theterranaut

Forum Replies Created

Viewing 30 posts - 31 through 60 (of 111 total)
    theterranaut
    Member
    in reply to: CISCO PIX515 and email (exchange) forwarding #285865

    Re: CISCO PIX515 and email (exchange) forwarding

    OK. Here’s your config: relevant parts remain, I’ve removed the bumf:

    Internal address= a.b.c
    External= d.e.f



    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

    fixup protocol smtp 25

    names
    name a.b.c.31 dbyexch01
    name d.e.f.121 Firebrick

    interface ethernet0 auto
    interface ethernet1 auto

    ip address outside d.e.f.122 255.255.255.252
    ip address inside a.b.c.2 255.255.0.0

    arp timeout 14400

    global (outside) 200 interface
    nat (inside) 200 0.0.0.0 0.0.0.0 0 0
    route outside 0.0.0.0 0.0.0.0 Firebrick 1

    floodguard enable
    no sysopt route dnat
    telnet timeout 5
    ssh timeout 5



    Objectives:
    1)Allow SMTP (tcp 25) in to an internal Exchange server
    2)Allow all outbound traffic originating on the inside out to ‘the internet’

    Assumptions:

    -I’m doing this from a console cable into the back of a PIX. Not PDM.
    You can enter commands via PDM ‘console’, but I find a console cable the best way to go. All of what follows next assumes you have typed ‘enable’ to get you into enable mode, then ‘configure terminal’ to actually start affecting the configuration.

    -I’ve assumed that the external IP of the PIX is the IP other mail servers will be attempting to connect to on tcp 25 (SMTP). If not, let me know.

    -Your internal mail server is called dbyexch01, and your ‘name’ command references this.


    The PIX has a fairly straightforward security model, incidentally:

    -each interface has a ‘trust’ level (called security level on PIX.) Highest- most trusted- level= 100. Lowest = 0. (You can have a PIX with a bunch of interfaces, both virtual and physical, so this range can actually prove useful.)

    -traffic is allowed to flow from a higher-security interface to a lower-security interface (ie, from the inside (generally 100) to the outside (generally 0)) as long as the appropriate ‘nat’ and ‘global’ statements have been configured. The PIX ‘remembers’ the traffic going from high to low- and when it returns, permits it back in, then closes the connection.

    So, if you hit google from a browser on the inside:

    -the traffic is permitted out, and is natted according to your global and nat statements
    -the pix places an entry in its ‘translation matrix’ to keep track of this traffic
    -when traffic lands on the outside of the PIX, it checks the matrix
    -if an entry exists, the traffic is permitted through and the matrix is updated
    -if it doesn’t, traffic is dropped.
    -finally- and most importantly- NO UNSOLICITED TRAFFIC IS ALLOWED TO FLOW FROM LOW TO HIGH-
    -unless the appropriate statements are added



    Steps needed:

    1)Disable the ‘fixup’ for port 25 (SMTP)
    The PIX will try and interpret invalid commands for SMTP ‘streams’. Exchange is actually ESMTP, so this application inspection (or ‘fixup’) will break SMTP.

    command:


    no fixup protocol smtp 25

    2)Allow all internal traffic out to the internet
    It needs 2 things to do this:
    i)a ‘pool’ of translatable IP addresses- or just the external interface IP itself (your ‘global’ statement)
    ii)a special nat-specific ‘access-list’ to tell it what to translate (the ‘nat’ statement)

    (If you think of the former as ‘what do I translate these packets into?’ and the latter as ‘what addresses do I actually translate?’ you won’t go too far wrong.)

    Commands needed (you’ve done these already, this is just for illustration):

    global (outside) 200 interface
    nat (inside) 200 0.0.0.0 0.0.0.0 0 0

    3)We now want to forward tcp 25 in from the external interface IP address to an internal host, and not break our earlier work.
    Remember what I said earlier about the PIX not allowing unsolicited traffic to go from low to high (outside to inside, in this case) unless the right commands were added? That’s what we’ll do now.

    Commands needed:

    static (inside,outside) tcp interface 25 dbyexch01 25 netmask 255.255.255.255 0

    access-list smtp_in permit tcp any interface outside eq 25

    access-group smtp_in in interface outside

    Explanation:
    -first command tells the pix to statically- ie, in a fixed manner- translate traffic originating on the outside interface, on tcp 25, and to translate it to dbyexch01’s IP address on 25.
    -but we still need an access-list to permit our traffic: so the second command tells the PIX what’s actually allowed.
    -thirdly, we tell the PIX where to apply this access-list to, and in what direction: in this case, our access-list (called smtp_in) is applied inbound on the outside interface.

    Try this and see if it allows tcp 25 in to your mail server, and still allows your internal hosts to get out.

    regards,

    theterranaut
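The traffic rules the post describes (security levels, the translation table for outbound traffic, and static plus access-list for inbound SMTP), modelled in Python as an added example; this is not the original post's or Cisco's code. Addresses are constructed stand-ins: 10.1.0.0/16 for the a.b.c inside network, 203.0.113.122 for the outside interface d.e.f.122, 10.1.0.31 for dbyexch01; PAT is simplified to a port counter and only the two interfaces in the config are modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Pix:
    """Two-interface PIX model: outbound needs nat+global, inbound needs static+ACL."""

    def __init__(self):
        self.level, self.addr = {}, {}       # nameif security level / ip address
        self.nat, self.glob = {}, {}         # nat_id -> (iface, net) / nat_id -> iface
        self.static, self.acl, self.group = {}, {}, {}
        self.xlate = {}     # (mapped_ip, mapped_port, proto) -> (local_ip, local_port)
        self.conns = set()  # (remote_ip, remote_port, mapped_ip, mapped_port, proto)
        self._next_port = 1024               # constructed PAT port allocator

    # -- one method per PIX command used in the post --
    def interface(self, iface, level, ip):   # nameif + ip address
        self.level[iface], self.addr[iface] = level, ip

    def nat_cmd(self, iface, nat_id, net):
        self.nat[nat_id] = (iface, ipaddress.ip_network(net))

    def global_cmd(self, iface, nat_id):
        self.glob[nat_id] = iface            # only 'global ... interface' PAT modelled

    def static_cmd(self, low_iface, proto, gport, local_ip, lport):
        # static (inside,outside) tcp interface 25 dbyexch01 25 netmask 255.255.255.255
        self.static[(self.addr[low_iface], gport, proto)] = (local_ip, lport)

    def access_list(self, name, proto, dst_ip, dport):
        self.acl.setdefault(name, []).append((proto, dst_ip, dport))

    def access_group(self, name, iface):
        self.group[iface] = name             # applied inbound on iface

    # -- forwarding decision --
    def forward(self, ingress, pkt):
        """Return ('PERMIT', translated_packet) or ('DROP', None)."""
        egress = next(i for i in self.level if i != ingress)
        if self.level[ingress] > self.level[egress]:
            return self._outbound(ingress, egress, pkt)
        return self._inbound(ingress, pkt)

    def _outbound(self, ingress, egress, pkt):
        # high -> low: permitted only if a nat statement covers the source and a
        # global with the same id exists on the egress interface; record the xlate
        for nat_id, (iface, net) in self.nat.items():
            if (iface == ingress and ipaddress.ip_address(pkt.src) in net
                    and self.glob.get(nat_id) == egress):
                mapped_ip, mapped_port = self.addr[egress], self._next_port
                self._next_port += 1
                self.xlate[(mapped_ip, mapped_port, pkt.proto)] = (pkt.src, pkt.sport)
                self.conns.add((pkt.dst, pkt.dport, mapped_ip, mapped_port, pkt.proto))
                return "PERMIT", Packet(mapped_ip, mapped_port, pkt.dst, pkt.dport, pkt.proto)
        return "DROP", None

    def _inbound(self, ingress, pkt):
        key = (pkt.dst, pkt.dport, pkt.proto)
        # 1. return traffic for a remembered connection: un-translate and permit
        if (pkt.src, pkt.sport) + key in self.conns:
            local_ip, local_port = self.xlate[key]
            return "PERMIT", Packet(pkt.src, pkt.sport, local_ip, local_port, pkt.proto)
        # 2. unsolicited low -> high: dropped unless a static exists AND the
        #    access-list applied inbound on the ingress interface permits it
        if key not in self.static:
            return "DROP", None
        rules = self.acl.get(self.group.get(ingress), [])
        if not any(r == (pkt.proto, pkt.dst, pkt.dport) for r in rules):
            return "DROP", None
        local_ip, local_port = self.static[key]
        return "PERMIT", Packet(pkt.src, pkt.sport, local_ip, local_port, pkt.proto)


def build_pix(apply_access_group=True):
    """Steps 2 and 3 from the post, with constructed stand-in addresses."""
    pix = Pix()
    pix.interface("outside", 0, "203.0.113.122")    # d.e.f.122, security0
    pix.interface("inside", 100, "10.1.0.2")        # a.b.c.2, security100
    pix.global_cmd("outside", 200)                  # global (outside) 200 interface
    pix.nat_cmd("inside", 200, "0.0.0.0/0")         # nat (inside) 200 0.0.0.0 0.0.0.0 0 0
    pix.static_cmd("outside", "tcp", 25, "10.1.0.31", 25)   # dbyexch01
    pix.access_list("smtp_in", "tcp", "203.0.113.122", 25)  # ... interface outside eq 25
    if apply_access_group:
        pix.access_group("smtp_in", "outside")
    return pix
```

Running `build_pix(apply_access_group=False)` shows the point made in step 3: the static alone is not enough, and inbound tcp 25 is still dropped until the access-group is applied.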

    theterranaut
    Member
    in reply to: How to get ADSL dsl thru Cisco 2501 serial ports. #285864

    Re: How to get ADSL dsl thru Cisco 2501 serial ports.

    No problem.

    PPP and PPPoE are related but different things, btw. I’m not sure why you need PPP- I would remove it and just set up the interfaces using IP addresses and clock rates to get them up and running. You would only really need PPP over Serial if you were trying to get some authentication up and running, or one of the other things PPP is useful for. The basic encapsulation on Serial on Cisco is called HDLC, is on by default, and should suit you fine.

    (Check the front page for David Davis’ excellent guide to WAN protocols for more info)

    Please post your configs so I can take a look.

    regards

    theterranaut

    theterranaut
    Member
    in reply to: CISCO PIX515 and email (exchange) forwarding #285863

    Re: CISCO PIX515 and email (exchange) forwarding

    It shouldn’t be a problem, the PIX can handle this with ‘policy nat’.
    One IP is all you need!

    Do me a favour though- dump out your config and let us review it!
    That way, there will be no unexpected gotchas, specifically around
    the access-lists. If you are struggling to do this- let me know.

    regards

    theterranaut

    theterranaut
    Member
    in reply to: Cisco 857W router config help #285862

    Re: Cisco 857W router config help

    Absolutely. JeremyW is spot on, that’s why we do it, after all. We’ve just (well, 7 weeks ago) had number 2, and everything else just has to take a back seat for our little network and server admins of the future!

    take care all

    theterranaut

    theterranaut
    Member
    in reply to: Is NATting possible on 2 seperate private ip’s? #285861

    Re: Is NATting possible on 2 seperate private ip’s?

    I think you maybe have misread the OP, usits.

    kvouzoplis isn’t using two WAN gateways. He (?) has two internal servers with 2 NICs each: each server has a NIC on HIS external network (private) and on his internal network (also private).

    Quote from the OP:

    “I have just setup a brand new network. I have 2 windows server 2003 r2 DCs (one primary, one secondary). Their external IPs are 192.168.1.2/24 and 192.168.1.3/24, which connect to the router for default gateway. Again on the same DCs, I have also installed more nics to support the internal network. Their IPs are 192.168.2.1/24 and 192.168.2.2/24.”

    So, with only one router, you can only forward an individual port from an individual external IP address.
    The only workable solution I can think of is some Windows clustering, to present a virtual ip to the outside world.
    The router will then forward tcp 25 to this IP address: no matter what happens internally- if a DC fails, etc, as long as the same virtual ip is presented to the router then smtp should get through.

    That’s why I wondered about your VPN scenario: I think I see where you are coming from now. Actually, that sounds quite interesting: you should really draw a diagram to illustrate, it sounds like a clever solution to your problem, and I think we could all learn from it.

    regards
    theterranaut

    theterranaut
    Member
    in reply to: 2 Seperate SBS 2003 servers in ONE switch? #285860

    Re: 2 Seperate SBS 2003 servers in ONE switch?

    Does it? I didn’t know that. I suppose it makes sense from an MS standpoint: limit the environment in which this box can be deployed. Bloody hell. Why am I not surprised?

    http://www.wehuberconsultingllc.com/wordpress/?m=200411

    (Adding a router/wap to my network

    Posted by Bill on 25th November 2004)

    thanks for the info, tieger

    theterranaut

    theterranaut
    Member
    in reply to: Is NATting possible on 2 seperate private ip’s? #285859

    Re: Is NATting possible on 2 seperate private ip’s?

    usits;48940 wrote:
    Ok I’m a bit confused too, you said that 192.168.1.xxx are external IP’s but technically they are not, they are private IP’s. I’m assuming you have T1 or some other kind of dedicated line. In that case the IP that is provided to you by your ISP is your Public or External IP. Now if you really want to load balance everything you can use Clustering or get a router with two WAN interfaces, hook up two high speed circuits to it and route traffic between them (create a VPN). If your router does not have the ability to do that, then you can use two different routers to accomplish this. Now you have what you want to do.
    You can forward the same port to those two servers from 2 different routers and there is a VPN that exists between them and traffic is being routed so you are good to go. If one WAN interface goes down or one server goes down you have the other one up and running. Hope this helps.
    cheers

    I think he means that the RFC1918 addresses are on HIS external network. Semantics.

    A question: I’m not sure why he needs a VPN. A VPN is an encrypted ‘tunnel’ across a network- how exactly will that help in this scenario?
    And how can inbound email, sent from anywhere in the world to this man’s server (the whole point of this man’s endeavours) be load balanced, exactly?
    Maybe a diagram of your suggestion would help?

    regards

    theterranaut

    theterranaut
    Member
    in reply to: Is NATting possible on 2 seperate private ip’s? #285858

    Re: Is NATting possible on 2 seperate private ip’s?

    I see what you mean.
    I think in this case you should consider ‘clustering’ the machines which you want to appear as gateways. That way, you can present a ‘virtual ip’ to the world.

    I may be wrong, but I suspect a DC can’t be an Exchange front end server for some reason (Bill G needs more money, most probably :)

    I take your point re ‘backup’ nat. I certainly don’t know of a way, but maybe others do?

    regards

    theterranaut

    theterranaut
    Member
    in reply to: 2 Seperate SBS 2003 servers in ONE switch? #285857

    Re: 2 Seperate SBS 2003 servers in ONE switch?

    Apologies for the late post.

    You could get around the problem of 2 DHCP servers on 1 subnet by:

    i)dividing up your address pool carefully
    ii)applying one half to one SBS box, the other on the other one
    iii)using DHCP class IDs on the server and the appropriate group of workstations to tell them what IPs to pick up.

    theterranaut

    theterranaut
    Member
    in reply to: Is NATting possible on 2 seperate private ip’s? #285856

    Re: Is NATting possible on 2 seperate private ip’s?

    Hiya,

    I think your problem is that you are trying to forward the same port to 2 internal devices on the same external IP address. The router, quite correctly, is telling you you can’t do that- because you can’t! If you had more external IPs you could set up a couple of them on the outside and forward them in, ie

    xxx.xxx.xxx.xxx->192.168.1.2 on tcp 25

    yyy.yyy.yyy.yyy->192.168.1.3 on tcp 25

    I’m a wee bit puzzled as to what you are actually trying to achieve here. Are you using the ‘internal’ NICs as pseudo firewalls? Why does the Exchange Server need to be able to use 2 separate DCs as gateways?

    To simplify things, why not just set everything up on one flat internal network? That way, you can just forward port 25 tcp into the Exchange Server, which is sort of what it expects? Is there really a need for this complexity?

    regards

    theterranaut

    theterranaut
    Member
    in reply to: How to get ADSL dsl thru Cisco 2501 serial ports. #285855

    Re: How to get ADSL dsl thru Cisco 2501 serial ports.

    That’s alright, I think you are just about there. Just make sure that the clients connecting to your 1924 are using the ethernet interface of your ‘local’ router as their default gateway.

    OK. I’m going to call the router that has the 1924 connected your ‘local’ router and the one connected to the dsl box your ‘remote’ router, okay?

    If you issue a ‘sh ip route’ command on each router, at present you will see the ‘connected’ routes. These are the routes that the router knows about because it has an interface addressed with the relevant ip addresses.

    Step 1: Set up a default route on the ‘local’ router
    (the one your 1924 connects to)
    [The object of this is to get this router to forward any traffic that it hasn’t an explicit route for, out of its serial interface and onto the ‘next hop’: which will be the serial interface of the remote router. As this inside router is just hosting a ‘stub’ network- a network with one exit point- all that’s needed is a command saying ‘if I don’t specifically know how to get to a network, just send it this way.’]

    command needed:

    enable
    configure terminal
    ip route 0.0.0.0 0.0.0.0 (next hop IP address- the address of the serial int on the remote router)

    When you enter this command, test its effectiveness by pinging the ethernet interface of the remote router from a client on the inside. If you get a response, all should be well. If not, check your gateway and let me know.

    Step 2: Set up a route to the ‘inside’ router’s ethernet lan on the ‘remote’ router.
    [At present, the remote router knows about its own ethernet network and the serial network. It needs an explicit route to tell it how to forward traffic destined for your ‘inside’ router’s ethernet lan network]

    command needed:

    enable
    configure terminal
    ip route (inside lan network) (inside lan subnet mask) (next hop ip address)

    So, if your inside lan was 192.168.2.0 255.255.255.0, and your next hop from your ‘remote’ router was the ‘inside’ router’s serial interface, on 10.10.10.1:

    ip route 192.168.2.0 255.255.255.0 10.10.10.1

    Step 3: Finally, your ‘remote’ router needs to know what to do about traffic it has no explicit route for, ie, ‘internet’ traffic.

    [At present, the remote router knows about its own ethernet network, the serial network, and your ‘inside’ network: the whole of your LAN environment. It needs a default route for your internet (unknown) traffic, which will go via the dsl box.]

    command needed:

    enable
    configure terminal
    ip route 0.0.0.0 0.0.0.0 (next hop ip address- dsl box inside interface)

    So, if your dsl box’s ‘inside’ interface was on 10.10.20.1:

    ip route 0.0.0.0 0.0.0.0 10.10.20.1

    I think that should be all you need. Try it and see. If it works okay, do me a favour- come back and let us know, eh?

    regards

    theterranaut
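The three static routes the post walks through, modelled in Python as an added example (not the post's or Cisco IOS code) so the forward and return paths can be traced hop by hop; it also shows what happens to return traffic when Step 2 is skipped. The post's addresses are used where it gives them (LAN 192.168.2.0/24, inside router serial 10.10.10.1, dsl box inside interface 10.10.20.1); the remote router's serial address 10.10.10.2 and its ethernet address 10.10.20.2 are constructed.

```python
import ipaddress


class Router:
    def __init__(self, name, interfaces):
        # interfaces: {"Ethernet0": "192.168.2.1/24", ...}; each one yields a
        # 'connected' route, exactly what 'sh ip route' shows before any ip route
        self.name = name
        self.ifaces = {}
        self.routes = []   # (network, next_hop or None for connected, interface or None)
        for iface, cidr in interfaces.items():
            addr = ipaddress.ip_interface(cidr)
            self.ifaces[iface] = addr
            self.routes.append((addr.network, None, iface))

    def ip_route(self, network, mask, next_hop):
        """'ip route <network> <mask> <next-hop>' as typed on the 2501."""
        net = ipaddress.ip_network(f"{network}/{mask}")
        self.routes.append((net, ipaddress.ip_address(next_hop), None))

    def lookup(self, dst):
        """Longest-prefix match: the default route (/0) only wins when nothing else does."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if dst in r[0]]
        if not candidates:
            return None
        net, next_hop, iface = max(candidates, key=lambda r: r[0].prefixlen)
        if next_hop is None:
            return ("connected", iface)
        return ("via", next_hop)


def trace(routers, dst, start, max_hops=8):
    """Follow next hops from router 'start' until dst is on a connected network."""
    by_addr = {str(a.ip): r for r in routers for a in r.ifaces.values()}
    path, here = [start.name], start
    for _ in range(max_hops):
        hit = here.lookup(dst)
        if hit is None:
            return path + ["NO ROUTE"]
        if hit[0] == "connected":
            return path + [f"delivered on {hit[1]}"]
        nxt = by_addr.get(str(hit[1]))
        if nxt is None:   # next hop is not one of our routers, e.g. the dsl box
            return path + [f"handed to {hit[1]}"]
        path.append(nxt.name)
        here = nxt
    return path + ["LOOP"]


def build(step2=True):
    """The post's two routers after Steps 1-3; step2=False omits the return route."""
    local = Router("local", {"Ethernet0": "192.168.2.1/24", "Serial0": "10.10.10.1/30"})
    remote = Router("remote", {"Serial0": "10.10.10.2/30", "Ethernet0": "10.10.20.2/24"})
    local.ip_route("0.0.0.0", "0.0.0.0", "10.10.10.2")                  # Step 1
    if step2:
        remote.ip_route("192.168.2.0", "255.255.255.0", "10.10.10.1")   # Step 2
    remote.ip_route("0.0.0.0", "0.0.0.0", "10.10.20.1")                 # Step 3
    return local, remote
```

Without Step 2 the remote router matches a reply to 192.168.2.x only against its default route and hands it to the dsl box, which is why the ping test in Step 1 needs the return route before it can succeed.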

    theterranaut
    Member
    in reply to: How to get ADSL dsl thru Cisco 2501 serial ports. #285854

    Re: How to get ADSL dsl thru Cisco 2501 serial ports.

    Hi,

    if I understand you correctly, you want to:

    -have the dsl connection connected to your ethernet interface on your 25xx router #1
    -be able to route the packets in from dsl to ethernet and back out via Serial on router #1
    -route these packets from Serial on Router #1 to Serial on Router #2

    Am I correct? If so, you need to:

    -connect the routers up back to back (serial port to serial port) via the correct serial cable
    -set the serial interface on the router which is on the DCE end of the cable (which should be marked on the cable) to be the ‘clock’

    -set ip addresses on all interfaces

    -set static routes pointing from one router to the other.

    It’s difficult to tell from your post whether you can do all of this- you seem to have some knowledge of all this stuff. If what I’m saying doesn’t make sense then please let me know.

    regards

    theterranaut

    theterranaut
    Member
    in reply to: 857/877 IPsec tunnels #285853

    Re: 857/877 IPsec tunnels

    Hi Dave,

    the only info I’ve been able to find on this is the standard Cisco line: 5 or 10 ‘active’ tunnels.

    Somehow, though, I can’t see them introducing a software restriction just for these devices. My guess- and it is just that, a guess- is that the hardware encryption engine limits tunnels to 5 or 10.

    Sorry I can’t be of more help-

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: Cisco 501 network setup #285852

    Re: Cisco 501 network setup

    Hi GuinnessX.

    Sounds like the RRAS server is restricting access to the other servers, for some reason.

    I haven’t really a clue about this thing. (FWIW, I would have just used IAS, and authenticated to AD from this via my vpn- but there you go.)

    Is there an obvious place in RRAS where you can restrict the resources a user is allowed to connect to? Is there a way you can sort of expand this and allow a connection to further resources? Sorry, guessing here.

    Actually- it seems very odd that adding RRAS solves this problem. What does AD say about how many RRAS servers there are out there?

    Sorry I can’t be more help-

    regards

    theterranaut

    theterranaut
    Member
    in reply to: Implementing a PIX in a VLAN scenario #285851

    Re: Implementing a PIX in a VLAN scenario

    Hi Ryan,

    when you say that each vlan will be firewalled by a PIX, do you mean a separate PIX? Or is this going to be a single unit? Perhaps a better question to ask is: what do you want to achieve in terms of traffic separation? Eg, would you want server1 on vlan1 to be able to talk smtp to server2, vlan2, etc etc…?

    Bear in mind that a PIX (later versions of FOS) will run vlans on an interface (negating the need for a router)- which it still views as a logical interface, and you can then create the rules that govern traffic between them. As I think I noted to an earlier poster, you are then restricted by the 100Mb TCP throughput of the 515. Might be enough?

    regards,
    theterranaut

    theterranaut
    Member
    in reply to: CISCO PIX515 and email (exchange) forwarding #285850

    Re: CISCO PIX515 and email (exchange) forwarding

    Hi Chief,

    I know what you mean re: PDM. The problem with PDM config is: you have to describe a series of clicks and text entry, which is a bit daunting given the PDM’s nature!

    Can I ask you to do the following:

    -Extract the configuration file from the PDM? I recall that if you click on ‘Tools’ it’s up there somewhere. There’s an option to dump out the config.

    If you post it up here (sanitised) we can take a look. This will allow us to check access-lists and such like before we give you a bum steer.

    Sound okay?

    regards

    theterranaut

    theterranaut
    Member
    in reply to: Network loop control #285849

    Re: Network loop control

    Hi Jeremy,
    sorry I’ve not been back to get into this, I’ve been away from my lab for a few days so can’t really test/check configs.

    That’s interesting- it looks as though it’s not being returned from the respective gateway on the other side. I’ll get back onto this one as soon as I can.

    Sorry guys-

    theterranaut

    theterranaut
    Member
    in reply to: Network loop control #285848

    Re: Network loop control

    Thanks Jeremy,

    I’m away from the lab just now and can’t check that I actually had to do anything additional… damn, you’ve got me thinking now!

    I do remember it being incredibly sensitive to daft things like the order in which the nics get assigned IP’s and whether or not the respective interfaces had gateways or not. It basically creates the routes as the IPs get setup. I now distinctly remember having to play with the gateways and ridding myself of one of the default routes..I’ll have to get back to you on this!

    Actually, can you check those gateways on the workstations for me:

    Computer#1: (172.18.21.0 network side) has an interface of 172.18.21.153, gateway of .65
    Computer#3: (172.19.12.0 network side) has an interface of .145, gateway of 172.19.12.129 yes?

    But looking at the multihomed box, I see:
    Interface: 172.18.21.130
    Interface: 172.19.12.62

    As I say, I’m riffing a bit here and may be misreading this (got roped into helping out with some imaging tonight ) but I think you’ll find that the gateways of 1 and 3 need to correspond to the nics on either side of the multihomed machine, ie, .130 and .62.

    (I’m gently preparing myself for the embarrassment of seeing that I have, in fact, stuck RRAS on that box after all…)

    :confused:

    theterranaut

    theterranaut
    Member
    in reply to: Network loop control #285847

    Re: Network loop control

    hi Jeremy,
    yes, I see what you mean. But by default, unless you put packet filters on its interfaces, a W2K/2K3 server with a NIC in 2 separate networks will happily route between these networks. It seems to be something that’s built into the OS. You can confirm this by shutting down a single NIC server, adding in another NIC, powering up, adding an IP on a different network for the new NIC, and issuing ‘route print’ at the command prompt. Hey presto, the routes appear! Just like connected routes in the Cisco world.

    Adding RRAS does add a lot more ‘functionality’, NAT’ing and such like, but the old “2 NICs, 1 PC, 1 Copy of Windows Server 2003” makes a fairly functional (though restricted to Ethernet traffic) router.

    Cheers!

    theterranaut

    theterranaut
    Member
    in reply to: Network loop control #285846

    Re: Network loop control

    It’s possible. You actually have 2 routers:

    -the ‘multihomed’ server (with 2 NICs) is a router
    -so is the (I’m assuming) ‘hardware’ router

    You would really have to sit down and examine your topology- logical and physical- to see if a ‘loop’ is possible.

    Do you suspect there is one? Some strange behaviour?

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: Cisco 857W router config help #285845

    Re: Cisco 857W router config help

    Uncle Bob, hello.

    daft question, but are you actually picking up an IP address? On your wireless workstation, I mean. It sounds like you aren’t… you might want to run some debugs on the 857W to see where it’s failing (haven’t one here right now, so couldn’t tell you exactly what.)

    When you say you have security set up, what exactly?
    WPA? WEP?

    Let us know…config might be good to see.

    As an aside- I had a very similar thing recently with a WEP config on an Aironet AP. Turned out I had to set my client workstation to ‘open’ WEP mode rather than shared. Instantly all was well, and I was joined by my close friends Hunky and Dory.

    theterranaut

    theterranaut
    Member
    in reply to: Cicso ASDM – how to export vpn profile #285844

    Re: Cicso ASDM – how to export vpn profile

    Hey ODS_Twig-

    I think you really want to do this from the client machine.

    I’m assuming this is a Windows machine-

    Create the profile and test it, then:

    Browse to
    -the Program Files folder
    -Cisco Systems
    -VPN Client
    -Profiles

    You’ll see the PCF file you need. Same name!

    To import, just move into the same location on your target machine.

    Job done!

    theterranaut

    theterranaut
    Member
    in reply to: Map drives doesn’t work using VPN #285843

    Re: Map drives doesn’t work using VPN

    Thanks Aarek, all of that is very useful.

    “Yesterday evening I was online with the ISP support from home in order to move things up using the VPN and here is what I learned.
    once you connected to the PIX you’ve been given an IP address that starts with 172.16.X.X with subnet 255.255.0.0 (not the same as our local one – 192.168.0.1 with subnet 255.255.255.0 – class C )”

    Thats fine, shouldn’t make any difference.

    “-The Pix is handled by the ISP.
    – according to the guy of the support once you connected you can work freely
    although he still insists that the DC is not involved yet so this is the reason I don’t have permissions.”

    You DO have permissions. I think he’s wrong! These laptops have both machine and user accounts within the domain. The machine account will not authenticate in the manner it will on a LAN, but the user account will.

    “- the laptops are connected to the network almost on a daily basis (we are talking about workaholics that continue to work at home.)

    is that possible to check the credentials ?”

    Brilliant, so we know they work.

    “one last thing – while I was on the phone with this guy we managed to create a new map drive like this: right click on “My Network Places” – writing \\server-IP-address\share
    and then connect using a different name..
    It works like that – but the problem – all my maps are working with a script running from the server when users log in to the network.
    Now I was thinking maybe to create them a login script that they can activate at home once they are connected to the VPN….”

    I see, so you can map to a resource using a UNC path.

    I’m wondering if this is something to do with the way the ‘Map Network Drives’ mechanism works in Windows. As I’d said in an earlier post, I’m sure this still uses Netbios, which, IIRC, is a broadly broadcast-based (anyone else care to step in here?) method. The PIX is handing out a routable IP address to your users, but only in the sense that, if the PIX wasn’t there and the VPN was down, this ‘routed link’ would not exist. And, of course, routers in the main stop broadcasts…

    I will investigate the issue further, but I’ve a hunch that this is what is happening, if you can connect via UNC.

    theterranaut

    theterranaut
    Member
    in reply to: Alcatel SpeedTouch Home with 3Com wireless router #285842

    Re: Alcatel SpeedTouch Home with 3Com wireless router

    Hey all,

    I wonder if we could make the link to the 3Com resource a sticky? Any idea what we would need to do?

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: Map drives doesn’t work using VPN #285841

    Re: Map drives doesn’t work using VPN

    Hi Aarek,

    I cant see this being the problem (unless there’s some domain policy that prevents it.)

    As RobW has said, if the machines in question are domain members, and their credentials have not expired, they should be able to:

    1)power up
    2)log on with ‘cached’ domain credentials
    3)connect to your pix via vpn
    4)connect to their permitted resources

    And if you are lucky, they might even be able to change passwords over the vpn. I know this works; I am currently typing this while connecting over a vpn to my corporate internet proxy doing exactly as above!

    I might be missing something here, so can you tell me/us:

    -does the PIX have a local authentication database it’s using, or are you handing off authentication to some kind of RADIUS server (ie, IAS on your SBS Server)?
    -is the PIX pushing out any kind of firewall policy to the client that you know of?
    -when was the last time the machines actually connected via a LAN, as I gather that sometimes Kerberos can get broken if it does not ‘see’ a machine for a period of time.
    -when connected via vpn, do you get a ‘local’ LAN IP (ie, one from your core network) or another network entirely?

    Things I would try are:
    1)Bring a machine in from the cold and make sure it can connect to the required resources locally (ie, on your LAN.) This will rule out some underlying issue with domain privileges

    2)A bit more involved, but, while connected to the vpn, do a portscan on the SBS server and see what it’s presenting to you. I would think you need to see the relevant Windows ports that negotiate permissions and privileges. For example, our internal DC shows me:

    “42 nameserver” Open
    “53 domain” Open
    “88 kerberos” Open
    “135 epmap” Open
    “139 netbios-ssn” Open
    “389 ldap” Open
    “445 microsoft-ds” Open
    “464 kpasswd” Open
    “593 http-rpc-epmap” Open
    “636 ldaps” Open
    “1025 blackjack” Open
    “1026 cap” Open
    “1045 fpitp” Open
    “1052 ddt” Open
    “1055 ansyslmd” Open
    “1058 nim” Open
    “1068 instl_bootc” Open
    “1071 bsquare-voip” Open
    “1079 asprovatalk” Open
    “2301 cpq-wbem” Open
    “2381 compaq-https” Open
    “3268 msft-gc” Open
    “3269 msft-gc-ssl” Open
    “3372 tip2” Open
    “3389 ms-wbt-server” Open
    “8402 abarsd” Open
    “8400 cvd” Open

    HTH-

    theterranaut

    theterranaut
    Member
    in reply to: Anybody worked on Cisco ASA ? #285840

    Re: Anybody worked on Cisco ASA ?

    Sorry for the belated update, but one other thing that’s just occurred to me.

    The ASA/FOS7.x line has a newer web-based management utility called ASDM (acronym for Adaptive Security Device Manager, IIRC) which replaces the PIX’s old PDM (PIX Device Manager).

    Now, I was never a fan of PDM, and stopped using it after it got me into trouble once. I just found it a flaky, command-ignoring mess, ok for a basic get you up and running config, but for anything a bit more advanced you really had to use the command line. My first experience with FOS 5.x was about 6 months ago, and with trepidation I fired up ASDM to see what it was like.

    What a revelation! I think Cisco have finally created a GUI for the PIX/ASA that does the hardware justice, and one you could probably use every day without fear of it letting you down at the wrong moment. You still need to know how the PIX works- you can still create a config that looks like it should do something but doesn’t- but it’s a major improvement.

    HTH
    theterranaut

    theterranaut
    Member
    in reply to: SIP SPOOFING template for Speedtouch #285839

    Re: SIP SPOOFING template for Speedtouch

    Can’t see one Urish, sorry.

    What about Babelfish or a similar translation service? It might be helpful.

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: Alcatel SpeedTouch Home with 3Com wireless router #285838

    Re: Alcatel SpeedTouch Home with 3Com wireless router

    :beer: :beer: :beer: :beer:

    theterranaut
    Member
    in reply to: Map drives doesn’t work using VPN #285837

    Re: Map drives doesn’t work using VPN

    Thanks Aarek,

    Do you think you could manage to let me see the config on your PIX?

    regards,

    theterranaut

    theterranaut
    Member
    in reply to: Map drives doesn’t work using VPN #285836

    Re: Map drives doesn’t work using VPN

    Thanks Aarek,

    Over UDP should be fine.

    Can you find the config for the PIX and post it here? A sketch of your topology would be useful as well.

    regards

    theterranaut
