Barracuda – Outbound SMTP Host/Smart Host in Build 3.5.12.012

When upgrading from a build older than 3.5.12.012 to build 3.5.12.012 or above, pay attention to the Outbound SMTP host/Smart host configuration. The picture below shows the configuration option.

(Screenshot: BASIC > Administration > SMTP host/Smart host configuration option)

The release notes tell the following:

Fix: Now honors outbound BASIC > Administration > ‘SMTP host/Smarthost’ for mail delivery when relaying (recipient domain is not on the box). Before this, the system would only deliver quarantine messages and bounce messages to the smarthost. [34421]

When upgrading to firmware version 3.5.12.012 or higher, a number of customers have been caught out by a change in the operation of the SMARTHOST setting. This option used to route only notifications and reports from the Barracuda. On the new firmware, if anything is entered in the smart host field, ALL outbound mail is forwarded via it.

Multiple customers had entered the internal mail server in this field to get the notifications and reports delivered. After upgrading, those customers weren’t able to send mail. The reason is simple: all outbound mail is trapped in a loop.

The internal mail server sends the mail to the Barracuda and the Barracuda, as the smart host setting specifies, sends the mail straight back to the internal mail server. You have to clear the smart host field unless you explicitly need all outbound mail to go via a smart host.
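As an added example (not code from the original post or from Barracuda), the routing change described above modelled in a few lines of Python, so the loop can be spotted before the firmware is upgraded. The hostnames, the config layout and the version comparison are constructed for the example.

```python
# Added example (not from the original post or Barracuda): a small model of
# the routing change described above, so the loop can be spotted before the
# firmware is upgraded. Hostnames and the config layout are constructed.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BarracudaConfig:
    smart_host: Optional[str]    # BASIC > Administration > 'SMTP host/Smarthost'
    domains: Dict[str, str]      # accepted local domain -> internal destination server
    firmware: str                # e.g. "3.5.11.020" or "3.5.12.012"


def honors_smarthost_for_relay(firmware: str) -> bool:
    """From build 3.5.12.012 on, relayed mail (recipient domain not on the box)
    is delivered via the smarthost too; before that only quarantine and bounce
    messages were."""
    return tuple(int(p) for p in firmware.split(".")) >= (3, 5, 12, 12)


def next_hop(cfg: BarracudaConfig, recipient_domain: str, kind: str) -> str:
    """Where the Barracuda delivers a message.

    kind is 'user' for mail relayed on behalf of the internal server, or
    'quarantine'/'bounce' for messages the Barracuda generates itself.
    """
    if recipient_domain in cfg.domains:          # inbound to a local domain
        return cfg.domains[recipient_domain]
    if cfg.smart_host and (kind != "user" or honors_smarthost_for_relay(cfg.firmware)):
        return cfg.smart_host
    return "mx:" + recipient_domain              # direct MX delivery


def upgrade_loop_risk(cfg: BarracudaConfig, new_firmware: str) -> bool:
    """True if, after moving to new_firmware, outbound user mail would be handed
    back to one of the internal servers the box already delivers inbound mail
    to, i.e. the mail loop described in the post."""
    upgraded = BarracudaConfig(cfg.smart_host, cfg.domains, new_firmware)
    hop = next_hop(upgraded, "example.net", "user")   # any non-local domain
    return hop in cfg.domains.values()


# Constructed sample: the smart host field was pointed at the internal
# mail server just to get notifications and reports delivered.
SAMPLE = BarracudaConfig(
    smart_host="mail.corp.example",
    domains={"corp.example": "mail.corp.example"},
    firmware="3.5.11.020",
)

if __name__ == "__main__":
    print("bounce now goes to  :", next_hop(SAMPLE, "example.net", "bounce"))
    print("user mail now goes to:", next_hop(SAMPLE, "example.net", "user"))
    print("loop after upgrade?  :", upgrade_loop_risk(SAMPLE, "3.5.12.012"))
```

Run against the sample, the pre-upgrade box still delivers user mail directly to the recipient's MX, while `upgrade_loop_risk` reports that the same configuration on 3.5.12.012 would hand that mail back to the internal server.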

Juniper SA – Host Checker

Security is getting more and more important. I notice that IT managers in particular would like to implement some kind of security measures to improve the safety of their network and data. Lately I have been busy configuring a Juniper SA solution. The customer wants to publish different kinds of services through the Juniper SA to his employees and suppliers, for example file sharing and full IPsec tunnels. When file sharing and full IPsec tunnels are used, a virus scanner is required on all workstations connecting to the customer’s network through the Juniper. Juniper provides an option to configure a Host Checker that checks whether the client has a (specific) virus scanner. This kind of predefined check only works with Windows clients.

I wanted to configure a predefined Host Checker policy for all Windows clients connecting to the Juniper SA box. The configured policy checks every Windows client for a virus scanner supported by Juniper. This works perfectly, but I noticed that all Linux and Mac OS X users weren’t able to connect anymore. When configuring a Host Checker policy for Windows, you also have to configure a policy for users of other operating systems, like Linux and Mac OS X.

I didn’t know which policy to configure for these users, because the outcome of the policy check should always be positive. There is an option to check for the presence of a specific file. This gave me the idea to configure a dummy file check for Linux and Mac OS X clients. The dummy file check has the following properties:

(Screenshot: Host Checker dummy file policy)

The policy checks for the presence of the file mac_dummy_file. To pass the host checker test, the file must NOT be present on the client. I configured a similar rule for Linux clients. With the policies configured like this, all Windows clients are checked for the presence of a virus scanner and the Linux and Mac OS X hosts are checked for the dummy file. Normally the dummy file doesn’t exist on Linux / Mac OS X clients, so they are always allowed access to the Juniper.

I guess it’s a nice workaround….

Netstat on IOS router

I often use the netstat command on a Windows machine to check on which IP addresses and/or ports a server or workstation is listening or has established connections.

By accident I found a similar command for a Cisco IOS router while I was looking through the CLI. Check out the output below:

Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:23     10.10.8.181:3682                   Telnet ESTABLIS
udp                 *:67                  *:0            DHCPD Receive   LISTEN
udp              *:50015                  *:0                  IP SNMP   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
udp                *:162                  *:0                  IP SNMP   LISTEN
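As an added example (not code from the original post or from Cisco), a small Python parser for the `show control-plane host open-ports` table above, the kind of thing a hardening review runs over the output of many routers to list management listeners and who is currently connected to them. The sample text is a copy of the output shown above; the service list in `REVIEW_SERVICES` is my own choice for the example.

```python
# Added example (not from the original post or Cisco): parse the output of
# 'show control-plane host open-ports' so a hardening review can see which
# management listeners and sessions the router has. Sample text is a copy of
# the output shown above.
import re
from typing import Dict, List, Tuple

SAMPLE_OUTPUT = """\
Router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot        Local Address      Foreign Address                  Service    State
tcp                 *:22                  *:0               SSH-Server   LISTEN
tcp                 *:23                  *:0                   Telnet   LISTEN
tcp                 *:23     10.10.8.181:3682                   Telnet ESTABLIS
udp                 *:67                  *:0            DHCPD Receive   LISTEN
udp              *:50015                  *:0                  IP SNMP   LISTEN
udp                *:161                  *:0                  IP SNMP   LISTEN
udp                *:162                  *:0                  IP SNMP   LISTEN
"""

# proto, local, foreign, service (may contain spaces), state
LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(.+?)\s+(LISTEN|ESTABLIS\w*)\s*$")


def parse_open_ports(text: str) -> List[Dict[str, object]]:
    """Turn the table into a list of dicts; prompt and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, local, foreign, service, state = m.groups()
        entries.append({
            "proto": proto,
            "local": local,
            "foreign": foreign,
            "port": int(local.rsplit(":", 1)[1]),
            "service": service,
            # IOS truncates the State column ("ESTABLIS"); normalise it
            "state": "ESTABLISHED" if state.startswith("ESTABLIS") else state,
        })
    return entries


# Listeners a hardening review looks at first: Telnet is cleartext, and SNMP
# listeners are only as safe as their version and community configuration.
REVIEW_SERVICES = {"Telnet", "IP SNMP"}


def review_listeners(entries) -> List[Tuple[str, int]]:
    """(service, port) pairs in LISTEN state that belong to REVIEW_SERVICES."""
    return sorted({(e["service"], e["port"]) for e in entries
                   if e["state"] == "LISTEN" and e["service"] in REVIEW_SERVICES})


def established_sessions(entries) -> List[Tuple[str, str]]:
    """(service, remote endpoint) for every established session, e.g. who is
    logged in over Telnet right now."""
    return [(e["service"], e["foreign"]) for e in entries if e["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    rows = parse_open_ports(SAMPLE_OUTPUT)
    for svc, port in review_listeners(rows):
        print(f"review:  {svc} listening on port {port}")
    for svc, peer in established_sessions(rows):
        print(f"session: {svc} from {peer}")
```

On the sample output this lists the Telnet and SNMP listeners and the one active Telnet session from 10.10.8.181, which is exactly the information you would otherwise read by eye from the table.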

GRE over IPsec with Cisco ASA

In different scenarios it is required to configure some kind of routing protocol between two offices, where the routers should appear directly connected to each other. Normally I configure an IPsec VPN between the two offices and an additional GRE tunnel over the IPsec VPN tunnel. That way the routers look directly connected and adding a routing protocol is no problem.

In the past I have noticed several times that the GRE tunnel doesn’t come up when a Cisco PIX or Cisco ASA firewall is in the path. With software version 6.x on the PIX or 7.x on both hardware platforms, there is a workaround using the following command:

clear local-host <remote peer>

Cisco has reported this bug in BugID CSCse36327:

The IPSEC tunnel was previously working and either one of the following events occurred:
1. the crypto map and/or isakmp has been removed and reapplied to the interface
2. the PIX/ASA is upgraded from version 6.x to version 7.x
3. the PIX/ASA is rebooted
4. The remote IPSEC peer/s is rebooted

All events except 1 occur when a dynamic crypto map is used without a match address statement.
This typically affects only GRE traffic.

In PIX/ASA 7.x, GRE encryption may stop working (GRE packets are sent in clear) after removing and reapplying the encryption. This behaviour is by design in 7.x. If encryption is disabled but GRE packets are coming to the PIX in this time, GRE session is created on the PIX and marked as clear-text one (“do not encrypt”). When encryption is applied back, non-encrypted GRE session still exists on PIX and GRE packets that should be encrypted still bypass crypto map until old session is timed out or deleted. If there is a dynamic routing (OSPF/EIGRP/etc) running over GRE, this GRE session may never timeout and should be cleared manually.

In PIX/ASA 8.0.2, new functionality was introduced with new CLI command: “sysopt connection reclassify-vpn”. Default state is disabled. If this command is enabled, then enabling encryption causes non-encryption sessions to be dropped and reestablished with encryption.

So, as mentioned above, there is a new command in 8.0.2: sysopt connection reclassify-vpn.

There is also an entry on the Cisco Support Wiki about this problem. Next time I will try this new command.
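As an added example (not configuration from the original post or from Cisco), here is a constructed ASA crypto map fragment that puts together the two points from the bug note: a static map entry with an explicit match address for the GRE traffic between the two routers, and the 8.0.2 reclassify command so stale clear-text GRE sessions are re-evaluated when encryption comes back. All addresses are documentation ranges standing in for the real endpoints; the IKE policy, tunnel-group with pre-shared key and NAT exemption are assumed to exist and are left out.

```cisco
! Added example, not from the original post or Cisco. Addresses are
! documentation ranges (192.0.2.10 = local router, 198.51.100.10 = remote
! router, 203.0.113.1 = remote ASA); replace with your own.
! The routers behind each ASA terminate the GRE tunnel, the ASAs encrypt it.
!
! Explicit match address for the GRE flow. The bug note says the clear-text
! session problem shows up with a dynamic map that has no match address.
access-list GRE-TO-BRANCH extended permit gre host 192.0.2.10 host 198.51.100.10
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address GRE-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! 8.0(2) and later, disabled by default: when encryption is (re)applied,
! existing clear-text sessions are dropped and re-established encrypted,
! so the manual 'clear local-host <remote peer>' from the post is not needed.
sysopt connection reclassify-vpn
```

The point of the ACL is that an EIGRP or OSPF adjacency over the GRE tunnel keeps the session alive indefinitely, so a session that was once classified as clear text never ages out on its own; the match address and the reclassify option are the two ways to keep the firewall from letting that traffic bypass the crypto map.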

www.booches.nl on a Synology DS107+

I wanted to buy a new USB disk for backing up all my files, but I didn’t know what to buy. A storage consultant told me about the Synology products. Together with some colleagues I looked at the different products, and in the end we narrowed our search down to the Synology DS107+. This is a NAS with a web server based on Apache and some other nice “tools”.

I started to play a little with the web server. At first I only found the option to run one single website, but I run more than one website. So I started to look at different forums for modifying the configuration. In the end I found an article that described how to configure the HTTPD daemon for virtual hosts.

I took the following steps to enable the usage of virtual hosts:

  1. Edit the file /usr/syno/apache/conf/httpd.conf-user
      – Uncomment the line: Include conf/extra/httpd-vhosts.conf
  2. Create the file /usr/syno/apache/conf/extra/httpd-vhosts.conf
      NameVirtualHost *:80

      <VirtualHost *:80>
      ServerName www.booches.nl
      DirectoryIndex index.php index.html index.htm index.shtml
      DocumentRoot /volume1/websites/www
      <Directory "/volume1/websites/www">
      AllowOverride all
      </Directory>
      </VirtualHost>

      <VirtualHost *:80>
      ServerName os3.booches.nl
      DirectoryIndex index.php index.html index.htm index.shtml
      DocumentRoot /volume1/websites/os3
      <Directory "/volume1/websites/os3">
      AllowOverride all
      </Directory>
      </VirtualHost>

      <VirtualHost *:80>
      ServerName www.emmastraat32.nl
      DirectoryIndex index.php index.html index.htm index.shtml
      DocumentRoot /volume1/websites/emmastraat
      <Directory "/volume1/websites/emmastraat">
      AllowOverride all
      </Directory>
      </VirtualHost>

  3. Restart the HTTPD daemon
      /usr/syno/etc/rc.d/S97apache-user.sh restart
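As an added example (not code from the original post or from Synology), a small Python parser and linter for an httpd-vhosts.conf in the shape created in step 2, meant to be run before the restart in step 3. It checks that every virtual host has a ServerName and a DocumentRoot under the websites volume, flags typographic quotes that survive a copy/paste into a Directory path (Apache will not find such a directory), and points out where AllowOverride all hands control of the server configuration to any .htaccess in that tree. The hostnames in the sample are constructed; the paths follow the post.

```python
# Added example (not from the original post or Synology): a small parser and
# linter for an httpd-vhosts.conf in the shape shown above, run before the
# restart in step 3. Hostnames are constructed; the paths follow the post.
import re
from typing import Dict, List, Optional

SAMPLE_VHOSTS = """\
NameVirtualHost *:80

<VirtualHost *:80>
ServerName www.example.net
DirectoryIndex index.php index.html index.htm index.shtml
DocumentRoot /volume1/websites/www
<Directory "/volume1/websites/www">
AllowOverride all
</Directory>
</VirtualHost>

<VirtualHost *:80>
ServerName blog.example.net
DocumentRoot /volume1/websites/blog
<Directory "/volume1/websites/blog">
AllowOverride None
</Directory>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIR_RE = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S | re.I)


def directive(block: str, name: str) -> Optional[str]:
    """Value of the first 'name ...' line in block, or None if absent."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", block, re.M | re.I)
    return m.group(1) if m else None


def parse_vhosts(text: str) -> List[Dict[str, object]]:
    """One dict per <VirtualHost> block with its name, root and Directory overrides."""
    hosts = []
    for listen, body in VHOST_RE.findall(text):
        dirs = {path: directive(dbody, "AllowOverride") for path, dbody in DIR_RE.findall(body)}
        hosts.append({
            "listen": listen.strip(),
            "server_name": directive(body, "ServerName"),
            "document_root": directive(body, "DocumentRoot"),
            "directories": dirs,
        })
    return hosts


def lint_vhosts(hosts, web_root: str = "/volume1/websites") -> List[str]:
    """Human-readable findings; an empty list means nothing to fix before restarting."""
    findings = []
    for h in hosts:
        name = h["server_name"] or "<no ServerName>"
        if h["server_name"] is None:
            findings.append(f"{name}: missing ServerName")
        root = h["document_root"]
        if root is None or not root.startswith(web_root + "/"):
            findings.append(f"{name}: DocumentRoot {root!r} is outside {web_root}")
        for path, override in h["directories"].items():
            if any(ord(c) > 127 for c in path):
                findings.append(f"{name}: non-ASCII characters in Directory path {path!r} "
                                "(typographic quotes from copy/paste?)")
            if override and override.lower() == "all":
                findings.append(f"{name}: AllowOverride all on {path}: any .htaccess in "
                                "that tree can change the server configuration")
    return findings


if __name__ == "__main__":
    for finding in lint_vhosts(parse_vhosts(SAMPLE_VHOSTS)):
        print(finding)
```

On the sample it reports only the AllowOverride all on the first host; feeding it a block whose Directory line was pasted with curly quotes produces the non-ASCII finding, which is the mistake that is easiest to make when copying the configuration above from a web page.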

For WordPress to work I had to create a database in MySQL. This is simple with the MySQL command line. It has been a long time since I played with MySQL, but it was fun nevertheless (Man, I sound like a computer geek….). I created the same user credentials for the WordPress database and added them to the WordPress configuration file.

Next I reconfigured the static NAT entry on my Cisco 877W router, so you are all directed to the correct inside host. Now I am wondering whether the NAS holds up, and I am especially interested in its performance. As far as I have noticed, the performance is lower than that of my IIS web server. I give it the benefit of the doubt for the time being… or else it is back to my IIS web server.