StaticNAT

From a Network Engineer’s point of view this is exactly what is wrong with todays home networking methodology. Every night when I get home from work I follow the same rough routine. I plop down on the couch power on my laptop and connect to my home network via wireless. After doing so I check my connection logs for the day to my AP, my overall bandwidth usage via PRTG and my syslog server messages from my firewall. I do this to ensure that all is well on my little spoke of the internet. But I know for a fact that those of us who perform this little daily dance are in the minority. Instead what you get is scores of people purchasing wireless routers and just throwing them on their cable or DSL modem and going on with life, like they didn’t just leave their front door open with a big neon WELCOME HACKERS sign over it. Read the rest of this entry »

From time to time I’ll just post these quick little snippets of code. Honestly, this is so I have a reference for them in the future. This set comes from troubleshooting why my VPN would connect but not allow me to see the networks I had allowed in my VPN GROUP ACE.

This command allows the ASA to detect VPN clients behind NAT device’s and encapsulates the traffic into UDP on port 4500. Click on the command to see the detailed description and usage of this command.

crypto isakmp nat-traversal 20

sysopt connection permit-vpn

Wow…crazy past few days.  We have had lots of snow and bitter cold temperatures here in Ohio this week.  That has led most of my education clients to be closed since Monday.  While this may not be great for them it has allowed me to get into their buildings and perform some major upgrades that have been stalled to activities in buildings.  However I guess while I was transitioning a school to a new IP address scheme and implementing routing and VLANs the a big chunk of the internet got slammed.  I only bring this up because as we speak I am connected using my XV6700 as an EVDO modem because it appears my education clients are down due to a DDOS attack upstream of them.  Not allot more to say just figured I would cover yesterdays story and throw in my current headache.  However the one good point is that I have proven my investment in my XV6700 as valid as a source for testing VPNs and as emergency internet access during outages.

We I am still behind in getting configs published. But please know that they are coming. This is a hobby for me and like most hobbies it is lower in my priority queue than work and family. One of the items that took priority this week was a conversion from a pair of PIX 515sto ASA-5540s with AIP-20s.

I learned a lot about traffic, hardware limitations and marketing with this project. This whole project started shortly after an upgrade from a DSL to their upstream provider to a 100 Mbit Circuit. Along with the circuit upgrade they customer also started using a WebApp provided by their upstream provider that generated alot of connections but not allot of bandwidth. To make a long story short we ended up having sudden outages that would come and go with no explanation…that is until I checked the connections on thier PIX 515. During outages they were running between 148,000 to 160,000 connections and their pic was designed to handle 120,000. We could have performed connection tuning on the PIX but the client was ready to move on to an ASA. Read the rest of this entry »