this time, repeatedly press F12 to get you to the Boot sequence screen. Choose CD?DVD Media or USB if you are using a bootable USB stick installer.

Proceed to the installation until you get to the partition part. Do not partition. Instead, press Shift-Fn-F10.

A command prompt will appear, type diskpart.

Type list disk to show the list of available disks. Take note of the disk you will partition.

Give the following commands inside diskpart:

select disk (disk numnber)

clean

convert gpt

exit

Continue with the Windows 7 Installation. Ignore the "cannot continue installation" error message.

After you have finished installing, you can verify if indeed you are booting your Windows 7 in UEFI mode. On your first boot without the windows 7 installation media, go to C:\windows\Panther\setuppact.log. You would want to see if CallBack_BootEnvironmentDetect. It should say: Detected Boot Environment: EFI.

And that's how easy it is done. Thanks for reading.

Configuring Cisco WLAN with multiple SSIDs in different VLANs - Part 1

2014-03-04T18:30:00.000+08:00

note: Screenshots and configuration examples are using a Cisco 2500 series WLAN controller (aka WLC). The Cisco 2500 series controller is connected to a cisco 3750 or 3650 L3 switch. This article assumes that inter-VLAN routing is already working and only the WLAN controller needs to be configured.

Usually, enterprise networks are on multiple VLAN environment. The Wifi access points provide access to each of these different VLANs by broadcasting different SSIDs attached to different WLAN profiles. Let's say we want to configure our WLAN controller to broadcast two SSIDs namely:

1. GUEST on VLAN 5 (10.8.5.0/24);
2. IT-Department on VLAN 13 (10.8.6.0/24);

Also, let's assume VLAN 219 is pre-configured with the following information:

1. VLAN 219 is NETWORK-VLAN @10.8.219.0/24)
2. interface vlan 219 IP address is 10.8.219.1
3. a DHCP server located in VLAN 219 with IP address 10.8.219.50/24.
4. WLAN controller will be configured with IP address 10.8.219.251 in VLAN 219
5. the Access Points (APs) 10.8.219.248-250, also in VLAN 219.

There are two parts to this task. First is the VLAN configuration required in our 3750/3650 layer 3 switch which will be discussed in this article. Part 2 is configuring our WLAN controller with the WLAN profiles, SSID, and interfaces. For brevity, I will skip discussion on inter-VLAN configuration and assume that that the network converges, and inter-VLAN routing is configured properly.

Part 1: Configure the 3750/3650 layer 3

1. Configure the port interface in our L3 switch as a trunk:

interface GigabitEthernet1/0/23
   description *** LINK TO WIRELESS-CONTROLER ***
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 5, 13
   switchport mode trunk
   !The next commands are optional
   switchport trunk native vlan 219
   udld port aggressive

"switchport trunk allowed VLAN <ID>" command explicitly defines what VLANs are only allowed in the interface. In this case, only VLANs 5 (Guest) and 13 (IT-Department) are allowed. This can be optional but I would recommend you do this to minimize broadcasts traversing through the trunk.
"switchport trunk native vlan <ID>" command changes the native VLAN. By default, the Native VLAN is 1. But this is already expected so we change it. The native VLAN is where all vlan traffic converges and traverses. This command is optional.
"udld port aggressive" is an optional configuration. It detects if the link is uni-directional and adjusts accordingly to avoid spanning-tree loops. All ports should support UDLD aggressive mode in order to work.

2. Configure the the VLANs.

In this example (for simplicity), we will only create 2 VLANs with /24 subnet. First we create the VLANs. I usually create VLANs with names so I can easily identify them.

Cisco 3750(config)#vlan 5
Cisco 3750(config-vlan)#name GUEST
Cisco 3750(config-vlan)#vlan 13
Cisco 3750(config-vlan)#name IT
Cisco 3750(config-vlan)#exit
Cisco 3750(config)#

Then verify if the the VLANs where created:

Cisco 3750(config)#end
Cisco 3750#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
5    GUEST                            active
13   IT                                  active
219 NETWORK-VLAN                     active    Gi1/0/24

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

     == output truncated for brevity ==

Then, we create the VLAN interfaces and assign the IP addresses. The "ip helper-address" command is necessary if the DHCP server is not in the same VLAN as the interface we are configuring.

interface Vlan5
   description GUEST
   ip address 10.8.5.254 255.255.255.0
   ip access-group DENY_VLAN_5 out
   ip helper-address 10.8.6.10

interface Vlan13
   description IT-DEPARTMENT
   ip address 10.8.6.1 255.255.255.0
   no ip unreachables
   ip helper-address 10.8.219.50

3. Configure the Access-list to allow GUEST VLAN to communicate directly to internet, and not through the internal LAN

ip access-list extended DENY_VLAN_5
   permit ip 10.8.50.0 0.0.0.255 host 10.8.219.50 eq 67, 68

   deny   ip 10.8.5.0 0.0.0.255 10.0.0.0 0.255.255.255
   permit ip any any

In this access-list, notice that the only allowed traffic to the 10.8.0.0/16 network is to 10.8.219.50 on ports 67 and 68 (DHCP required ports). The configuration does not allow traffic through DNS! That is because the DHCP should be configured to assign a public DNS (i.e. 8.8.8.8). This is to minimize the traffic to the internal 10.8.0.0/16 network.

Next, we assign the ACL to interface VLAN 5 (GUEST):

interface Vlan5
    description GUEST
    ip address 10.8.5.254 255.255.255.0
    ip access-group DENY_VLAN_5 out
    ip helper-address 10.8.6.10

4. <Alternative Configuration> - Configure a DHCP for the GUEST VLAN, then configure an Access-List that will ensure GUEST VLAN only communicates to the internet

Usually, if a Guest VLAN is concerned, I do not use a DHCP server. This is because, as mentioned in item number 3 above, I do not want ANY communication to my internal network 10.8.0.0/16 from the Guest VLAN. So I assign the DHCP configuration

ip dhcp pool GUEST
    network 10.8.5.0 255.255.255.0
    default-router 10.8.5.1
    dns-server 8.8.8.8 4.2.2.2

If I configure the switch based DHCP for GUEST, then my GUEST VLAN Access-list is simplified to:

ip access-list standard Deny_VLAN_5
   deny   ip 10.0.0.0 0.255.255.255
   permit ip any any

interface Vlan5
    description GUEST
    ip address 10.8.5.254 255.255.255.0
    ip access-group DENY_VLAN_5 out
    ip helper-address 10.8.6.10

Isn't this much simpler? Now, all required configuration in the L3 switch is complete. We will now configure our WLAN Controller.

Part 2: Configure the WLAN Controller

<Please click the link to proceed to Part 2>

Configuring Cisco WLAN with multiple SSIDs in different VLANs - Part 2

2014-03-04T18:28:00.002+08:00

This is part 2/2 of the series. Part 1 discussed the assumptions and the required layer 3 switch configurations. Please read part 1 prior to reading part 2 You can view part 1 here.
======================================================================
note: Screenshots and configuration examples are using a Cisco 2500 series WLAN controller (aka WLC). The Cisco 2500 series controller is connected to a cisco 3750 or 3650 L3 switch. This article assumes that inter-VLAN routing is already working and only the WLAN controller needs to be configured.

======================================================================
IMPORTANT REMINDER: before you do all the configuration, note that the LWAPP image version cannot be higher than that of the WLAN controller. a quick "show version" command on both the WLC and the LWAPP will save you all the time and effort.

From LWAPP: the default username is "Cisco" and password is "Cisco":

output of show version:

cisco AIR-CAP702I-F-K9 (MIPS74k) processor (revision 01) with 73728K/57344K bytes of memory.
Processor board ID KWC184402C5
MIPS74k CPU at 40Mhz, revision number 0x0000
Last reset from power-on
LWAPP image version 7.5.1.33
1 Gigabit Ethernet interface

AIR-CAP means this is a Lightweight Access Point (aka a Controller-based Access Point). If it says AIR-WAP, then this is not a controller-based access point and will therefore not associate to the Controller.

From the Controller:

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 7.4.121.0

Bootloader Version............................... 1.0.20

Field Recovery Image Version..................... 1.0.0

Firmware Version................................. PIC 16.0

In this case, configuring the WLAN controller and the LWAPP will not work. the LWAPP will not associate. We will need to either downgrade the image of the LWAPP, or upgrade the image of the WLAN Controller.

=======================================================================

Part 2: Configure the WLAN Controller

In the first part, we discussed the Layer 3 switch configuration requirements. In case you missed it, please read the first part of this article here: Configuring Cisco WLAN with multiple SSIDs in different VLANs - Part 1

As usual, the first thing to do is plug the WLAN Controller's port 1 to the trunk-configured port in the L3 switch (discussed in part 1). Port 1 is the green colored portin the figure below.

The other 3 ports will be connected to your APs (Access Points). For brevity, we will not discuss configuring licenses and upgrading firmware in this article.

1. Configure the Controller's via the Start-up Wizard.

The first thing we need to configure is the WLAN controller's IP address, hostname, domain, etc. The others can be configured once we set-up the controller via its web interface. The simplest way to do this is to use the startup wizard. You will need to attach the controller's console port to a computer and open terminal services in your computer using the following:

9600 baud
8 data bits
No flow control
1 stop bit
No parity

Power-on the device. The controller will show a boot-up sequence followed by a start-up wizard asking you a series of questions. If you did not see a start-up wizard then the controller was already pre-configured. to reset the controller, you can use a pencil and hold down the reset button at the back of the controller for 3 seconds until the controller reboots and the start-up wizard shows up again.

The startup wizard is straightforward and self-explanatory. You will need to enter the following information:

System Name - the same as the hostname of the controller;
Administrative User Name - the admin user name to login to device;
Administrative Password - admin password to login to device;
Management Interface IP - the IP address of this Controller. As discussed in part 1, the WLAN controller IP is 10.8.219.251 (you can change this according to your network topology). The subnet mask is /24 or 255.255.255.0;
Management Interface Default Router - is the Gateway IP address. Put the IP address of the gateway which, as per part 1, is interface VLAN 219 which is 10.8.219.1;
Management Interface VLAN Identifier - "0" or untagged. This is because we will be plugging the management interface (assigned to port 1) on a trunk switchport.
Management Interface Port Number - this is the port number where you intend to plug your. We intend to make port 1 as the management interface port. Thus put "1".
Management Interface DHCP Server - the IP address of your DHCP Server;
Virtual Gateway IP address -Just use whatever default value is in there (1.1.1.1);
Network Name (SSID): This is the defaul SSID the APs will associate to when they go online. You can assign GUEST as the default SSID. Alternatively, this can be configured later;
Configure DHCP Bridging Mode - No;
Allow Static IP Address from Clients - Yes/No;
Configure a Radius Server? - No. For simplicity, we will not use a Radius server for dot1x authentication. You can change this later.

For the rest of the questions, just use the default value or yes. For NTP servers, you can assign an NTP server's IP address or Fully Qualified Domain Name. If you have none, you can skip this. All the configuration settings asked can be configured or re-configured/changed later.

Once the Start-up Wizard is complete, and the WLAN controller is already plugged to the L3 switch, we can access the controller via http or https (for security reasons, we will disallow http access to it later).

2. Configure the Access Points.

Plug all your Access Points (APs) either to the WLAN Controller, or the L3 switch. The WLAN Controller will immediately know if the APs are powered up and add them to its database.

In case they are not "found" within the first 3 minutes, you will need to configure the APs via console. The Com1 port parameters are the same as part 1 of this article. Once you are logged into console, issue the following commands:

a. Assign an IP address in the ap via this command:

capwap ap ip address <ip address> <subnet mask>

b. Define the WLC controller where the ap should attach

capwap ap controller ip address <ip address of controller>

c. Define the WLC gateway (in our example, the IP address of interface VLAN 219).

capwap ap ip default-gateway <ip address of gateway>

After these series of commands are entered, we will configure the rest via the Web GUI. Just follow the instructions below:

Configuring APs using WEB GUI:

Login to the WLAN Controller via http://10.8.219.251 or https://10.8.219.251 (the Management Interface IP Address). Inside, go to the "Wireless" tab and configure each of the AP radios in its inventory:

Click on AP1PH, AP2PH, AP3PH and configure them appropriately:

In the General Tab - specify the Static IP, Netmask, AP Name, Location, AP Mode, etc. as shown in the figure below. As per part 1 of this Article, the AP IP addresses will be from 10.8.219.248 to 250.

In the Credentials Tab - leave everything unchecked (default).

In the High-Availability Tab - specify the primary controller as "this controller"

Lastly in the Advanced Tab - configure it as shown in the picture below except, put your own country code; and check telnet and/or ssh if you wish to be able to connect directly tot he AP via telnet or SSH. In the diagram below, the AP has a power injector and thus is using the power injector's MAC Address. In most cases, this is automatically populated.

Once each of the APs are configured, click "Apply" in the upper right hand corner of the screen. We will proceed in configuring "interfaces".

3. Configure Interfaces.

An interface is configured to "attach" specific WLAN Profiles to it. The interfaces defined identifies the VLAN association of a wireless profile. We will need to configure interfaces for VLAN 13 (IT) and VLAN 5 (GUEST).

Go to the "Controller" Tab. In there, navigate to "Interfaces". There will already be at least two interfaces configured: "management", and "virtual" interfaces. In the picture below, I have many other interfaces configured (one for each VLAN I have) in our controller. For simplicity I erased them and showed only two configured - guest, and IT interfaces.

Each interface will have an IP address this is similar to assigning VLAN interface IP addressesin that they must be unique (not used), and is within the VLAN's subnet. Remember, the interface IP address is not the VLAN's default router / gateway, nor is it the IP address of any of the APs.

To create a new interface click "New" in the upper right corner (not shown in the photo above, but it's there). In the interface name, type "guest", and VLAN ID is "5" (since our Guest VLAN is 5), then click "Apply" in the upper right hand corner of the screen. You should be directed to a page like the one shown below. Put the IP address, Subnet mask, and DHCP server (we specified this in part 1):

Once completed, click "Apply". Then, repeat the configuration but this time for VLAN 13, IT. By the end of this exercise, we should have at least 4 interfaces: management, virtual, guest, and IT.

Now, we can configure our WLAN profiles:

4. Configure WLAN Profiles:

Go to "WLAN" Tab. Inside, click "Go" with "create new" shown in the dropdown list:

We will create two WLAN Profiles: GUEST, and IT. Both their SSIDs will be broadcasted (seen by wireless clients such as laptops, and mobile phones). First, let's create the GUEST WLAN Profile. As expected, the interface configured for GUEST is "guest" configured in step 3.

Profile Name - Can be anything. Let's be consistent and name it GUEST;
SSID - can be anything. It is the broadcasted name of the WLAN. In the example, we named it _GUEST;
Status - if enabled checkbox is checked, then the WLAN is useable. If unchecked, it is configured, but unuseable;
Security Policies - this will be configured in the security tab.
Radio Policy - determines if the AP will use 802.11a, ab, b/g/n, b/g. Let's stick to "all".
Multicast VLAN Feature - by default this is not checked (disabled). Multicast is required for wifi users using bon jour services (Apple TV, iTunes on the air), as well as other peer-to-peer services. Configuring Multicast VLAN features will be discussed in a separate topic.
Broadcast SSID - when enabled, broadcasts the SSID. Thus, wireless clients can see the SSID of this WLAN Profile. If disabled (unchecked), the SSID will not be broadcasted. Association can still be done by manually configuring the Wireless Profile in the client device. Note that SSIDs are case-sensitive.

The next step is to go to the "Security" Tab. We will configure GUEST with WPA/WPA2 authentication using a pre-shared key which you will specify. Keep the Pre-shared key secret and change it every once in a while.

The other authentication method is dot1x but we will discuss that in another post. For the meantime, we will stick with WPA/WPA2.

When finished, click "Apply". Repeat the steps this time, create aWLAN Profile named IT-Department with SSID as IT-Dept. Use interface "IT" configured in step 2 for the IT-Department Wireless Profile.This will tell the WLAN Controller that the WLAN profile IT-Department should be in VLAN 13.

5. Secure the WLAN Controller access

The last step is to change the configuration parameters of the WLAN controller. Go to Management Tab. There are a lot of options here but the basic yet important ones are as follows:

Under HTTP-HTTPS (left navigation pane) - disable HTTP Access and enable HTTPS Access. Set a Web Session Timeout (idle time when the user will be forced logout by the system
Under Mgmt Via Wireless - disable management via wireless. Access to the WLAN Controller therefore can only be done via LAN.

Congratulations! You just configured your wifi for two SSIDs on different VLANs.

Compelling Scoreboards Do Keep Projects on Track

2013-08-18T19:58:00.001+08:00

Technology management involves liberal amounts of project management. Like construction engineers and architects, we Technology Managers often find ourselves being asked to design technology solutions, and implementing these. But for most of us, driving projects to be completed on time, and within cost has proven challenging - especially in this era where most technology projects are implemented by vendors and outsourced partners.

Throughout the years, I found out that keeping a compelling scoreboard of the project not only helps me, as the Project Manager, keep track of its progress, but also elicits commitment from the implementing team, vendors included. It also helps in communicating the project's progress to other stakeholders (i.e. executives, other departments) easier. Keeping a compelling scoreboard is extolled as discipline three in FranklinCovey Institute's Four Discpline of Execution (4DX). While 4DX's approach is utilitarian and practicable, scoreboards (or dashboards) is not unique to 4DX. It is also espoused in various management cases and thesis (i.e. Project Management Institute, Balanced Scorecard, etc.). Although, it is in 4DX where the case of "scoreboards should be compelling", is consistently made.

Take the snapshot of the simple project management scoreboard below as an example. The template for this can also be downloaded (link provided below) to help you start your own scoreboard for your projects.

All effective scoreboards should follow the following characteristics:

It is easy to understand and identify where you are (your progress) at a given time.Within 5 seconds, the scoreboard should be able to tell you if the project is delayed or not, if we are at risk of cost overrun, and what are the other risks to watch-out for.
Only the necessary information is displayed. Very informative but not cluttered Put in the scoreboard only those scores agreed with all stakeholders as necessary to track. Show only the essentials. Notice that in the below screenshots, we do not track Cost Performance Index (CPI). This is as agreed with all stakeholders and primarily because the project is being implemented by an outsourced contractor paid on progressive billing based on milestone completions.
The Scores can be updated weekly - this is particularly important because what good is a scoreboard it doesn't give you the "score" on a regular and nearest-real-time possible. My personal belief in this matter is that scoreboards should give you at least a weekly status of the project. if you have automated tools, then daily updates are desirable.
The scores are directly influencable by the performance of the project team. The below picture may not show this obviously. But after a day of explanation and two meetings after, the stakeholders know immediately what they should do to get the score back to its "proper" level. The scoreboard can only be compelling if the participants feel that they influence those scores directly. That is, the score is tied to what they do, and plan to do in the ensuing days.
Which brings us to the most important point, the scoreboard should inspire /compel you to act. You will have to do some trial and error regarding this. Remember that a dashboard/scoreboard may be excellent for one team but not for another. Item number 4 above is the main driving force in making a scoreboard inspiring and compelling - the fact that one's action directly influences the score puts that person committed and immersed into the game. Although, in terms of making a scoreboard compelling, a little creativity also contributes significantly. It helps when you keep looking at the scoreboard not only because you want to see the score, but also because it is visually appealing and telling.

Some may observe that this is not the most compelling scoreboard/dashboard they've seen and I will agree. There are far more compelling dashboards out there. My main objective was only to give a preview and perhaps to drive a point. Our company has dashboards with race cars on it indicating the "sales",and a clear finish-line banner representing the year-end target. There are "pit stops" for the quarterly sales performance. I've also seen dashboards with motor gauges, and one that has flags with names of the teams represented by icons climbing a hill. Someone even placed a "barbie" as his icon.

I am not an expert to discuss the social psychology behind this, but in my experience, and in the experience of other people I helped create their own scoreboards - it works. Having compelling scoreboards help people become more attentive to the project's schedules and outcomes.

I would liken the experience to the competitive attitude observed among athletes. In sports, it is easy to determine what the score is. There is a huge scoreboard displayed prominently. Everybody knows the score and what it means to them individually. The coaching staff immediately knows if its time to call for a time-out, to substitute players, and leads him how to assess the gameplay at halftime. The players immediately know how they stand, the amount of effort they need, and if they should go defense or offense. Looking at the shot clock counter, they know if they need to shoot the ball; or, looking at the yard-line, the quarterback calls the best appropriate play. The audience too, knows when they should cheer louder, cheer defense, or offense, and whose name to cheer when needed. Keeping score also elicits the amount of dedication among the fans. All we need to holler at the end of the bar table is the score, and every fan knows what that means. Keeping tab of the score consistently even makes some of us instant game experts and analysts.

When I introduced the above scoreboard to vendors, attitudes changed. Knowing how the scoreboards would look like by our weekly reporting day (which is always a Thursday) compels them to act. Everyone is looking at the same data, and this reduces the length of meetings since we do not need to explain each others point-of-view regarding the status and progress of the project. Also,in a way, the meetings became more objective.

Every week, we spend 30-45 minutes discussing the completion of all tasks, and, "projecting" what items can be finished in the next week to get the scores (Schedule Performance Index, SPI) and EV at their proper levels.

Start practicing your creativity and create your own scoreboards for your Projects today. To help you star, you can download the above sample Project Monitoring Scoreboard here. This Excel workbook may not be the best tool you are looking for to "automate" your project plans. But if you are looking for a way to shorten your meetings and how a scoreboard can be done in Excel, then feel free to download the Excel file, study, and revise it as you wish. I hope this helps.

Build or Buy Analysis: Determining the True Cost of Software Development vs. Ready Made Solutions

2012-05-28T13:12:00.000+08:00

When faced with options to whether to build an IT system; or, to lease or subscribe to ready-made cloud-based solutions; most of us do what we were taught in management school. We open our poignant excel workbook, and compute the cost of the application by estimating materials and person-hours required to complete the project.

We do this by first forecasting the number of person-hours it would take to build the system. Then we put a certain monetary value to these person-hours, which is usually the average salary of the software engineers that will be hired to build the system plus a little overhead. We then put all the other necessary materials to finish the system such as cost of servers, peripherals, etc.

We then estimate the yearly cost of maintaining the system, which we usually approximate at 20% of the initial build cost. After which we pick a discounting rate ranging from 8% to 12% (10% is usually the sweet spot), and do a Net Present Value (NPV) calculation of the Total Cost of Ownership (TCO) of the system from year 0 (today) to year 4. We top it off by adding another 10%-20% contingency reserve margin to cover for ‘other unseen costs’.

After doing all that, we go window-shopping. We go through a list of cloud-based solutions and ask them for their subscription costs. We compare the yearly subscription cost for cloud-based solution A, B, C…. and the cost of building the system. Finally, we are ready to make a decision: do we develop our own custom application, or do we lease or subscribe to Software as a Service (SAAS) solutions?

If this is how you do decision analyses, I encourage you to look at the past 5-10 build-or-buy decisions you made. You will find yourself that often you decided to build the application either in-house; or, using outsourced development partners. Rarely (perhaps 10% or even less probability), have you decide in favor of cloud-based solutions.

I think this is because many of us forget to include in our decision analyses the “full cost”, including the cost of risks, in custom application/system development. Failing to account for project risks, and mitigating them, leads to costly IT Project failures.

Even worse, the true cost of custom application development only appears later, when project s are mid-way done, risks are starting to materialize, and your project stakeholders’ patience are taxed.

Here is a list of the usual items we fail to consider as part of the costs, and risks when developing applications and systems of our own. Make sure we account for all of them before making a decision. If we are relying heavily on financial analyses tools to such as NPV, payback, IRR, and TCO to make a decision, then it is imperative that we put dollar values into these risks such as approximating person-hours, including executive hours; hiring additional consultants and project implementers; and, cost of sub-projects required to complete the IT system such as infrastructure upgrades.

1.       Scope-creep and/or incomplete Requirements Specifications

Undoubtedly, scope-creep is the number one risk associated with IT build-out projects. Often, we are lulled into a false sense of belief that the required application or system is simple and thus will only take X person-hours, when in fact, it actually takes (X+Y)^Z person-hours.

Scope-creeping is when the project’s requirements kept changing even during project implementation. There are two main reasons for this: (a) the project is so delayed that the initial requirements are no longer relevant; and/or, (b) the project manager failed to fully understand the business requirements.

We should be obsessively detailed in gathering the project requirements. Immerse with the department sponsoring the project and discuss with as many stakeholders as possible. Define conflicting requirements from different stakeholders and resolve them properly. Make sure the business problem that the project wishes to address is fully understood. Define the current state versus the ‘future-state’ of the process once the IT project is in place.

2.       Failure to Consider Cost of Required Infrastructure Upgrade

Now that we are confident about the requirements, consider the load of the new system in the IT infrastructure. What are the system availability requirements for the new system? Will a Disaster Recovery Plan (DRP) be required? Do we need to increase WAN segment bandwidth due to heavy influx of users? The new system will require, power, rack space and IP addresses (private or public). At the least, an on-site web-server will need changes in the firewalls and edge routers. If we are unlucky, we may need more changes in the network routes, and Quality of Service (QoS) configurations.

We should identify and include the cost of these upgrades, including the person-hours and executive time required to implement the infrastructure changes. Remember that changes to the network often requires a lot of executive time. Change requests need to be discussed and approved, and a lot of documentations need to be accomplished before we can even add one configuration line in any of the network equipments. We should note this in our decision analyses.

3.       Underestimating the Strategic Relevance of the IT Project Resulting in Redoing the System/Application Over and Over again

The head of the Supply Chain Department came to the IT Head’s office and said: “we don’t really want a complicated system, just something we can use fast.” The IT department checked the requirements, and considered the minor infrastructure changes required; and they delivered the IT system fast, but a little messy – as requested. They authorized the cutting of corners and ransacked the best practice rule-book. No one’s the smarter. The department requiring the system loved it, despite its many bugs and the IT Head became their hero.

A couple of weeks after the system went live, the COO drops by the same IT Head’s office and told him the system worked so good, that the COO now wants it integrated into the entire Materials Planning and Manufacturing Divisions. The IT department now has two problems: (1) to be able to integrate the two systems, they have to recode at least 40% of the new system, then add additional modules required for the integration; and, (2) since this will be used by the entire operations team, they now need to fix those bugs which were previously ‘acceptable’ by the Supply Chain Department’s standards.

Six months later into the project, the CFO drops by the same office, and before the IT Head realizes it, they are now building an entire ERP system. The build-rebuild-integrate-rebuild cycle is costing their company huge amounts of time, and resources. Their IT department is also now exposed to the vicious cycle of firefighting – The IT operations teams kept resolving bugs, while the software engineering team keeps developing new modules.

We cannot emphasize more than enough the role of executive involvement (all of them, not just IT) in IT projects. The IT roadmap must be clear, and our role as IT executives is to communicate this roadmap. When one department asks for a quick solution, look back at the roadmap and communicate back when the solution will be made available. Building an enterprise system is like building a skyscraper. We can’t start building the penthouse without first building the lower floors. We should never fall prey to the ‘quick-and-dirty’ mantra – they don’t exist! An IT project can be finished quickly if it must, but never should it be dirty. We do not compromise quality.

When ‘forced’ to expedite the building of a system due to business necessities, we must take the larger picture into consideration. Of course we build it, but never lose site of the roadmap. Think of it as delivering the same roadmap but in phases. The system requested should scale to the larger requirement when the time to build the latter arrives. And the cost of the entire ‘build-scenario’ should reflect that.

Do VLANs Unduly Complicate the Network?

2012-05-06T17:43:00.001+08:00

Simplifying the IT infrastructure is among the top priorities of IT executives. Various surveys claiming CIOs are beginning to embrace Software as a Service (SAAS) models is actually proof that simplification of the infrastructure is a key objective. The more complicated the IT infrastructure becomes, the more expensive it is to maintain it. It also will take significantly longer person-hours to fulfill change requests.

As an IT manager, simplifiying my IT support structure is also one of my key goals. One of the most common discussion points regarding this subject is the number of VLANs required for a branch office; or, if VLANs are ever needed in the branch office network design.

My answer is always 'yes'. Surprisingly, I often find myself defending that position.

Simplicity is a function of necessity. To simplify means to design the IT infrastructure to fulfill only the required service level and, to make it easy to scale the infrastructure to increasing demands of the near future. To implement more than the required service level and business need is unduly complicating the IT infrastructure. It is a step farther from simplification.

While there are no fast rules as to how many VLAN count is the optimal level to qualify a network as ‘simple’, I believe quite the opposite. VLANs actually help in simplifying the IT infrastructure and ensures scalability for future expansions.

The three main reasons that necessitate the creation of VLANs are listed below. You will notice that even in the branch office, we will find ourselves utilizing VLANs for any one of these three:

1. to avoid mac-address-table and arp broadcast storms;
2. to simplify network security;
3. to simplify Quality of Service (QoS) implementations;

In a practical sense, a Local Area Network (LAN) is a group of computers whose IP addresses are within the same IP block. For example, if your computer has an IP address of 192.168.1.10, with subnet mask of 255.255.255.0, then all computers from 192.168.1.1-192.168.1.254 belongs to your LAN. That is, they belong to only one switching group, and communicate to each other by referencing each computer's unique network interface card (NIC) machine address, with the switchport where the NIC is directly connected to. This mapping of NIC mac-addresses to the switch's switchports are kept by the switch in a simple database called a mac-address-table. Since they do not communicate via their IP addresses, then they should find a way to reference an IP address with a corresponding NIC mac-address which is the only information relevant to the switch. To do this, the switch, and all computers in the LAN maintain another common database called the arp (address resolution protocol) table.

This brings me to the first reason why VLANs are configured:

1. to avoid mac-address-table and arp broadcast storms

This is the main reason why routers and VLANs were invented, and why it is not possible to build the internet using only switches.

As discussed, computers in a local area network communicate to each other only via their mac-addresses using a map being maintained by the switch called a mac-address-table. To do this, there should be way for a computer to reference an IP address with a mac-address. They do this via an ARP (Address Resolution Protocol) request. Let us assume a computer 'A' wants to ping another computer 'B' with an IP address of 172.30.1.105/24. Seeing they are on the same subnet (Computer 'A' has IP address of 172.30.1.102/24), Computer 'A' immediately knows it should communicate with the switch, not through the router. To communicate with the switch, Computer 'A' needs the mac-address of the Computer 'B'.

Here's what happens:

Computer 'A' composes a message: "Hey switch, what is the Mac-Address' of someone with IP address of 172.30.1.105/24? Can you check in your arp table?"

Switch responds with: "I don't know but please wait, I'll send everyone an arp request broadcast". He then broadcasts an ARP request. After all computers in the LAN finished responding to this broadcast, he immediately does two things:

(1) he sends an ARP response to Computer 'A': "I found it! Computer A, the mac-address of Computer B with IP address 172.30.1.105/24 is 00-1e-e5-69-1f-55; then,

(2) The switch completes his mac-address-table. After completing his mac-address-table, he again proceeds to do another broadcast, this time to inform all nearby switches that he has a more updated mac-address-table.

Computer 'A', completes his request and sends over packets containing the mac-address of Computer 'B' to the switch. The switch forwards the packet to the switchport using the mac-address-table he completed in the previous step.

The picture below summarizes how it works

Once the DHCP expires and everyone is sent a new IP address, the arp table on each computer also resets, and the entire request-broadcast-response-broadcast cycle is repeated.

To resolve the broadcast issue, we can either: (a) configure both the switch’s arp and mac-address-table expiration (Cisco refers to them as timeouts) to control the frequency of the MAC-Address-table and arp broadcasts; or, (b) separate the network into different segments via VLANs. For very large networks, we will need to do both.

If it still is not obvious how VLANs play a detrimental role in controlling the broadcasts, then imagine we have 200 nodes on DHCP and with multiple access-points over LAN and wifi. Whenever one user plugs his/her laptop from one area of the office to another, the computer and/or the switch (whichever is applicable) will do an arp request broadcast, and a MAC-Address-Table broadcast. So imagine what it will do to our network if 50 of those users move for whatever reason. We have 200 X 50 broadcasts = 1,000 arp broadcasts, and another set for as many switches for the mac-address-table broadcast. Then, of course we have another set of broadcasts when they move back to their permanently assigned workstations. Quite small, but note that we also have other broadcasts going on in the network such as IGMP, servers, clusters, etc. The broadcast problem increases exponentially as more elements are added to the network.

VLANs communicate via the router. They are on different LANs. So if we split the network in two VLANs, then the broadcast storms are contained in only one VLAN, while the other is unaffected. Therefore, as the network grows, it becomes necessary to segment the network into VLANs and keep this broadcast storm in check. I suggest one VLAN per group of 200, at least (depending on usage, and degree of security required).

2. to simplify network security

Suppose that in our company, the Marketing Department is allowed social networking sites (twitter, facebook, google+, etc.), but the rest of the organization is not. How do we do it? We can either: (1) Configure a by AD user account/group account URL filtering (assuming our UTM appliance is equipped with that); or, (2) we can do it via VLANs (which every UTM and transparent proxy appliance can implement). Judging just by how many components are needed to configure both, then the latter (configure VLANs) is conclusively the simpler.

There are also other issues. Trunk traffic is passed from one switch to another via VLAN 1. Thus when VLAN 1 is compromised, everybody is compromised. What I do is I move the native VLAN to another VLAN, and simply make VLAN 1 a 'parking vlan' (in other words, a VLAN assigned to unused switchports).

And here is my favorite VLAN security implementation – I simply deny all inter-VLAN access (except to the servers). That way, no one from the other VLAN can sniff through the other. This is important when some techie staff tries to sneak into executives’ skype conversations, or files (yes, you can sniff through skype chat history of another person on the network provided you have access to their computer, check out how in my other blog here). This also servers as defense when one VLAN was compromised (malware, DoS attacks, etc.).

3. to simplify Quality of Service (QoS) implementations

In our company, we have normal traffic, and VoIP. The traditional way of doing QoS is by configuring DSCP diffserv tagging on every switchport (every switchport, not just where the VoIP ports are); then do prioritization and bandwidth shaping at the ingress direction of the router interface. But if the only traffic we need to tag for priority are VoIP traffic, then its simpler done via VLANs. We simply: (1) put all VoiP and similar traffic in one VLAN; (2) disallow inter-VLAN communication; then, (3) prioritize traffic on a per VLAN basis.

Therefore, even in small branch offices with less than 100 network elements, if we have any one of the reasons stated above, we will need to apply VLANs. I doubt if there is any type of enterprise level network, even in the branch-level, that would not benefit from implementing VLANs. I sincerely would love to hear your opinion on the matter so if you have one, please post a comment and let's start discussing.

How to Access Skype Chat History of Another Person or PC.

2012-04-26T23:56:00.000+08:00

Internet messengers (IM) indeed made the world smaller, and skype is undoubtedly the major contributor to this phenomena.

Skype is simple to use, and hard to block. With skype, you can do free calls and videoconferencing; share your desktop; and, share files such as documents and photos with any other skype users anywhere. Skype has the ability to use any available open port to communicate to the internet which made it a bane for traditional port-based firewalls to block (a headache for most network engineers).

But is skype safe?

We can download various tools over the internet to sniff through ICQ, YM, and Windows/MSN messenger chat and calls but rarely do we see tools that can do the same for skype. Skype's chat history and voice calls and logs are encrypted -- but that doesn't mean they are hack free.

Given the proper privileges and access to the network, UCSniff (http://ucsniff.sourceforge.net/) can be used to eavesdrop for skype voice calls in your network.

This article will show you one procedure how you can check the Skype chat history from your (or someone else's computer). Someone who can access your computer can literally check for skype conversations, even with skype turned off. Even worse, it can be done without you knowing it!

Update: 5/10/2012: Before I illustrate how, I would just like to add that this is not (supposedly) a viable hack since by default (off-the-shelf), operating systems do not allow other computers in the network to access non-shared folders, especially program files. However, when joining computers in a domain, the default security settings are changed. IT personnel should be made aware of the risks involved and act accordingly. I tried this on two different companies corporate network with standard security implementations on domain levels, firewalls, etc. and the procedure was successful. At least the inter-VLAN access-lists was successful in preempting this (please check my other blog about why VLANs are necessary here).

Here's how:

1. Download Skype ChatSync Reader

2. Go to control Panel >> Folder options >> View Tab. Tick "Show Hidden Files and Folder" and uncheck "Hide protected operating system files".

3. Navigate through the following (by typing it in run, or simply using windows explorer):

for Windows XP: C:\Documents and Settings\<user_rofile>\Application Data\Skype\<login_name>\chatsync
for Windows 7: C:\Users\<user_profile>\AppData\Roaming\Skype\<skype_login>\chatsync
If you are accessing a different computer within your network, replace "C:" with " \\<IP address or Host name>\c$". Thus the link becomes:\\<IP_address or Host_name>\c$\Users\<user_profile>\AppData\Roaming\Skype\<skype_login>\chatsync

Note: Replace the items marked with '<>' with the proper account names.

4. You will see a number of folders inside. Each folder contains chat history for a specific day. Choose one and open it. Inside, you will see a bunch of *.dat files. You can attempt to open it in notepad or any text editor and you will only see unreadable characters.

5. In the windows explorer address bar, copy the entire address.

6. Open Skype ChatSync Reader (the file you downloaded in step 1): and paste the address you copied in windows explorer in the space provided. You should be able to read the skype chat history as per the photo provided.

To protect yourself from this kind of intrusion:

1. Disable Skype chat history. Open Skype. Click Tools >> Options. In the left panel, choose Privacy. Then, on the right panel, click show advanced options. Under 'Keep history for' dropdown box, choose never, then click on "Clear History".

2. Do not share your folders unwarranted. Do not play around with your file permission. Better yet, do not make your account an administrator (if you need to, have another administrator account but use a normal account in your daily activities).

3. Always make sure you have a workstation firewall enabled. For Windows 7 users, do not disable UAC (Use Account Control) settings.

4. For domain environments: make sure proper GPOs on securing folders are in place. Some of the basics are: (a) do not allow changing of folder options; (b) do not allow sharing of system files; (c) no administrator access to all computers except local login; disallow escalated privileges/permissions/rights.

5. It is hard not to provide local IT with escalated privilege. If it is necessary, ensure that proper guidelines and audit mechanisms are in place.

*Special thanks to my friends who shared this with me, and helped me prove this procedure is viable.

Practical SSH Tunneling: Using Putty to Bypass Web Filters and Firewalls

2012-04-14T00:16:00.003+08:00

About SSH v.2 and SSH tunneling

SSH (Secure Shell) was an Internet Task Force (IETF) protocol for encrypting traffic to access a remote host. SSH v2 standard came out in 2006 and is incompatible with SSH v.1. Version 2 uses Diffie-Hellman (DH) key exchanges to create a tunnel between a client and a server. Thus, SSH works very similary like a VPN and was, in fact, called a poor man's VPN. SSH has lower levels of security and encryption than VPN. Apart from that, I don't really know the exact difference between an SSH tunnel and a VPN and if you happen to do, please feel free to post a comment or link to your blog/article that explains SSH versus VPN.

SSH v.2 is both a boon and a bane for network engineers. I've been using SSH v.2 to do a myriad of things, some of which to purposely circumvent network policies that would normally disallow people to access other parts of the network. For this article, we will use SSH tunneling to bypass corporate firewall and webfiltering. This is possible using any Web Socket capable browser such as Mozilla Firefox and Opera (I've heard Google Chrome will support it soon).

Using SSH tunneling (only possible with SSH 2), we can 'piggy-back' traffic bound for different ports and redirect them to another destination which, your computer may not be allowed, but the remote server connected via SSH, can. Among the most common uses of SSH tunneling are:

1. As a proxy server to bypass your local web filtering;
2. As a poor man's alternative to VPN -- make other people connect to another computer your computer normally cannot communicate to,
3. to create IMAP connections to an email server,

Disclaimer: This article is to show how SSH can possibly compromise network security. I do not encourage anyone to use SSH as a proxy, nor do I espouse a culture where one arbitrarily bypasses network security at will without any contructive purpose (to hack just because you can). A network or security engineer can always use UTMs, access-lists, firewalls, IPS, etc. to block SSH connection to and from a network.

How to use Putty to configure SSH tunneling and bypass the firewall and URL web-filtering.

For this to work, you will need Putty (download at: http://www.putty.org/). You can also use any other SSH client programs such as bitvise tunnelier, but note that the screenshots below show Putty. You will also need a server which you can SSH to. This server should be outside your company's network (e.g. home computer, another website, friend's router, etc.)

1. Open Putty. In the main window, under host, type the IP address or hostname of the server you will be connecting to via SSH.

2. At the left side of the screen, click connection >> SSH >> tunnel. In the 'Source port' enter 8080 (or any port number you wish that is above 1028). Leave the 'Destination' blank but choose the radio buton 'Dynamic'. Click Add. Then, at the left side of Putty, navigate back to session (where you were before when you typed the hostname or SSH server's IP address), and save the profile. Finally, click 'Open'.

3. After you clicked 'Open', a black box appears showing your SSH session is successful. you will have to enter the remote server's SSH login credentials (username and password). Make sure you are logged in to the remote server.

4. Once connected to the remote server via SSH, open Mozilla Firefox. Under 'Advanced' tab, choose 'Network'. Inside the 'Cnnection' box under the Network tab, click settings. A new menu box will then appear. Fill the boxes up as shown in the photo below, except that under port, you should put in the port you put in the SSH >> tunnels configuration box before you made the SSH connection in Putty. in our case, it was port 8080.

5. Close all dialogue boxes (but keep the putty SSH connection open). You can now surf using Mozilla Firefox without being filtered by your corporate firewall.

If you are going to use SSH tunneling for something else apart from using it as a web socket proxy, remember step number 2 above. This time instead, check all boxes, and choose the "Local" radio button instead of "Dynamic" radio button. In the "Destination" textbox, enter your destination in the format <ip address>:<port number>. Thus, if you are connecting to the remote server's MySQL port (port 3306) for example, you put <IP Address>:3306. Save the session, then repeat steps 3-4. You should be able to use the new port pairing as your redirection pair. That is, if you connect to your local computer's IP address via the <source port> you will instead be redirected to the <destination server:port>.

We can give more examples in our next posts. If you have questions and need some examples, feel free to post it under comments.

Paypal Spoof: How I knew the Paypal email I recieved was fraudulent

2012-04-11T23:16:00.000+08:00

I had a recent experience with email spoofing involving Paypal, and I would like to share how I recognized the email as spoofed and thus was fraudulent.

My wife was selling her Macbook. Like most Gen X/Y couples do, we posted her for sale Macbook on eBay, and other trading sites. Two days later, we received an email from someone with a yahoo account asking what the prices would be in US dollars, including shipment to Nigeria. He didn't give a name and he didn't leave a shipping address. We told him the price would be US $450, but that he will have to shoulder the shipping cost depending on the address, and his favored shipping method/company would be. He said he wants to transact via Paypal, and even offered to up the price to US $580 including shipping cost -- what generosity.

So that night, I sent him an invoice from my Paypal account. 24 hours past and I received a notification claiming to have come from services@intl.paypal.com informing me that payment had been made. Careful examination reveals it was a spoofed/phishing email. He was bamboozling me! Here's how I immediately knew it was fake (click the picture to enlarge):

1. The email address was spoofed. Email spoofing is when one attempts to hide the true email that was used. In an email header, the email address is shown as "My Display Name <my@email-address.com>" Thus, in my supposed Paypal payment notification email the display name is "services@intl.paypal.com" which coincidentally is the email where correct Paypal notifications are sent with. The email address with which it was sent with (inside the "<>" characters) was customerservice@accountant.com (not a correct email for Paypal). BUT, when you reply to this email, you will have a reply to email address of "customer_agency@consultant.com! So which is which? Highly suspect indeed.

The General Rule: Reputable websites have the same web name, email address, email address display name, and any other name they have in the web. These companies go out their way to ensure they have a single name-presence in the internet. They pay money to buy all domain names relevant to their canonical (aka commonly used) name. Besides, search portals such as Google works best with consolidated domain names. It doesn't make sense for these websites to use any other name.

2. PENDING status?? As far as I know, there is no notification for a pending status in Paypal. I don't think there ever was. I admit though that I may be wrong, so I examined other fields as well.

3. Payment approved but not reflecting in Account until shipment tracking confirmation was sent? I was using Paypal for quite some time and I never saw that particular status. I don't think this status ever existed.

The General Rule: When in doubt, open your Paypal account and check the status directly there. Your paypal account should contain the correct status. Just to be sure, wait a few hours (sometimes they take time to update). In my case, I waited a day. But the status still remains "unpaid" and even "Overdue". This rule applies to all other web-based portals and payment tools. Don't click the link nor trust the email. Go directly to the payment portal website the old-fashioned way -- by typing the URL in the URL bar. That should be safe -- at least until the site itself was hacked or their domain name was hijacked.

3. Questions? Contact our customer center at customer_agency@consultant.com. We discussed domain names in the first item. This is suspect. why wouldn't their customer center be customer_center@paypal.com? But what really caught my eye was the fact that the original Paypal account never encouraged recipients to reply to their emails. They instruct Paypal account owners to login directly to their paypal accounts and check the status there. They tell Paypal users to instead use their online help center inside their Paypal accounts. In fact, they give you all other options to contact them but explicitly tell you not to reply to their emails.

The General Rule: This is the golden rule when transacting online. Be familiar with how your online payment sites work! Be a killer for details. After all, its your money. If you're using your bank's online banking facility, ask the bank what normal notifications should look like. Be familiar with every detail on the email invoices and notifications. Ask your friends what their invoices and notificaitons would normally look like and check if yours is suspect. Most importantly, when in doubt -- do not transact online.

I immediately forwarded this email to spoof@paypal.com and they replied a day later confirming my suspicions. I was glad I waited. Be careful with these kind of transactions because the supposed buyer harasses you via email demanding the shipment tracking details claiming they already paid. They know that the next 48 hours is crucial. If they don't close the con within 48 hours, chances are they will be caught. Thus in my case, the supposed buyer even threatened to report me to the FBI for allegedly defrauding him of US $580.00.

Detecting fraud is more akin to social skills rather than with one's technical skills -- and that is true when doing online transaction as it is true when transacting with people face-to-face. The fact that my supposed customer was overtly generous should have already made me suspect him. You can be generous with charities. You can be generous with family. But will you offer unsolicited generosity on a faceless online seller you didn't know? Also, him not telling us what his real name was a major red flag.

It takes great effort to lie. That's why we call cons artists. But lying in the internet is easier due to the faceless interaction. Then again, there are ways we to catch one fraudulent transaction over the internet. Even over the web, transactions are still personal. Follow your gut, have the sense that is common to all, study the person/company/website you are transacting with, be a sucker for details; and, when in doubt, don't.

Diablo III Will Be Available in Manila Stores May 15

2012-04-08T11:18:00.000+08:00

Diablo III will hit stores in Manila, Philippines May 15, 2012 – the same day Blizzard announced the much-anticipated sequel to its successful Diablo series in North America.

I can’t help it. I just have to blog it. I was hoping to write something else – something more attuned with my network engineering blogs. Then it happened. I was walking at the Annex of SM North Edsa with my wife when I saw a box of Diablo III prominently in display on ‘i-Tech’ (I know, it seems hip nowadays to name everything with an ‘I’: like i-Surprise, or i-Eager ; but that’s for another blog). The shop was offering reservations for P500.00 (~US $12.00). Prudence got the better of me and held back on the reservations since the shop can’t give me any specific price for the retail yet. The shopkeepers was ‘guessing’ that the retail price is somewhere in the P2,500 range (~US $59.00). If that would be true, then the price is less than Starcraft 2, Wings of Liberty that I bought for about P3,000.

It had been more than a decade since I last played Diablo II. I was at the University then, I was constantly juggling playing through Starcraft, Diablo and Counterstrike – that is, I would play any of the three depending on what my other ‘team mates’ would like. When you grow tired of playing the standard game, play hardcore – just make sure you immediately pull the power off the PC when your character is about to die. Better yet, play around the platoon of character editors available and give your Barbarians ‘Paladin auras’, or your favorite characters all the money and items you can ‘create’.

I loved of all of it – the good and the bad. I loved the boring game mechanics of hacking through a throng of enemies to level up; the single story line; the simple and un-unique way of building your character classes; and, the single game play view. I can go all day about how many other role-playing hack and slash games there are at the time, but Diablo is the game we play – I don’t know why, but it’s just it. The same way people liked Mario and Luigi perhaps. Diablo was not the best in its genre in terms of game-play mechanics, story plot, or visuals. But it was engaging. For us back then in 1999-2000, Diablo II was among the best of its kind.

Diablo III will be true to its classic form. A hack and slash genre of game that features five (5) character classes. Of the five character classes, only one character class will make a comeback. The Barbarian class debuted in Diablo II and is now back in third installation of Diablo. All the other four characters are new. In my humble opinion though, they seem to be rehashes of the old character classes.

I was a little disappointed that the Paladin, a mainstay in past Diablo series, is absent in Diablo III. You would have loved the way it hacks and slashes through all those bugs. He is the beacon of light in the middle of a swarm of insect-like things (more like cockroaches). He just can’t be killed. I was hoping the new class Demon-hunter would be like the Paladin but more mean-bad-ass type. However, the Demon-hunter is more like an archer/hunter type of class. In fact, Blizzard seems to have removed any cavalier knight-type class in Diablo III! Nevertheless, this would definitely be the character class I will try first in Diablo III.

The Witch doctor seems to imitate the makings of the Necromancer class but Blizzards is fast to clear out that the Witch Doctor is not meant to replace the latter. Blizzards, even hinted that the dead-animating spell-caster might return in subsequent expansions of Diablo III. The Wizard looks like a version of the Sorceress (or Sorcerer in Diablo I) with most of its spells based on the elements.

Now the Monk is an all-new class altogether. Blizzards characterization of Monk as a character capable of “rapid-fire attacks unarmed or with a variety of well-balanced weapons”. After I grew tired of the demon-hunter, I’ll try this out. I am guessing this is the new class to beat in PvP.

The new game mechanics is also a welcome change. All character classes can now be started in any gender (male or female). Each character now has a group of abilities that require other ‘sources of power’ other than mana. I’m not sure how this works but the way it’s described, it is a potential way of making each character builds unique. I’ve heard that Blizzard has customized a new graphic engine and will not be using the old Havoc engine.

Deckard Cain also makes a comeback. He should already be an immortal – having been present in all Diablo series. It would be good to have a secret level where players can control Deckard Cain. Perhaps Blizzard can include a three-level dungeon where players can level-up, equip, and smash through enemies using the Deckard Cain. That is wishful thinking but still nice to have in future expansions.

You can check more of Diablo III on its official website at http://us.battle.net/d3/en/.

If you do not have a WOW annual pass (because if you do, you can get Diablo III free), you can call i-Tech at +632 332 2871 to make a reservation for P500. The store’s not mine so I don’t get anything for posting them.

Come on guys (and gals). Don’t play copyright-infringed copies of the game (aka pirated). We had fun in our days but now, I’m sure we can spare some few bucks for it. After all, if it is really good, it is worth buying. If not, why bother? J

Interconnecting Different Sites Using VPN Hairpinning with Cisco ASA Sample Configuration

2012-04-06T21:17:00.000+08:00

This is my first post in my newly created blog and I thought of sharing a project I did back in 2007. I was then working for a Danish company who have offices, and clients, in North America, South America, Europe, Asia, and Africa (North and East Africa to be more specific).

The problem was how to interconnect all our offices and clients in these 5 continents fast, and inexpensively. We had support centers in Denmark, US and the Philippines and all our support personnel, and subject matter experts need to have access to the company's servers and systems deployed inside client's data centers scattered worldwide. We need to be able to SSH the servers; access the web and databases of the system; and, access server iLO (HP servers' integrated lights out) and KVMs. The inexpensive and fast, yet secure solution, is VPN.

VPN is fast to deploy, is secure, and -- as most finance directors would like -- inexpensive. Do note that VPN is not the best solution when involving latency-sensitive traffic such as VoIP, and videoconferencing. For brevity, I did not include all other ASA configurations such as hostname, domain, and Firewalls. We will only show the VPN configurations and other relevant configuration lines.

The Scenario:

A certain Company ‘A’ has a Regional Office Headquarters (RoHQ) in Singapore that needs to access servers and systems deployed to a client in the US. Company ‘A’ has a contact and support center in the Philippines who also needs to access the system deployed in our US-based client. As is the usual case, both companies agreed that their respective networks should be NAT-ed to a public IP address.

The setup is illustrated in the diagram above. Our objective is to make the Local Area network (LAN) 10.5.0.0/16 in Philippines, be able to communicate with Singapore’s LAN at 10.1.0.0/16. Both the Philippines and Singapore offices should be able to reach the system deployed in our US-based client whose 'NAT' IP address is 111.22.33.49. All IPs communicating to 111.22.33.49 should be NAT-ed to 202.11.22.34. For simplicity, no NAT should be applied for Company ‘A’’s traffic from and to Singapore and the Philippines.

As already mentioned, our solution is to interconnect all sites using VPN hairpinning over a hub and spoke topology. Traffic from the Philippines will be routed first to Singapore whose VPN concentrator processes the packets, and forwards them to the US-based client when applicable. The Singapore RoHQ network in this scenario is the hub while the Philippines and US-based client as the 'spokes'.

Here is the configuration for the topology shown above. Command lines starting with ‘!’ are comments or documentations. They serve as guides and instructions for us to understand the reason why each line of the configuration was given.

1. Relevant VPN Configuration for ASAFWSG1

!First, we configure the interface names.

!this is how ASA works –

!by interface names and security levels

Interface Ethernet0/0

Description #TO INTERNET#

Nameif outside

Security-level0

IP address 202.11.22.33 255.255.255.240

Interface Ethernet0/1

Nameif inside

Security-level 100

IP address 10.1.0.254 255.255.255.0

!As discussed, hairpinning works by routing traffic...

!through the same interface

!thus it is necessary to allow same-traffic intra-interface.

Same-security-traffic permit intra-interface

!Now we define the VPN. There are two VPNs, one to ASAFWPH1

!and another to Client US (host name not provided)

!Let us start by defining the Encryption Domains…

!(aka CryptoAccess-List)

!Notice the presence of both US and SG…

!subnets in both Crypto ACL, and their NAT IPs

Access-list TO_ASAFWPH1 extended permit ip 10.1.0.0 255.255.0.0 10.5.0.0 255.255.0.0

Access-list TO_ASAFWPH1 extended permit ip host 111.22.33.49 10.5.0.0 255.255.0.0

Access-list TO_US-CLIENT extended permit ip host 202.11.22.34 host 111.22.33.49

!Next we define the VPN profiles

Crypto ipsec transform-set AES128-SHA esp-aes-128 esp-sha-hmac

Crypto map VPN-OUT 1 match address TO_ASAFWPH1

Crypto map VPN-OUT 1 set transform-set AES128-SHA

Crypto map VPN-OUT 1 set peer 122.33.22.11

Crypto map VPN-OUT 2 match address TO_US-CLIENT

Crypto map VPN-OUT 2 set transform-set AES128-SHA

Crypto map VPN-OUT 2 set peer 111.22.33.44

Crypto map VPN-OUT interface outside

Crypto isakmp enable outside

!Notice that there is only 1 crypto isakmp policy.

!the phase 1 policy profile is only needed configured once.

!All other VPN connections can re-use the ISAKMP phase1 policy

Crypto isakmp policy 1

Authentication pre-share

Encryption aes-128

Hash sha

Group 2

Lifetime 86400

Tunnel-group 122.33.22.11 type ipsec-l2l

Tunnel-group 122.33.22.11 ipsec-attributes

Pre-shared-key S@mpl30nlY

Tunnel-group 111.22.33.44 type ipsec-l2l

Tunnel-group 111.22.33.44 ipsec-attributes

Pre-shared-key @$@gr33dW!thCl!3nT

!Now that the VPN is already configured for both…

!we will configure NAT

!But first, we will have to define the access-list…

!that defines what segment will be NAT-ed and what not

Access-list NAT_EXEMPTION extended permit ip any 10.5.0.0 255.255.0.0

Access-list NAT_TO_US-CLIENT extended permit ip any host 111.22.33.49

!Now we define the NAT by mapping the nat to a ‘global’ policy

!This is the NAT for the internet corporate users. ALL USERS

nat (inside) 10 0.0.0.0 0.0.0.0

global (outside) 10 interface

!In ASA Nat 0 means that no NAT will be applied

nat (inside) 0 access-list NAT_EXEMPTION

!This is the NAT that applies for Client-US bound traffic

global (outside) 2 202.11.22.34

nat (inside) 2 NAT_TO_US-CLIENT

!Here is a ‘NAT-deflection’ configuration

!This is needed because you will have to NAT…

!traffic from Philippine Branch inbound to Client-US

nat (outside) 2 NAT_TO_US-CLIENT

2. Relevant VPN configuration for ASAFWPH1

Interface Ethernet0/0

Description #TO INTERNET#

Nameif outside

Security-level0

IP address 122.55.19.33 255.255.255.240

Interface Ethernet0/1

Nameif inside

Security-level 100

IP address 10.5.1.254 255.255.255.0

!The configuration only mirrors that in ASAFWSG1 appertaining…

!to configurations directed to PH

Access-list TO_ASAFWSG1 extended permit ip 10.5.0.0 255.255.0.0 10.1.0.0 255.255.0.0

Access-list TO_ASAFWPH1 extended permit ip 10.5.0.0 255.255.0.0 host 111.22.33.49

Crypto ipsec transform-set AES128-SHA esp-aes-128 esp-sha-hmac

Crypto map VPN-OUT 1 match address TO_ASAFWPH1

Crypto map VPN-OUT 1 set transform-set AES128-SHA

Crypto map VPN-OUT 1 set peer 202.11.22.33

Crypto map VPN-OUT interface outside

Crypto isakmp enable outside

Crypto isakmp policy 1

Authentication pre-share

Encryption aes-128

Hash sha

Group 2

Lifetime 86400

Tunnel-group 202.11.22.33 type ipsec-l2l

Tunnel-group 202.11.22.33 ipsec-attributes

Pre-shared-key S@mpl30nlY

!NAT EXEMPTION also needs to be done.

!Notice that even traffic to US-CLIENT is NAT-EXEMPTED

!Traffic to US-CLIENT will be NAT-ed in ASAFWSG1

Access-list NAT_EXEMPTION extended permit ip any 10.1.0.0 255.255.0.0

Access-list NAT_EXEMPTION extended permit ip any host 111.22.33.49

nat (inside) 0 access-list NAT_EXEMPTION

nat (inside) 10 0.0.0.0 0.0.0.0

global (outside) 10 interface

3. Relevant VPN configuration for US-CLIENT

!Again, the configurations are the same

!For brevity, we will include only the VPN…

!and NAT configurations

!Besides, we normally do not really know the VPN…

!configurations on the client side.

Crypto ipsec transform-set AES128-SHA esp-aes-128 esp-sha-hmac

Access-list TO_COMPANY-A extended permit ip host 111.22.33.49 host 202.11.22.34

Crypto map VPN-OUT 1 match address TO_COMPANY-A

Crypto map VPN-OUT 1 set transform-set AES128-SHA

Crypto map VPN-OUT 1 set peer 202.11.22.33

Crypto map VPN-OUT interface outside

Crypto isakmp enable outside

Crypto isakmp policy 1

Authentication pre-share

Encryption aes-128

Hash sha

Group 2

Lifetime 86400

Tunnel-group 202.11.22.33type ipsec-l2l

Tunnel-group 202.11.22.33 ipsec-attributes

Pre-shared-key @$@gr33dW!thCl!3nT

Access-list NAT_TO_COMPANY-A extended permit ip any host 202.11.22.34

nat (inside) 2 NAT_TO_COMPANY-A

nat (inside) 10 0.0.0.0 0.0.0.0

global (outside) 2 111.22.33.49

global (outside) 10 interface