Bridging vs Routing Firewalls

A bridging firewall (sometimes called a transparent firewall) is a security appliance that does NOT actively participate in the routing of packets that are allowed by the policies in place to pass through the device.

EBGP Multihop vs IP SLA for failover detection

Recently I have started using a new approach to failover detection that does not rely on IP SLA on Cisco routers. The problems with IP SLA and route tracking objects are non-trivial. In one particular case I have a customer with a 10MB Ethernet feed that goes through a large national carrier. The carrier has a next-hop router in the building, connected by 100 ft or so of Cat5/Cat6. The connection leaves that router and is fiber/SONET all the way to the customer edge routers at the carrier office.

ARP caches on boxes you don't control != fun

The problem: a Cisco ASA was swapped in for a SonicWall firewall. The ASA had a known-to-be-working config, and outbound NAT was working, but inbound sessions to a mail server that had a 1:1 NAT on a different IP than the outside interface of the firewall were failing. After looking closely we realized about half of the static NATs were working: you could ping the static NAT IP and access the TCP services that were allowed via the ACL. In front of the firewall was a managed router, and the ISP had restricted all access to the console/telnet/SSH on the router.

The importance of busybox

Busybox is a Swiss Army knife utility that is very useful for system recovery. Recently I had a server with a SCSI backplane issue that caused SCSI drives to "fail" and remove themselves from the kernel. The drives were tested in other servers and worked fine, and this was happening with multiple different drives. Before we determined it was the server backplane, though, we were doing a migration of data:

sda: OS
(sdb, sdc) md1: data, virtual servers, databases

Cisco VTP and Switch Migration

Cisco docs state that you can have more than one VTP server in a VTP domain and that VLAN updates made on one server will propagate to the other switches and their VLAN configuration.

Problem: We have a scenario where two switches that are in different VTP domains need to be migrated so that they are both in the same VTP domain. Will the VLAN information be corrupted when they are joined? What about if the VLAN names and VLAN IDs are manually matched on both switches first?

Answer: The switch with the higher config revision will overwrite the config of the other. Run `sh vtp status` and look for the config rev:

Cisco Pix Failover Upgrade

Ran into a small issue with a PIX upgrade: 2 PIXes running 6.3.3 configured for failover, with config synced. Upgraded the standby box to 6.3.5 and rebooted. The active box remained active and took down the failover since the OS versions no longer matched (6.3.3 vs 6.3.5). Then upgraded the active PIX, and when it rebooted the standby took over. When the original active PIX came back up, though, the 2 PIXes started fighting over who was the active PIX, and the public and inside IPs would switch back and forth between the boxes as they battled to take over.

OpenDNS and EMail-Delivery Problems

We have encountered a strange problem sending email to users at several sites running Microsoft Exchange and OpenDNS. No SMTP errors were seen in the logs; the emails simply stay in the queue, time out, and generate a basic "unable to contact server" NDR.

Comcast SMC Router Issues - Smart Packet Detection

Symptoms: Intermittent success reaching a website, or high numbers of TCP retransmits when looking at a packet dump. Possible problems with IPsec client VPNs running over UDP or even TCP. This does not seem to be as much of an issue with site-to-site IPsec VPNs behind Cisco ASAs and OpenBSD firewalls (as of yet), but we are still tracking this issue.

Fix: Go to the SMC router web admin tool, log in with the username cusadmin and password highspeed, and disable Gateway Smart Packet Detection.

More info:

Linux eth0 not present issue

In Debian Lenny (stable as of 2009) this file contains mappings for Ethernet drivers that will be persistent across boots: /etc/udev/rules.d/70-persistent-net.rules

If you change NICs (a Netgear natsemi for an Intel e100, for example), you will need to edit this file and remove the stanza for the old card (1 comment line and 1 device line that begins with SUBSYSTEM=="net",....). Reboot, and the new NIC should be detected as eth0.

Cisco Policy Route with IP SLA Failover

Customer has 2 physical circuits: Comcast Business Cable with 1 static IP, and a multi-T1 bundle to Verizon Business. Comcast will be used as the primary egress for internet browsing. Inbound email, web, and RDP services are mapped via static NATs on a Cisco ASA that handles the Verizon connection. The Comcast connection has its own ASA for firewalling. Traffic needs to be sticky (i.e. it must go back out the same firewall it came in on, or else the stateful packet inspection on the ASAs as well as the outbound NATs will break and the traffic will drop).