Duncan's techie blog

blocking request range attacks on Apache

2011-09-06T05:54:00.000-07:00

There are a number of ways to block attacks using the recent request range byte attack, best of all is upgrading or patching Apache to fix the issue.

Some versions are easier than others to confgure if you can not patch or upgrade.

In particular Apache 2.0.49 does not have some of the features required such as the option to use RequestHeader with an environment variable.

Below is the code I have used to block requests with more 10 or more byte ranges or using the HEAD method to request byte ranges (as that seems a little pointless).

It also logs all such requests to a specific log file.

SetEnvIf Range (^bytes) bad-range=1
SetEnvIf Request-Range (^bytes) bad-range=1
SetEnvIf Request_Method "GET" !bad-range
SetEnvIf Range (,.*?){9,} bad-range=1
SetEnvIf Request-Range (,.*?){9,} bad-range=1
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

#Not available in Apache 2.0.49
#RequestHeader unset Range env=bad-range
#RequestHeader set Range "badrange" env=bad-range

RewriteEngine on

RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,9}$|^$)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} !(^bytes=[^,]+(,[^,]+){0,9}$|^$)
RewriteRule .* - [F]
RewriteCond %{HTTP:range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]
RewriteCond %{HTTP:request-range} (^bytes=)
RewriteCond %{REQUEST_METHOD} ^(HEAD)
RewriteRule .* - [F]

I've simply put this in httpd.conf using an include file before my NameVirtualHost options and then in each virtual host I've added

RewriteEngine On
RewriteOptions Inherit

Hope its of some use!

using recaptcha with sun one (chilisoft) asp

2011-09-06T05:46:00.000-07:00

I've visited using recaptcha (captcha) with sun one asp a number of times and never got it to work but finally I worked it out and here is how.

You can use the standard classic asp code on googles web site.

http://code.google.com/apis/recaptcha/docs/asp.html

All you then need to change is one line of code

Replace

Set objXmlHttp = Server.CreateObject("MSXML.XMLHTTPRequest")

with

Set objXmlHttp = NewJavaObject("com.sun.msxml.XMLHttpRequest")

You then need to update the bean policy file and add two new lines.

/opt/casp/asp-server-3000/bean.policy

permission java.util.PropertyPermission "*", "read,write";
permission java.net.SocketPermission "*", "connect,resolve";

You then need to configure sun one asp to enable java beans and enable the java security manager via the management interface. It will prompt you to restart the asp server which needs to be done to pick up the changes.

Once thats all done your captcha code should work on sun one asp 4.0.3.

sendmail disable authentication on external interface

2010-05-06T03:00:00.000-07:00

Since we opened some of our servers to accept incoming mail we have noticed that we get a lot of AUTH attacks.

This results in messages like the following in our maillog

May 6 08:41:18 asa3 sendmail[20544]: o468f4FG020544: [189.3.123.235]: possible SMTP attack: command=AUTH, count=4

I've not found a way of simply telling sendmail to block an ip for a period when it detects more than 'n' AUTH failures.

As we don't use AUTH on the external interface as we just accept incoming email for a limited number of accounts I decided to disable AUTH on the external interface.

I edit /etc/mail/sendmail.mc and modified the Daemon Port settings as follows:-

Original
========
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl

Amended
=======
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=x.x.x.x, Name=MTB, M=A')dnl

As you can see I simply updated MTA for the loopback address and created a new MTB which tells sendmail to listen on the external IP (x.x.x.x) but disables AUTH by specifying the M=A option.

Once thats done, I simply ran make and restarted sendmail.

Everything works as before except the AUTH command is now rejected by sendmail on the external interface as can be seen below.

# telnet x.x.x.x 25
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 x.x.x.x ESMTP Sendmail 8.13.8/8.13.8; Thu, 6 May 2010 09:56:49 GMT
helo yyyyy
250 x.x.x.x Hello yyyyy, pleased to meet you
AUTH PLAIN AGptczFAam1zMS5uZXQAbm90Lm15LnJlYWwucGFzc3dvcmQ=
503 5.3.3 AUTH not available

iphone 3gs signal issues - don't buy one!

2010-03-02T02:17:00.000-08:00

I waited a long time before deciding to buy an iphone, it was the perfect choice for what I needed to do and meant I could carry one device rather than a number, it fitted by purpose for work and pleasure. I avoided jumping on the bandwagon as an early adopter and thought the 3GS would be no problem.

How wrong I was! From the moment I switched it I had signal issues, there was of course the customary run around from Vodafone and Apple, denial of issues, then a sort of acknowledgement from Vodafone of issues but still no acceptance of a fault from Apple. Anyway after a week of frustration, phone calls, emails, a trip to the apple store to see a genius and swap the phone I've had enough and returned it.

The issue.

My work is 0.5 of a mile from a mast, pretty much clear line of sight, my home is 0.9 of a mile away from the same mast.

On a normal nokia phone I get a good signal, have no issues making calls, getting texts etc.

Move over to the iPhone 3GS using the same sim and I basically can't make a call or send a text.

Sat on my desk the iPhone 3GS shows 2, sometimes 3 bars, if I am unlucky it will roam to 3G where it just has a signal. Picking the phone up results in the loss of at least 2 bars of signal within 30 seconds or so. You can see the problem can't you, lose 2 to 3 bars of signal and guess what you have no signal the call is dropped and the phone starts searching for a signal.

It appears having the phone in your hand covers the aerial and reduces the signal, hardly a clever design for a hand held device.

I also tested the same sim in a friend's iPhone 3G, sat in the same place on the desk it shows 4-5 bars much like my nokia.

Surprisingly it also exhibits the pick up issue, when in hand it loses up to 2 bars of signal depending on how you hold it. Its not of course so noticeable as you have 4 or 5 to start with so can still make and receive calls.

There is also an issue with the way both phones roam from 3G to 2G, it takes the phone an age to realise its lost its 3G signal and then swap to 2G, in my experience it normally says searching in between, so you can expect to drop a call if it happens. This can easily be reproduced by switching off your suresignal box and seeing how long after that it is before it drops the 3G signal and reverts to 2G on your local mast.

So it would appear:-

The iPhone 3GS can only be used in very high signal areas (5 bars +).
The iPhone 3G can only be used in medium signal areas (3-4 bars +).
Signal loss detection is poor and switching between 2G and 3G is poor.

Switch off 3G on a 3GS unless you are using it and are stood by a mast. The 3GS appears to strongly favour a 3G signal even when it only has one bar, if you then pick up the device you will lose your signal and it will roam to 2G. Better to have it on 2G all the time - but then why have a 3G phone!

Vodafone will offer you a suresignal box to 'boost' your signal, except it doesn't boost your signal it creates you your own mast in your house routed over your internet connection. What doesn't occur to Vodafone is that if you have a signal issue at home you likely have one down the local pub, the gym, and everywhere else you go locally. So in reality it solves nothing, probably why no one else has adopted them. It also means you somehow need to keep 1mb/s of your bandwidth free per phone, how do you accomplish that? If someone starts a large download you can forget using your phones!

After much pressing I've finally managed to be allowed to return the item to Vodafone and cancel the contract without paying a £500 early termination fee. My suggestion is you mention the distance selling act (if you bought it remotely) and the consumer protection laws (such as being fit for purpose which it clearly isn't).

Apple seem to be in denial and trying to cover the issues with the iPhone and in particular the 3GS up. My phone was swapped instantly at the Genius bar but the new one was no different. I rang the next day to see if anything could be done but other than offer a suresignal there was no alternative and although the staff member could not admit to an issue you could tell that there was and I wasn't the first to have such problems.

I'm hoping its just either a particular batch of faulty phones or a software issue that can be resolved but I fear its a physical design issue/flaw with the iPhones aerial and on the S series some form of extra interference from the faster processor. Time will tell.

For the moment and until the issue can be demonstrated to be resolved I'm returning back to my Nokia.

Sadly having done some searching on the net since it seems other modern devices like the iPhone can also suffer from similar signal loss when picked up so choose your device carefully and do some research before signing up.

backscatter with sendmail

2009-03-16T08:17:00.000-07:00

One of our mail servers recently got listed in backscatter.org for creating back scatter (Non Deliver Reports (NDR) to people who have been listed as the sender of spam).

I was pretty surprised at this as I had configured sendmail such that it should not produce back scatter.

However on closer investigation it was true we were sending back scatter.

The problem lay in the fact that we relay a few accounts to the users isp accounts. One in particular (Demon) issue a 509 if they reject the email as spam.

This was causing our mail server to send an NDR to the from address of the original email.

To solve this problem I used procmail and formail to rewrite and then forward the email rather than simply allowing sendmail to relay it.

By re writing the 'Return-Path' option it means that the NDR is sent to a local address (which is actually /dev/null) rather than the FROM address.

To do this I simply created an account for the user and then created a .procmailrc in the home directory with the following entry

:0fw
| /usr/bin/formail -i "Return-Path: postmaster@mydomain.co.uk" | /usr/lib/sendmail -f postmaster@mydomain.co.uk yyyyyyyy@myotherdomain.co.uk

postmaster@mydomain.co.uk is simply sent to 'junkmail'
junkmail is an alias (in aliases) for /dev/null

The original Return-Path can be seen in the mail header as Old-Return-Path should you ever need it.

You can verify everything is working by simply checking your maillog (and the fact you have no more NDR mail sat for days in your outgoing queue!)

If you need to monitor your mail server check out www.ippatrol.com

asa5505 top 10 feature

2009-02-23T03:33:00.000-08:00

The latest version of ASDM fails with an error when you try to enable the ASA5505 top 10 feature.

It tries to execute the command "threat-detection statistics host number-of-rate 0" which is not valid.

To enable it execute the command "threat-detection statistics" using the cli interface.

Save the config and then disconnect and reconnect ASDM.

Should now be working!

Its not always obvious its fully working as many of the windows show zero values for parameters when there is no attack.

Both issues have been logged with Cisco.

Allowing for a timeout on check_nrpe

2009-01-22T03:12:00.000-08:00

check_nrpe allows for a timeout to be set using the -t option. The default is 10 seconds. Often this might not be enough. There is no way of specifying the timeout option when configuring a host.

example
=======

define service{
use generic-service
# Hostname of remote system
host_name mynode.mydomain.com
service_description Load
is_volatile 0
check_period 24x7
max_check_attempts 3
normal_check_interval 5
retry_check_interval 1
# Change to your contact group
contact_groups admins
notification_options w,u,c,r
notification_interval 10
notification_period 24x7
check_command check_nrpe!check_load
}

To get round this problem simply add a new command definition to commands.cfg below the existing check_nrpe definition

define command{
command_name mycheck_nrpe
command_line /usr/local/nagios/libexec/check_nrpe -H $HOSTADDRESS$ -c $ARG1$ -t $ARG2$
}

mycheck_nrpe allows for a 2nd parameter to be passed on the service definition.

example

define service{
use generic-service
# Hostname of remote system
host_name mynode.mydomain.com
service_description Load
is_volatile 0
check_period 24x7
max_check_attempts 3
normal_check_interval 5
retry_check_interval 1
# Change to your contact group
contact_groups admins
notification_options w,u,c,r
notification_interval 10
notification_period 24x7
check_command mycheck_nrpe!check_load!30
}

The above example specifies a 30 second timeout.

Problem solved!

Cisco Pix 501 Nat Configuration

2008-07-16T04:31:00.000-07:00

After installing a Cisco Pix 501 on an ADSL connection I had great problems getting NAT to work so I could allow incoming connections to certain servers inside the network.

I was using PDM to configure the firewall and this appears to be the problem. Eventually after some research I managed to configure NAT using the command line interface.

static (inside,outside) tcp interface 25 192.168.10.2 25 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any interface outside eq 25
access-group outside_in in interface outside

PDM does not appear to add the last line (or at least I can't find a way of doing it) and you end up with SYN errors in the firewall log.

Once its configured you can use PDM to add more rules as you wish and the access group outside_in is preserved. You need to configure the translation rule first and then the access rule. Easiest was is to copy and past the rules created above using PDM.

If you wish to restrict the outside access to certain servers simply replace 'any' with the ip address and subnet mask.

Configure PPTP VPN through Cisco Pix 501 Firewall

2008-07-14T03:19:00.000-07:00

I recently added a Pix 501 to my ADSL connection and all my outbound PPTP VPN connections from my Windows XP PC stopped working.

I eventually worked out how to re-enable them.

On the Pix 501 just enable PPTP fixup on port 1723.

All works!

Configure MailScanner to skip checking local mail

2008-04-14T03:46:00.000-07:00

Every day our system creates thousands of mails we send to customers and we keep a BCC so we can prove we have sent the email. Its pointless MailScanner checking these emails for virus and spam.

On checking the MailScanner configuration files I found it was very simple.

Simply edit MailScanner.conf and then change

Scan Messages = yes

to read

Scan Messages = %rules-dir%/scan.messages.rules

Then create scan.messages.rules in your rules directory and add your rules like the following example

From: /^192\.168\.12\./ no
FromOrTo: default yes

This means that any message from 192.168.12.* will not be checked

After that simply restart MailScanner, send some test messages and check the mail headers to confirm that internal messages are no longer scanned and external messages are still scanned.

For more information on rules see the EXAMPLES or README file in the rules directory.

How to configure yum to use a particular mirror

2008-03-19T10:31:00.000-07:00

So you have an out of date version of Fedora installed but you still want to make sure its as up to date as possible and Redhat (and many others) have removed the repositories. If you can find an old mirror, http://fedora.mirror.facebook.com/ for instance then you should be able to run up2date and use yum to install software.

First however you need to tell yum to look at the mirror you have found and not rely on download.fedora.redhat.com.

Go to the /etc/yum.repos.d directory.

Here you will find the definitions of the repositories. On Fedora Core 4 I commented out the mirrorlist option and added in my own values for baseurl.

$ cat fedora.repo

[base]
name=Fedora Core $releasever - $basearch - Base
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/$releasever/$basearch/os/
baseurl=http://fedora.mirror.facebook.com/linux/core/$releasever/$basearch/os/
#mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-core-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

$ cat fedora-updates.repo

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/updates/$releasever/$basearch/
baseurl=http://fedora.mirror.facebook.com/linux/core/updates/$releasever/$basearch/
#mirrorlist=http://fedora.redhat.com/download/mirrors/updates-released-fc$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

$ cat fedora-extras.repo

[extras]
name=Fedora Extras $releasever - $basearch
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/extras/$releasever/$basearch/
baseurl=http://fedora.mirror.facebook.com/linux/extras/$releasever/$basearch/
#mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-extras-$releasever
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
gpgcheck=1

Now you can happily use up2date and yum.

Clearly the system is still out of date and a newer version of fedora would be better but at least you can get it to the latest update and install software as required.

If you come across an issue where yum FC4 is looking in FC3 directories then do the following:-

$ cd /usr/share/rhn/up2date_client

$ vi sourcesConfig.py and comment out the releasever="3" below #FIXME:0

Content-type application/pdf does not work using Firefox on Mac

2008-03-05T03:08:00.000-08:00

Today we had a customer complain they could not open our invoices which are pdf's produced via a cgi script.

It quickly became apparent that it only happens in Firefox on a Mac. Firefox on other platforms has no issues, nor does Safari on a Mac.

A quick google uncovered this known bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=416094

It appears firefox on Max ignores the Content-Type header and will only automatically open a pdf when presented with a .pdf file extension.

I managed to 'solve' the problem by adding the following http header to the output.

Content-Disposition: inline; filename="invoice.pdf"

This just tells the browser the default file name and thus gets round the issue. Still works in IE and Firefox on a PC and fixes the issue on a Mac.

IE7 Upgrade Woes

2007-12-21T02:20:00.001-08:00

Well although I generally use Firefox I had to upgrade to IE7 today as a customer has spotted a problem with our website (www.ippatrol.com) whereby a redirect was looping.

It turns out IE7 is a little more picky about the REFRESH meta tag.

In all previous versions of IE and Firefox the following worked.

<meta equiv="REFRESH" content="1; anotherpage.html">

Under IE7 this just causes the page to constantly refresh. Adding the URL option fixes the issue.

<meta equiv="REFRESH" content="1; URL=anotherpage.html">

I've also seen comments on various blogs that this tag doesn't work or is disabled in IE7 and that somewhere in IE7 is an option to turn support on and off. I haven't seen this issue but then I only redirect internally within the site so perhaps it only takes affect when you redirect off site.

Just in case I've added some javascript code to do the redirect as well. Hopefully one or other method will fire otherwise the visitor can click on the link displayed to get to the contact page.

The second issue I had with IE7 was that PDF's no longer worked and just came up with a page error saying object required.

I quickly guessed this might be because my Acrobat Reader was also well out of date (V6.0.2 from 2004) even though it works fine in Firefox and worked in IE6.

So I bit the bullet and upgraded to Acrobat Reader V7.0 and now both Firefox and IE7 work with PDFs.

I have to say I am quite impressed with the speed of IE7 and the speed of the new version of Acrobat Reader. There are a few enhancements in IE7 most of which are just catching up with Firefox plus a few others which are useful if annoying such as the certificate checker/warnings and the fact that such errors are displayed on the address bar if you decide to ignore them - a nice reminder.

I did however notice that the IE7 pop up blocker is turned off by default which I find a little odd. The phishing facility warns you that its not turned on the first time you start IE7 but for some reason the pop up blocker doesn't - not very consistent or helpful.

Sendmail backup mx relay

2007-12-10T02:45:00.001-08:00

I have used sendmail for a number of years. We use it on our main mail server and on our backup mx servers.

Up until recently we simply allowed the backup mx servers to relay all mail to the domains they serve. Unfortunately spammers tend to target backup mx servers in the belief they are less well protected.

One of the side effects of this is that you end up accepting mail for lots of invalid addresses, which not only results in more spam (as the spammer thinks the address is valid) but also means you then end up trying to send non delivery receipts to some random reply address when the backup mx tries to deliver the mail to the main server and gets refused as the address doesn't exist.

I finally worked out that there is a nice feature in sendmail to only relay certain addresses thus refusing all the other junk and preventing the erroneous non delivery receipts.

By default we used to add the following to out access database

TO:dcl.co.uk RELAY

which simply means relay all email addressed to the domain dcl.co.uk

It is possible to be more selective but first you have to add the following to your sendmail configuration (sendmail.mc). Suggest you save a copy of sendmail.cf first for later comparison.

dnl #
dnl #Use access db with undocumented feature
dnl #
define(`_RELAY_FULL_ADDR_', `1')

Then do a make. Compare your new sendmail.cf with your old one just to ensure you've not lost anything.

You can now specify specific email addresses in the TO field rather than just the domain.

It means you have to remember to update your backup mx servers whenever you add or remove an email account but that is a small price to pay for the empty mail queues. I guess you could easily automate it.

Don't for get to rebuild your access database once you've edited the text file.

# hash /etc/mail/access.db < /etc/mail/access

PS. I also set DoubleBounceAddress to nothing (O DoubleBounceAddress=) to get rid of all those non delivery receipts of non delivery receipts!

TCP Window Scaling

2007-12-08T12:31:00.000-08:00

It appears the lastest versions of Linux and Windows both enable TCP windows scaling by default. This in itself shouldn't present a problem and should improve connection speeds to sites as larger tcp packets can be negotiated.

If however the site you are trying to access if behind and old firewall or router then you might find after upgrading to Windows Vista or a recent version of Linux (Redhat 6 for example) that some sites either crawl along or simply fail. This doesn't necessarily mean your computer is at fault. It could be your router - when did you last flash the rom?

But it could mean that a firewall or router sat somewhere between you and the site is causing the issue.

If you want to prove that its tcp window scaling causing the problem you can turn it off and see if it 'solves' the problem. If it does I suggest you get in touch with the site owner and ask them to get their firewall or router upgraded. Don't forget to turn Windows Scaling option back on after!

How to disable in Windows Vista and Linux
See Wikipedia for more details

Cisco firewall dns packet size setting

2007-11-29T02:23:00.000-08:00

I recently noticed that our cisco firewalls were denying dns packets being returned which are greater than 512 bytes in size.

On investigation this is the default setting on Cisco PIX and ASA firewalls and used to be correct as per the RFC for udp dns packet sizes. Over this size TCP packets used to be used. Due to the overhead of using TCP and various security issues it appears eDNS was invented to allow larger UDP packet sizes.

From what I can determine there is a flag passed when a dns server requests a lookup indicating whether it accepts Edns and its maximum packet size. If your firewall is configured to a different value there will clearly be issues as it will deny the valid packet that is returned.

BIND appears to cope with this situation by reverting back to a packet size of 512 if the initial query fails. I've not found out what Windows does if this happens but you would hope it does the same.

A bit of research shows this feature was implemented in Windows 2003 with a default edns packet size limit of 1280 and in Bind 9 with a default packet size of 4096.

So if you are using these dns servers you may want to adjust your firewall settings accordingly or research what your dns server does and what its default value is.

BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It also sets DO EDNS flag bit in queries to indicate that it wishes to receive DNSSEC responses. Most older servers that do not support EDNS0, including prior versions of BIND, will send a FORMERR or NOTIMP response to these queries. When this happens, BIND 9 will automatically retry the query withoutEDNS0.

You can configure both dns servers not to use edns and you can configure the maximum packet size but I guess the easiest option is to configure your firewall correctly.

Fedora Core 8 Network Install (no dvd available)

2007-11-23T08:36:00.000-08:00

Since Redhat Fedora Core 8 (FC8) only appears to come on DVD and not on CD any more its a bit of a problem to install it on older systems with no DVD.

You can either install directly over the internet or download the iso and serve the files locally via your own http or ftp server.

Using download.fedora.redhat.com (or a mirror)

Creating your own server (skip if you are going to install over the internet)

Download the full dvd iso.

Then either burn it to a dvd and configure your web server/ftp server to allow access to the dvd or copy the files off the dvd to your web server/dvd server. Alternatively extract the files directly from the iso to a directory on your web server/ftp server (I used winrar on windows and then used windows personal web server to serve the files).

Create a boot disk

Download the Fedora Core 8 Rescue Disk iso image from (/pub/fedora/linux/releases/8/Fedora/i386/iso) and burn this on to a CD.

Boot and Install

Boot the server where you want to install FC8 from the Rescue Disk.

When it boots choose Install or upgrade an existing system from the menu.

Select the language and keyboard type from the menu.

You can then choose to install from Local CD/DVD, Hard drive, NFS directory, FTP or HTTP

Choose HTTP or FTP as appropriate and fill in the details.

In my case I used Http so I then input just the ip address of my web server and the directory containing the unpacked iso image. If you are using a service over the internet then you need to target the 'os' directory (/pub/fedora/linux/releases/8/Fedora/i386/os).

The install should then detect the 'disk' and offer the option to check the media (say no!). Proceed as normal with the install.

Notes:

You can also use boot.iso (minimal boot) or diskboot.img (usb stick) to boot and start the install (These can be found in fedora/linux/releases/8/Fedora/i386/os/images on any mirror.) but its always worth creating the rescue disk just in case you ever need to rescue your server. Leave one next to the server!

How to get Cisco VPN working on Vodafone

2007-11-17T18:33:00.001-08:00

If you are using vodafone mobile broadband or dialing up via your mobile you may wish to connect to the office via vpn. If this is using a firewall such as the Cisco ASA devices you may find it connects but then you can not do anything.

Firstly you need to ensure that NAT-T is enabled in your IKE global parameters. Its in the VPN tab on ASDM under IKE - Global parameters.

Next you must ensure NAT-T is enabled in your IPSEC rules for your dynamic vpn connections. Its on the IPSec - IPSec Rules tab, and you need to tick the NAT-T box for each of your dynamic VPN rules.

You should now be able to connect and access your services via Vodafone.

If you notice that you can now only access things at the office and no other sites (such as google for instance) then you are probably sending all your internet traffic to the office instead of just that which is relevant to the office.

So you need to set up a tunnel rule.

The best way is to create a new Group Policy on the firewall (or edit the one you have already set up for remote connections). When you create the new Group Policy leave everything set to inherit except for Split Tunnel Policy and Split Tunnel Network List on the Client Configuration tab.

Set Split Tunnel Policy to 'Tunnel Network List Below'.

Then click on the Manage button below that.

You should get a pop up window called ACL Manager with no entries defined.

Click on Add, Select Add ACL, when prompted for ACL Name, enter a name for your ACL such as SplitTunnelList. Click on the new ACL you added then click on Add again and this time select Add ACE.

Enter the IP Address of your internal network, in this example its 192.168.2.0 and then enter the network mask, in this case 255.255.255.0. Ensure Permit is ticked.

Finally select your remote access Tunnel Group and assign it the new Group Policy. Save all the settings and reconnect via vpn. Your office traffic should still work but you should also be able to surf the internet directly via your own connection.

Basic - How DNS Works

2007-11-17T17:51:00.001-08:00

In this article I will try and explain the basics of DNS, what it is, what you use it for and how important it is.

DNS is basically a set of records that allow a name you enter in a browser such as www.ippatrol.co.uk to be converted into a numeric ip address that a computer can understand and use to connect to the actual web server.

You can in many cases just use the ip address but that would be hard to remember and if it changes you will be lost so we use dns to make things easier to remember.

DNS is comprised of a number of different record types some of which I explain below.

An 'A' record is something like www, added to your domain (ippatrol.co.uk) it gives an easy to remember url www.ippatrol.co.uk. When you enter this in your browser your pc use dns to translate the 'A' record to the ip address of the web server server, requests the page and displays it.

An 'MX' record is an incoming mail server record, you normally have more than one, each has a priority. Mail will go to the lowest priority if this fails it will try the others in order. So when you send an email your isps mail server finds the mx record of the receipients mail server, gets the ip address and then connects to that server to send the email.

a 'CNAME' is a conical name and basically just points at another name (A record), it can make maintenance easier as you then may only need to change one 'A' record but I generally don't use them.

So instead of defining ftp as an 'A' record you may make ftp a cname pointing to say www so when its looked up it looks at the record for ftp, finds its a cname, looks up www and gets the ip address of the server.

A lot goes on in the background to look up a dns entry. First we have to query the root name servers (the heart of the internet), to find out which top level domain servers will help to answer your lookup.

so for instance to lookup www.ippatrol.co.uk we need to know who provides uk responses

host -t ns -d uk

;; ANSWER SECTION:
co.uk. 170706 IN NS ns6.nic.uk.
co.uk. 170706 IN NS ns7.nic.uk.
co.uk. 170706 IN NS nsa.nic.uk.
co.uk. 170706 IN NS nsb.nic.uk.
co.uk. 170706 IN NS nsc.nic.uk.
co.uk. 170706 IN NS nsd.nic.uk.
co.uk. 170706 IN NS ns1.nic.uk.
co.uk. 170706 IN NS ns2.nic.uk.
co.uk. 170706 IN NS ns3.nic.uk.
co.uk. 170706 IN NS ns4.nic.uk.
co.uk. 170706 IN NS ns5.nic.uk.

then we ask one of those servers for the domain's (ippatrol.co.uk) dns servers.

host -t ns -d ippatrol.co.uk ns6.nic.uk.

ippatrol.co.uk. 172800 IN NS ns1.dcl.co.uk.
ippatrol.co.uk. 172800 IN NS ns2.dcl.co.uk.
ippatrol.co.uk. 172800 IN NS ns3.dcl.co.uk.

In this case there are 3.

Once you have the name servers you can then lookup the record you want

host www.ippatrol.co.uk ns2.dcl.co.uk.
Using domain server:
Name: ns2.dcl.co.uk.
Address: 85.13.195.78#53
Aliases:

www.ippatrol.co.uk has address 81.201.137.96

Its actually a bit more involved than that but thats the basic idea.

You could always lookup a few domains on somewhere like dnsreport.com to see how they are set up.

You should try and ensure your dns is hosted by a reliable dns host. Unfortunately most people just rely on the free service provided by their domain registrar, spend thousands on their web site only to find the dns service is unreliable and people can't find their web site.

Be aware DNS is cached (to speed up the internet) in your browser, on your pc and on your isps's dns servers. So you may be able to access your site, but your dns servers may be down and other visitors may not be able to access it. You will only see the problem when your cache expires. So check your dns out somewhere like checkdns.net if some reports a problem.

Your dns provider should provide at least 2 dns servers (in case one fails). They should be located in different data centers so that an outage at one place does not affect your dns service.

Finally they should really be located in the country where your servers are or where your customers are, beware some dns providers who appear to be located in the UK are for instance located in North America.

A simple traceroute to their name servers should clarify the situation. The best thing to do is ask your potential dns provider all these questions.

Before registering a domain check out their dns service and also check how much it costs to transfer away from the registrar if you need to. It should be possible to do everything yourself from a control panel without their intervention. If they don't allow this or charge you for releasing your domain then avoid them like the plague.

Finally once you have configured your dns check its correct using a free service like dnsreport.com and do this every time you update it. To do a one off test of your dns, web site and mx records try checkdns.net.

Once everything is working signup with ipPatrol (www.ippatrol.co.uk) and get your web site monitored 24x7 with instant alerts via email and sms so you know when it stops working and can get it fixed before your customers notice or you start losing business. Don't rely on your isp to do this, most don't do effective monitoring (they just ping the server) and even less will tell if a problem has occurred.