Educating the world

Our blog has over 10,000 readers a month

Configuring a permanant DHCP reservation on a Cisco ASA/PIX

February 2nd, 2013

One of our offices uses a Cisco ASA/PIX and we want to manage all the IP address allocations with DHCP. The main benefit of this is that the dynamic IP address allocations can be managed centrally. If we change the default gateway of the network then no one needs to make any changes to the network settings on their devices.

Each device on the network gets an IP address when they ask for it and keeps it for a fixed amount of time called a lease. When that time has expired the device releases the address and asks for another. In most cases the device will be given the same information again by the DHCP server.

If you have a network with a lot of laptops, phones, tablets or printers then devices will come and go quite frequently. You will find that if you switch off the device for any amount of time it will come back with a different address. For laptops and personal devices this doesn’t matter. However if the device is a shared resource like a printer or file server then it can be a problem. Anyone who still wants to use that shared resource now needs to know about its new address.

We want to be able to tell the DHCP server that while it can allocate IP addresses from a certain pool we want to make sure that it can only allocate some of them to specific network devices. This will ensure that if a printer goes for repair and comes back in a week, when it’s switched back on it will have the same IP address that it always had.

Unfortunately there isn’t a structured way of doing this with a Cisco ASA/PIX so we need to find a work-a-round.

The following instructions describe how to do this but they also describe how to get into the administration section of the Cisco ASA/PIX because most of the instructions (on the internet) assume you know how to do this already. There is a strong argument that you should know what you are doing before you play with a router/firewall’s configuration but if your network man is on holiday then you might have to get your hands dirty yourself.

There are various GUIs to help with this kind of administration and that’s fine if you are at the customer’s site but most of the time I’m not. Short of connecting to the VPN and using the management console the easiest way is to go in on the command line using telnet.

In the following scenario we have been told that the printer is set to use DHCP and its current IP address is 192.168.1.69. We want to add that to the pool and make sure it is given the same IP address each time.

So connect to the Cisco ASA/PIX. There’s no user name only a password, so enter the user level password:

host# telnet 192.168.1.254
User Access Verification

Password: ***
Type help or ‘?’ for a list of available commands.
cisco>

Once logged in we need to switch to the administration mode.

cisco> enable
Password: ***

The user told us the printer was currently switched on so we can read the router’s Address Resolution Protocol table which lists the mappings between IP addresses and Media Access Control address (MAC address or address network card address). We’ll need the MAC address as it is the reference the router talks to whereas the IP address is only an abstraction.

cisco# show arp
inside 192.168.1.69 0c1b.ae43.bd21

Now we can check that the 192.168.1.69 address is in the pool of DHCP addresses

cisco# show running-config dhcpd
dhcpd address 192.168.1.20-192.168.1.70 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd domain 360inspire.com interface inside
dhcpd enable inside
!

which it is and we can check that the MAC address is not currently assigned to anything else.

cisco# show running-config arp
cisco#

Our sanity checks are ok so we are ready to proceed with the update. We must enter the configuration section by specifying that we will change the configuration from the terminal.

cisco# configure terminal
cisco(config)#

Once in the configuration section we can start changing the settings. The following line says that when we see the MAC address 0c1b.ae43.bd21 we are going to statically refer to it with the IP address of 192.168.1.69. The Cisco ASA/PIX knows that this is already in the DHCP pool and won’t allocate it again.

cisco(config)# arp inside 192.168.1.69 0c1b.ae43.bd21

We can check the change has been added with the following command:

cisco(config)# show running-config arp
arp inside 192.168.1.69 0c1b.ae43.bd21
cisco(config)#

If you have miss-typed or you would like to remove an old entry you can do so by prefixing the existing command with no. For example:

no arp inside 192.168.1.69 0c1b.ae43.bd21

The changes are currently only made in memory, so we need to write the current running configuration down to disk.

cisco(config)# write mem
Building configuration…
Cryptochecksum: 389f1812 7c29dd7b 50ad4ca0 4ce3fd5e

4396 bytes copied in 1.480 secs (4396 bytes/sec)
[OK]
cisco(config)#

And finally the job is done so we exit cleanly

cisco(config)#
cisco(config)# exit
cisco# exit

Logoff

Connection closed by foreign host.

Rebooting the printer will result in the printer coming back with the same IP address.

Many thanks to goldplated for his original article.

Installing OpenVPN Client on MacOs Mountain Lion

January 18th, 2013

There are several OpenVPN clients for MacOS but the most popular one is Tunnelblick. At the time of writing the latest stable version is 3.2.8 but there is a red health warning saying that it’s not recommended for OS X 10.8 ("Mountain Lion"), where as the previous stable version 3.3beta21b version is. Yeh, weird that!

Version 3.3beta21b had one problem with launching the VPN tunnel, it couldn’t find the configurations specified in the .opvn configuration file. First we’all go through how to install it and then how to get around the bug with launching it.

  1. Your VPN administrator will have given you a zip file containing your OpenVPN configuration. It will have a name like
    yourname-12345.zip.
  2. Finder will automatically unpack it and create a folder called
    yourname-12345
  3. Go to Tunnelblick’s download page:
    http://code.google.com/p/tunnelblick/wiki/DownloadsEntry
    and download Tunnelblick 3.3beta21b.
  4. Launch the download.
  5. Double-click the Tunnelblick.app icon.
  6. Click I have configuration files.
  7. Click OpenVPN Configuration(s).
  8. Click Open Private Configuration Folder.
  9. The Finder will open.
  10. Drag the youname-12345 configuration folder to the same place where you see the Launch Tunnelblick icon.
  11. Click Done.
  12. Click Do not check for a change.
  13. Click Don’t check for automatic updates. The latest version is not compatible with Mountain Lion so we don’t want your Mac to automatically install it!

If you go up to the greyed out tunnel icon next to the time on the menu bar and click it you can select yourname-12345->Connect <VPN name>. It will pop up a message saying:

Warning!
Tunnelblick was unable to start OpenVPN to connect yourname-12345/<VPN name>. For details, see the OpenVPN log in the VPN Details… window

Click the greyed out tunnel icon again and select VPN Details. For the sake of those people googling (searching) for a solution here is the error message from the log to bring you in!

2013-01-18 00:49:41 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.3beta21b (build 3114.3185)
2013-01-18 00:49:41 *Tunnelblick: Attempting connection with yourname-12345/vpn-name; Set nameserver = 1; monitoring connection
2013-01-18 00:49:41 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start yourname-12345/vpn-name.ovpn 1337 1 0 0 0 49 -atADGNWradsgnw
2013-01-18 00:49:42 *Tunnelblick:

Could not start OpenVPN (openvpnstart returned with status #242)

Contents of the openvpnstart log:

OpenVPN returned with status 1, errno = 2:
No such file or directory

Command used to start OpenVPN (one argument per displayed line):

/Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3-alpha1/openvpn
–cd
/Users/username/Library/Application Support/Tunnelblick/Configurations
–daemon
–management
127.0.0.1
1337
–config
/Users/username/Library/Application Support/Tunnelblick/Configurations/yourname-12345/vpn-name.ovpn
–log
/Library/Application Support/Tunnelblick/Logs/-SUsers-Syourname-SLibrary-SApplication Support-STunnelblick-SConfigurations-Syourname-12345-Sclient–vpn-name.ovpn.1_0_0_0_49.1337.openvpn.log
–management-query-passwords
–management-hold
–script-security
2
–up
/Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d -atADGNWradsgnw
–down
/Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d -atADGNWradsgnw
–up-restart
–route-pre-down
/Applications/Tunnelblick.app/Contents/Resources/client.route-pre-down.tunnelblick.sh -m -w -d -atADGNWradsgnw

Contents of the OpenVPN log:

Options error: –ca fails with ‘ca.crt’: No such file or directory
Options error: –cert fails with ‘yourname-12345.crt’: No such file or directory
Options error: –key fails with ‘yourname-12345.key’: No such file or directory
Options error: Please correct these errors.
Use –help for more information.

More details may be in the Console Log’s “All Messages”

Now the fix.

  1. Open a Finder window and go to:
    /Users/username/Library/Application Support/Tunnelblick/Configurations/yourname-12345
  2. Edit the file vpn-name.ovpn
  3. At the bottom of the file you will see the following lines:

    ca ca.crt
    key yourname-12345.key
    cert yourname-12345.crt

  4. The launcher was complaining that it couldn’t find the files so there is something wrong with how the software is working out which directory to look in.
  5. You must change the lines to include the full path to the file.

    ca “/Users/username/Library/Application Support/Tunnelblick/Configurations/yourname-12345/ca.crt”
    key “/Users/username/Library/Application Support/Tunnelblick/Configurations/yourname-12345/yourname-12345.key”
    cert “/Users/username/Library/Application Support/Tunnelblick/Configurations/yourname-12345/yourname-12345.crt”

  6. After the change, it doesn’t matter what the application thinks is the configuration directory as we are using the absolute path to the files instead of a relative one.
  7. Go up to the greyed out tunnel icon and select
    yourname-12345->Connect <VPN name>.
  8. And hay presto, you’re in.

Cloning a VirtualBox machine running CentOS causes network interfaces to fail

January 11th, 2013

When you clone a VirtualBox machine in order to create a new virtual machine (as opposed to creating a back up of an existing machine) then you must check Reinitialize the MAC address of all network cards and use the Full clone type to make sure that the original and the clone don’t share any resources.

After booting the new (freshly) cloned machine you will notice that all the network interfaces are down. Trying to raise them gives you the following:

[root@myhost ~]# ifup eth0
Device eth0 does not seem to be present, delaying initialization.
[root@myhost ~]# ifup eth1
/sbin/ifup: configuration for eth1 not found.
Usage: ifup <device name>

When Linux boots the clone image for the first time it sees the new MAC address. It compares it with the MAC address it has saved for eth0 and realises that they are different. In order to avoid a conflict (in case the old network card comes back), Linux creates a new interface called eth1.

We are running VirtualBox (2.4.6) and don’t have network cards in the virtual machine. We just want it to be the same as the original machine without a lot of faff.

  1. Edit the NIC cache:

    vi /etc/udev/rules.d/70-persistent-net.rules

  2. Delete the line where NAME="eth0″
  3. Find the line with NAME="eth1″ and change eth1 to eth0
  4. Save file
  5. Edit the new interface file:

    vi /etc/sysconfig/network-scripts/ifcfg-eth0

  6. Strip out everything but the bare minimum:

    DEVICE="eth0″
    BOOTPROTO="dhcp”
    ONBOOT="yes”

  7. Save file, then reboot:

    reboot

The virtual machine will come back with eth0 raised and a brand new IP address.

If I didn’t know any better I’d say someone is trying to recreate the behaviour that Windows has if you clone it. Each clone of a windows system remembers all the MAC addresses and names of previous NICs but what it means is that when you clone a system and update the drivers then all your names change back to the default plus one. for example if you rename your “Local Area Connection” to “outbound-if” and clone the system when it boots up on a different host with a slightly different firmware revision or different NIC then when the cloned system boots up, “outbound-if” will not be there “Local Area Connection 2″ will be there instead. You can’t change the device name to “outbound-if” because that name is taken by the system. There is no way to change this.

I think the idea is that those settings are tied to the MAC address (hardware). So when the hardware changes you get a default configuration as standard. In my experience I’ve never had to add extra settings and my hardware changes have always been like-for-like. It has always been a nightmare that has taken ages to fix.

What does Omnishambles mean?

January 5th, 2013

The Oxford Dictionaries UK Word of the Year 2012 was awarded to a word popularised in the BBC2 satirical policial comedy In The Thick Of It. It hasn’t been accepted into the dictionary yet. They have to wait a few years to see if it will take to the language or just get dropped.

Most of the dictionary sites don’t list it because it isn’t really a word yet like tnetennba. There aren’t many definitions that were as descriptive as the one given in the OED’s YouTube clip.

Omnishambles is used to mean any kind of situation which has been mis-managed or mis-handled and is characterised by a series of blunders.

It has derivatives for example omnishamblic.

    It also has one off or sometimes humorous coinages:
  • romnishambles - Mitt Romney’s gaff about not thinking that London was ready to successfully host the 2012 Olympics.
  • omnivorshambles - talking about the proposed badger cull in England and Wales.
  • scomnishambles - talking about Scotland’s place in the E.U. should it become an independent country.

Being in IT I’ve seen plenty of projects go belly up through poor management and mis-handling on all fronts. There have even been a few you might of heard of like the NHS fiasco. If this word had been around in 2007, I think it would have been used to describe this project. Every aspect of this project failed, and they are still dealing with the blunders.

I think this word will be used A LOT !

Free Hydrogen and Oxygen for the World

January 4th, 2013

The trouble with splitting Hydrogen and Oxygen from water is that it takes a lot of energy. This means making Hydrogen fuel cells for cars is not sustainable. Luckily those clever boffins at the Weizmann Institute lead by Prof. David Milstein have developed a brand new way to use photosynthesis to split the water.

Unlimited free Hydrogen and Oxygen, think about how that will change the world? Their will be no need for oil. Make the fuel cells small enough and we could see batteries full of water. You could refill your car from the tap or even more importantly from the rain. Imagine that! In the United Kingdom we’ed never have to stop for “water” again.

According to the Royal Institution’s 2012 Christmas Lectures the scientists have only got it to work with ultraviolet light. The catalyst metals to speed up the process may even be re-generated just by boiling it in water!

When Edison was looking for a material to put in his light bulbs, he went through hundreds of different substances looking for one which could take the current required to heat up and glow without oxidising. He tried everything from his own hair to cotton to gold before finding tungsten. There is a world wide effort to find the correct catalyst metal compound that will allow photosynthesis to work in normal day light. There are a few more variables this time but we’ll get it eventually. I can’t wait to stick it to The [Oil] Man and for the time when I never have to talk to a car mechanic.

You can read more about it here. You’d better put your chemistry head on though!

http://www.sciencedaily.com/releases/2009/04/090406102555.htm
http://www.weizmann.ac.il/Organic_Chemistry/milstein.shtml