Monthly Archives: June 2015

Extraordinary Trance/Ambient Music

Taking a break from my techie writing (and the endless yet unanswered temptations to wax political) I’ve decided to talk about music – one of my favorite things. On any other day, I could be talking about my classic rock collection on vinyl, Pink Floyd lyrics or Led Zeppelin guitar riffs. Today I’m talking about another genre I love, Ambient Trance.

Here are some of my favorite songs – none contain lyrics, because they are good enough to convey emotion without needing them. While some of these songs are pretty different, I can’t help but feel they are more than the sum of their parts. I hope to make this a constantly updated list as I remember and find more!

Boards of Canada – Pete Standing Alone

Not just because my name is in the title, but this song has a simple, subtle melody to it. It has parts that uplift and parts that make you introspective.

Boards of Canada – Everything You Do Is A Balloon

Another Boards of Canada song – I love these guys. It takes a while to get started, but lay back on your couch and close your eyes while listening to this song – I bet you’ll have some amazing memories come back to this wonderful soundtrack.

Richard Devine – Randale

I have to admit, I’ve not really fallen in love with much of his other stuff. But this song is … an amazing journey. It reminds me of my first heartbreak on one hand, and a long weekend as a child playing at a beach-front campground on the other.

Chicane – Offshore

I could include almost everything ever done by Nick Bracegirdle! I’ve been listening to this song for almost twenty years, and it still holds the same amazing feeling it did in 1997.

Moby – Everloving

Moby has a special place in my heart. He’s such a good musician, truly understanding the human connection with the art. This song tears at my heart like flying away from a loved one for the last time, and warms it at the same time like a sunset on the ocean.

Carbon Based Lifeforms – MOS 6581

I dare you to listen to this song and not question everything you know about life.

Symbion Project – Our Breath Shall Intermix

First, I’ll openly admit this isn’t like the others. It takes forever to really start, it’s very slow paced and is almost three different movements in one song. But I’ll be damned if it doesn’t feel like I’m being ripped out of my chair and shown something amazing.

Royksopp – Royksopp Forever

Royksopp does some really, really cool stuff. This song blows their normal work out of the water. An epic summary of just about every gratifying or painful life event I’ve experienced.

H.U.V.A. Network – Cobalt

I discovered this song thanks to Pandora on a long nighttime drive about 6 months ago. Significantly more clubby than my other selections, this song imparts a very cool, calm and mellow energy while you listen.

Service Account Issues with SEPM 12.1.6 on SBS/DC Machine

Quick, quick note on a long and tired day…

In trying to (re)install Symantec’s Endpoint Protection Manager on a client’s SBS server (obviously containing a DC and other roles) I received this message, shamelessly copied from Symantec’s KB article:

SEPM-Error1

The message reads “Symantec Endpoint Protection Manager services require user rights in Windows domain security policies. The management console cannot run until you assign user rights to the services in the specified policies:”. In my case the GPO in question was the Default Domain Controllers Policy, which did not grant the NT Service\semwebsrv and NT Service\semsrv service accounts the SeServiceLogonRight (Log on as a service) user right – unsurprising, since those accounts would never be in that GPO by default.

The catch? I couldn’t add them – the GPO editor won’t let me add the account name because it doesn’t resolve, instead giving me the error “The following accounts could not be validated: NT Service\semsrv”:

SEPM-Error2

Some quick research turned up the sc showsid <servicename> command, which prints the SID of a service’s virtual account. Thinking I’d be slick, I ran sc showsid semwebsrv and sc showsid semsrv, copied the SIDs, pasted them into the GPO in place of the account names, ran gpupdate /force and clicked the “Try Again” button in the Symantec window – problem solved.

SEPM-Error4
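The reason the GPO editor cannot validate NT Service\semsrv is that a service’s virtual account is not an object in the directory at all: Windows derives its SID from the service name. The following is an added example (not from the post or from Symantec) that reproduces what sc showsid prints and renders the resulting user-right line in the form a GPO’s security template (GptTmpl.inf) stores it. The service names semsrv and semwebsrv are the ones from the post; the TrustedInstaller value is a well-known SID used only as a sanity check.

```python
import hashlib
import struct
from typing import Iterable

SERVICE_SID_PREFIX = "S-1-5-80"  # SECURITY_SERVICE_ID_BASE_RID under the NT authority


def service_sid(service_name: str) -> str:
    """Return the SID of the virtual account NT SERVICE\\<service_name>.

    Windows derives it deterministically, which is why it never appears in the
    directory and why the GPO editor cannot "validate" the name: SHA-1 over the
    upper-cased service name encoded as UTF-16LE, split into five little-endian
    32-bit sub-authorities under S-1-5-80. This is what `sc showsid <name>` prints.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    sub_authorities = struct.unpack("<5I", digest)  # 20 bytes -> five DWORDs
    return SERVICE_SID_PREFIX + "".join(f"-{sa}" for sa in sub_authorities)


def user_right_line(right: str, sids: Iterable[str]) -> str:
    """Render a [Privilege Rights] line as stored in a GPO's GptTmpl.inf.

    Security templates store principals by SID with a leading '*', so this is
    the form the pasted SIDs end up in inside the policy.
    """
    return f"{right} = " + ",".join(f"*{sid}" for sid in sids)


if __name__ == "__main__":
    # Constructed usage: the two SEPM services from the post.
    sepm_services = ["semsrv", "semwebsrv"]
    for name in sepm_services:
        print(f"NT SERVICE\\{name}: {service_sid(name)}")
    print(user_right_line("SeServiceLogonRight", map(service_sid, sepm_services)))
```

Because the derivation is deterministic and case-insensitive, the same SID is produced on any machine, so the value pasted into the GPO on the DC will match the account the SEPM services actually run as on the member server.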

Backscatter SPAM

A quick tidbit of information on Backscatter SPAM, as I fix a customer’s servers …

Backscatter SPAM is a way for Mr. Spammer to email Mrs. Victim indirectly. Mr. Spammer sends an email spoofed from Mrs. Victim’s account to a non-existent account on your domain and server. If things are set up (in)correctly, your email server will accept that email, find out it cannot deliver it and then send the email back to what it thinks the sender’s address is – Mrs. Victim – effectively delivering the message while trying to be helpful.

Here’s what a mail queue will look like full of Backscatter SPAM:

Backscatter

You’ll have a bunch of “Undeliverable:” messages sitting in your queue, not delivered because the remote end is refusing them (identifying them as SPAM) with a 400 4.4.7 Message Delayed error. You might even find yourself on a blacklist.

Fixing this is (fortunately) pretty easy on an Exchange server – here’s my four-step fix.

Turn off NDR Reports for External Domains

This is simple. Open the Exchange Admin Console and go to Organization Configuration -> Hub Transport. Once there, a tab for Remote Domains will be visible – click that, and configure each domain as shown:

Backscatter2

(For each remote domain, uncheck Allow non-delivery reports in the Message Format tab)

Turn On Recipient Filtering

Many people disable the Exchange Anti-SPAM options to reduce trouble, but the Recipient Filtering service can only help things – reject emails destined for non-existent mailboxes before you accept the message. In Organization Configuration -> Hub Transport, select Anti-spam. Right-click Recipient Filtering to enable it, then edit it as shown below:

Backscatter1

(In the Blocked Recipients tab, make sure Block messages sent to recipients that do not exist in the directory is checked.)

Clear out your Mail Queue

Open the mail queue viewer appropriate for your Exchange version (Exchange 2007-2013 have it in the Exchange Console) and delete any stuck messages, choosing the option to remove them without sending an NDR (otherwise you generate yet more bounces). Simple enough.

Check for blacklisting

Using a service like MXToolbox, check your IP for blacklist entries and follow each list’s removal process – but only after completing the steps above, or you’ll end up right back on it – and being relisted enough times can result in a permanent ban!
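To make the mechanism described above concrete, here is an added example (not from the post; the queue data, domain and mailbox list are constructed) that does two things: it triages a queue export for the backscatter signature, i.e. many NDRs addressed to external recipients stuck with a 4.4.7 status, and it shows what recipient filtering changes at SMTP time. With filtering on, an unknown local recipient is refused while the spammer’s server is still connected, so there is never a message to bounce to the spoofed address; with it off, the message is accepted and the NDR to the spoofed sender is generated later.

```python
from collections import Counter
from typing import Dict, List

LOCAL_DOMAIN = "example.com"          # constructed: the domain this server accepts mail for
KNOWN_MAILBOXES = {"alice", "bob"}    # constructed stand-in for the recipient directory

# Constructed queue export, modelled on the Exchange queue viewer columns:
# from address | recipient | subject | last error
QUEUE_EXPORT = """\
postmaster@example.com|victim1@remote-a.example|Undeliverable: Cheap pills|400 4.4.7 Message delayed
postmaster@example.com|victim2@remote-b.example|Undeliverable: You won|400 4.4.7 Message delayed
postmaster@example.com|victim3@remote-a.example|Undeliverable: Act now|400 4.4.7 Message delayed
postmaster@example.com|victim4@remote-c.example|Undeliverable: Re: invoice|400 4.4.7 Message delayed
alice@example.com|partner@remote-d.example|Q2 figures|
postmaster@example.com|bob@example.com|Undeliverable: typo in address|
"""


def parse_queue(export: str) -> List[Dict[str, str]]:
    entries = []
    for line in export.splitlines():
        if not line.strip():
            continue
        sender, recipient, subject, last_error = line.split("|", 3)
        entries.append({"from": sender, "to": recipient, "subject": subject, "error": last_error})
    return entries


def is_ndr(entry: Dict[str, str]) -> bool:
    """An NDR generated by this server: sent by postmaster with the standard subject prefix."""
    return entry["from"].lower().startswith("postmaster@") and entry["subject"].startswith("Undeliverable:")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def triage_queue(export: str, local_domain: str = LOCAL_DOMAIN, threshold: int = 3) -> Dict[str, object]:
    """Flag a queue that looks like it is carrying backscatter.

    The signature from the post: NDRs addressed to *external* recipients, stuck because
    the remote side refuses them (4.4.7 retry status). The threshold is arbitrary.
    """
    entries = parse_queue(export)
    stuck_external = [
        e for e in entries
        if is_ndr(e) and domain_of(e["to"]) != local_domain and "4.4.7" in e["error"]
    ]
    return {
        "total": len(entries),
        "ndrs": sum(1 for e in entries if is_ndr(e)),
        "stuck_external_ndrs": len(stuck_external),
        "target_domains": Counter(domain_of(e["to"]) for e in stuck_external),
        "backscatter_suspected": len(stuck_external) >= threshold,
    }


def rcpt_to_response(recipient: str, recipient_filtering: bool,
                     mailboxes=KNOWN_MAILBOXES, local_domain: str = LOCAL_DOMAIN) -> str:
    """SMTP reply this server gives to RCPT TO for an inbound message.

    Filtering on: unknown local users are rejected in-session (550 5.1.1), so the
    sending MTA owns the failure and no NDR is created for the spoofed sender.
    Filtering off: the accept-then-bounce behaviour the post fixes.
    """
    local_part, _, domain = recipient.rpartition("@")
    if domain.lower() != local_domain:
        return "550 5.7.1 Unable to relay"
    if local_part.lower() in mailboxes or not recipient_filtering:
        return "250 2.1.5 Recipient OK"
    return "550 5.1.1 User unknown"


if __name__ == "__main__":
    print(triage_queue(QUEUE_EXPORT))
    print(rcpt_to_response("nobody@example.com", recipient_filtering=False))
    print(rcpt_to_response("nobody@example.com", recipient_filtering=True))
```

Note that the internal NDR to bob@example.com is counted as an NDR but not as backscatter: bounces to your own users are normal, and it is the pile of NDRs leaving for domains you never corresponded with that gets you blacklisted.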


Cisco ASA IPSEC VPN Tunnel (with NAT!)

I’ve been asked about this a number of times on the job. You have to create a VPN tunnel between two ASA devices – using the command line. There’s also a twist – the address space of your device(s) collides with that of someone else the remote side has already peered with, so you’ll need to NAT your device’s IP address(es) when speaking to the remote end.

Take this diagram:
CiscoVPNwithNAT1

Let’s make a few assumptions, then onto the configuration:

  • We’re routing between two hosts on the remote end and one on the local end
  • You’ll be using NAT to present your local host (192.168.1.20) as 192.168.40.97
  • Your remote peer is 205.206.207.50
  • Phase 1: ISAKMP, AES-256 Encryption, SHA1 hashing, Group 5, Lifetime=86400
  • Phase 2: ESP Encapsulation, AES256 Encryption, SHA hashing

My config (with explanations):

Group our remote addresses together:
object-group network REMOTE_VPN_IPs
 network-object 10.20.30.1 255.255.255.255
 network-object 10.20.30.2 255.255.255.255

This ACL is used to NAT traffic below:
access-list REMOTE_VPN_REWRITE extended permit ip host 192.168.1.20 object-group REMOTE_VPN_IPs

This ACL matches traffic for our VPN tunnel - notice the rewritten address:
access-list outside_5_cryptomap extended permit ip host 192.168.40.97 object-group REMOTE_VPN_IPs

This Static NAT statement re-writes traffic to the new address:
static (inside,outside) 192.168.40.97 access-list REMOTE_VPN_REWRITE

We need a transform set for our next statements:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

We're creating a unique crypto map entry (on this ASA, this is the fifth VPN tunnel, so outside_map is assumed to be applied to the outside interface already):
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group5
crypto map outside_map 5 set peer 205.206.207.50
crypto map outside_map 5 set transform-set ESP-AES-256-SHA

We need to create an ISAKMP policy allowing Phase 1 traffic:
crypto isakmp policy 110
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

And our tunnel-group:
tunnel-group 205.206.207.50 type ipsec-l2l
tunnel-group 205.206.207.50 ipsec-attributes
 pre-shared-key Pr3$h@ReDK33
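The one detail that bites people in this configuration is the one called out above: the crypto ACL has to match the translated address, because the static policy NAT is applied before the crypto map is consulted, and a crypto ACL written against the real host never matches. As an added example (not part of the post and not a Cisco tool), the script below parses the configuration from the post and checks that every crypto map’s ACL references the post-NAT address of any policy-NATted host heading to the same destinations. The parser only understands the handful of statement forms the post uses (network object-groups, extended permit ip ACEs, pre-8.3 static policy NAT and crypto map match/peer lines).

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# The configuration from the post, with the explanatory sentences turned into '!' comments.
ASA_CONFIG = """\
! Group our remote addresses together
object-group network REMOTE_VPN_IPs
 network-object 10.20.30.1 255.255.255.255
 network-object 10.20.30.2 255.255.255.255
! Policy NAT ACL: the real host, as seen before translation
access-list REMOTE_VPN_REWRITE extended permit ip host 192.168.1.20 object-group REMOTE_VPN_IPs
! Crypto ACL: must match the translated address
access-list outside_5_cryptomap extended permit ip host 192.168.40.97 object-group REMOTE_VPN_IPs
static (inside,outside) 192.168.40.97 access-list REMOTE_VPN_REWRITE
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group5
crypto map outside_map 5 set peer 205.206.207.50
crypto map outside_map 5 set transform-set ESP-AES-256-SHA
"""

Endpoint = Tuple[str, str]  # ("host", ip) | ("group", name) | ("net", cidr) | ("any", "")


def _take_endpoint(tokens: List[str]) -> Tuple[Endpoint, List[str]]:
    """Consume one source/destination specifier from an extended ACE."""
    kind = tokens[0]
    if kind in ("host", "object-group"):
        return ("host" if kind == "host" else "group", tokens[1]), tokens[2:]
    if kind == "any":
        return ("any", ""), tokens[1:]
    return ("net", str(ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"))), tokens[2:]


def parse_asa(config: str) -> Dict[str, object]:
    groups: Dict[str, List[str]] = {}
    acls: Dict[str, List[Dict[str, Endpoint]]] = {}
    statics: List[Dict[str, str]] = []
    cryptomaps: Dict[Tuple[str, str], Dict[str, str]] = {}
    current_group = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        indented = line.startswith(" ")
        tokens = line.split()
        if not indented:
            current_group = None  # any top-level line ends an object-group block
        if tokens[:2] == ["object-group", "network"]:
            current_group = tokens[2]
            groups[current_group] = []
        elif indented and tokens[0] == "network-object" and current_group is not None:
            groups[current_group].append(str(ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}")))
        elif tokens[0] == "access-list" and tokens[2:5] == ["extended", "permit", "ip"]:
            src, rest = _take_endpoint(tokens[5:])
            dst, _ = _take_endpoint(rest)
            acls.setdefault(tokens[1], []).append({"src": src, "dst": dst})
        elif tokens[0] == "static" and "access-list" in tokens:
            statics.append({"global": tokens[2], "acl": tokens[tokens.index("access-list") + 1]})
        elif tokens[:2] == ["crypto", "map"] and len(tokens) >= 7:
            entry = cryptomaps.setdefault((tokens[2], tokens[3]), {})
            if tokens[4:6] == ["match", "address"]:
                entry["acl"] = tokens[6]
            elif tokens[4:6] == ["set", "peer"]:
                entry["peer"] = tokens[6]
    return {"groups": groups, "acls": acls, "statics": statics, "cryptomaps": cryptomaps}


def _resolve(ep: Endpoint, groups: Dict[str, List[str]]) -> Set[str]:
    kind, value = ep
    if kind == "host":
        return {str(ipaddress.ip_network(f"{value}/32"))}
    if kind == "group":
        return set(groups.get(value, []))
    if kind == "net":
        return {value}
    return {"0.0.0.0/0"}


def _union(aces, key: str, groups) -> Set[str]:
    out: Set[str] = set()
    for ace in aces:
        out |= _resolve(ace[key], groups)
    return out


def check_policy_nat_vs_crypto(config: str) -> List[str]:
    """Return findings where a crypto ACL does not match the post-NAT address; [] means consistent."""
    cfg = parse_asa(config)
    groups, acls = cfg["groups"], cfg["acls"]
    findings: List[str] = []
    for (map_name, seq), entry in cfg["cryptomaps"].items():
        acl_name = entry.get("acl")
        if acl_name is None or acl_name not in acls:
            findings.append(f"crypto map {map_name} {seq}: no usable 'match address' ACL ({acl_name})")
            continue
        crypto_src = _union(acls[acl_name], "src", groups)
        crypto_dst = _union(acls[acl_name], "dst", groups)
        for nat in cfg["statics"]:
            nat_aces = acls.get(nat["acl"], [])
            if not (_union(nat_aces, "dst", groups) & crypto_dst):
                continue  # this policy NAT covers other traffic
            translated = str(ipaddress.ip_network(f"{nat['global']}/32"))
            real = _union(nat_aces, "src", groups)
            if translated not in crypto_src:
                findings.append(f"crypto map {map_name} {seq}: ACL {acl_name} does not match the translated "
                                f"address {nat['global']} produced by static/{nat['acl']}")
            if real & crypto_src:
                findings.append(f"crypto map {map_name} {seq}: ACL {acl_name} matches pre-NAT address(es) "
                                f"{sorted(real & crypto_src)}, which are rewritten before the crypto ACL is evaluated")
    return findings


if __name__ == "__main__":
    print(check_policy_nat_vs_crypto(ASA_CONFIG) or "OK: crypto ACL uses the translated address")
```

Run against the post’s configuration it reports nothing; change the crypto ACL to host 192.168.1.20 (the mistake the author warns about) and it reports both that the translated 192.168.40.97 is missing and that the pre-NAT host can never match. The remote end, of course, must have the mirror image: its crypto ACL should name 192.168.40.97, not 192.168.1.20.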

Hope this helps someone!

Flashing a Cisco 1130AG WAP to Autonomous Mode

The Cisco 1130AG can ship as a lightweight WAP, designed to connect to a Wireless LAN Controller for its configuration and setup. However, sometimes you just want it to act like a basic WAP – this is how you reflash the device as such.

  1. Probably the most annoying/difficult step – download the firmware from cisco.com for your specific model.
  2. Download and install a TFTP Server. I use 3CDaemon, but it appears discontinued. You might try this TFTP Server.
  3. You’ll want to connect a laptop or desktop to the same L2 Collision Domain (same VLAN, etc) as the WAP(s). On that NIC, configure an IP address of 10.0.0.2 (or .3->.30), /24.
  4. Start your TFTP Server. Place the firmware you downloaded in whatever root folder is used by the TFTP software and rename it c1130-k9w7-tar.default (different models will have different file names).
  5. Unplug the device, and then plug it back in while holding the Mode button down. Wait 20 seconds until the R light turns solid red. At this point:
    1. The WAP will assume an IP Address of 10.0.0.1;
    2. It will attempt to download the above filename using TFTP from 10.0.0.2
    3. If it does not connect or see that file, it will repeat for 10.0.0.3 through 10.0.0.30.
    4. Once the file is downloaded, it will flash and reboot to factory defaults.
  6. Check your DHCP Server for a lease matching the device’s MAC address (mine began with 68:EF:BD) and telnet to the device’s IP.
  7. Log in with Username = Cisco, Password = Cisco.
  8. Copy your favorite config file over.

Here’s what the Cisco 1130AG looks like:
Cisco_1130AP

Speaking of which, a typical configuration might look like this:

!
! Last configuration change at 18:15:28 UTC Thu May 14 2015 by Cisco
! NVRAM config last updated at 18:15:31 UTC Thu May 14 2015 by Cisco
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname wap-hostname-here
!
logging rate-limit console 9
enable secret 5 <Redacted>
!
no aaa new-model
ip domain name your-domain.local
ip name-server 192.168.1.10
ip name-server 192.168.1.11
!
!
dot11 syslog
!
dot11 ssid YOUR-SSID-HERE
 authentication open 
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 <Redacted>
!
!
!
username Cisco privilege 15 password 7 <Redacted>
username second-admin privilege 15 password 7 <Redacted>
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers aes-ccm tkip 
 !
 ssid YOUR-SSID-HERE
 !
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
! Management address
interface BVI1
 ip address 192.168.1.12 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
! Syslog server
logging 192.168.1.254
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 login local
!
sntp server 192.168.1.10
sntp server 192.168.1.11
end
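A few settings in that typical configuration are worth a second look before it goes into production, and they are easy to check mechanically. The script below is an added example (not from the post and not a Cisco tool) that splits an IOS-style configuration into sections and applies a handful of review rules of my own: web management offered over plain HTTP only, TKIP still enabled alongside AES-CCMP, vty lines without a transport input ssh restriction (the post telnets to the device), and type 7 strings, which are reversible obfuscation rather than hashes. The configuration embedded here is the post’s, trimmed to the lines the rules look at, with the redactions kept.

```python
import re
from typing import Dict, List

# The autonomous-AP configuration from the post, trimmed to the lines the rules inspect.
AP_CONFIG = """\
version 12.4
service password-encryption
hostname wap-hostname-here
enable secret 5 <Redacted>
dot11 ssid YOUR-SSID-HERE
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 <Redacted>
username Cisco privilege 15 password 7 <Redacted>
username second-admin privilege 15 password 7 <Redacted>
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip
 ssid YOUR-SSID-HERE
 station-role root
interface BVI1
 ip address 192.168.1.12 255.255.255.0
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
logging 192.168.1.254
line con 0
line vty 0 4
 login local
end
"""


def sections(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {top-level line: [indented child lines]}."""
    out: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw.startswith(" "):
            if current is not None:
                out[current].append(raw.strip())
        else:
            current = raw.strip()
            out.setdefault(current, [])
    return out


def review_ap_config(config: str) -> List[Dict[str, str]]:
    """Return findings as {'rule': id, 'detail': text}. The rules are this example's own."""
    cfg = sections(config)
    findings: List[Dict[str, str]] = []

    # Rule 1: HTTP management without the TLS listener.
    if "ip http server" in cfg and "ip http secure-server" not in cfg:
        findings.append({"rule": "http-no-tls",
                         "detail": "web management is offered over plain HTTP only "
                                   "(ip http server / no ip http secure-server)"})

    for line, children in cfg.items():
        # Rule 2: TKIP still offered on a radio interface.
        if line.startswith("interface Dot11Radio"):
            for child in children:
                if child.startswith("encryption mode ciphers") and "tkip" in child.split():
                    findings.append({"rule": "tkip",
                                     "detail": f"{line}: TKIP is still offered ({child}); "
                                               f"aes-ccm alone is the WPA2 cipher"})
        # Rule 3: vty lines not restricted to SSH.
        if line.startswith("line vty"):
            if not any(c.split()[:2] == ["transport", "input"] and c.split()[2:] == ["ssh"] for c in children):
                findings.append({"rule": "vty-telnet",
                                 "detail": f"{line}: no 'transport input ssh', so Telnet logins are accepted"})

    # Rule 4: type 7 strings are reversible obfuscation, so the config file itself is sensitive.
    type7 = re.compile(r"\b(password|ascii) 7\b")
    for line, children in cfg.items():
        for text in [line, *children]:
            if type7.search(text):
                findings.append({"rule": "type7",
                                 "detail": f"'{text}' uses type 7 (reversible), protect the saved config"})
    return findings


if __name__ == "__main__":
    for f in review_ap_config(AP_CONFIG):
        print(f"[{f['rule']}] {f['detail']}")
```

On the post’s configuration this reports all four rule categories; with no ip http server / ip http secure-server, encryption mode ciphers aes-ccm and transport input ssh on the vty lines, only the type 7 finding remains, which on this platform you address by treating the saved configuration (and any backups of it) as confidential rather than by changing the commands.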


Simultaneous VPN Users on Cisco ASA

A quick-and-dirty post for Cisco ASA Users who have people logging in from different devices – say, a doctor’s office with doctors who might like their tablets, laptops and home computers connected all at once…

Normally, they are limited to one simultaneous session per username, but you can change this (per user or via the tunnel’s group policy).

By Username:

test-FW(config)# username example-name password test-password
test-FW(config)# username example-name attributes
test-FW(config-username)# vpn-simultaneous-logins 4
test-FW(config-username)# exit

By Policy:

(Find Policy)
test-FW# show run tunnel-group
[Deleted]
tunnel-group SSLAccess type remote-access
tunnel-group SSLAccess general-attributes
 default-group-policy SSLVPN
tunnel-group SSLAccess webvpn-attributes
 group-alias RemoteUsers enable

test-FW# config t
test-FW(config)# group-policy SSLVPN attributes
test-FW(config-group-policy)# vpn-simultaneous-logins 3

Don’t forget to write mem or copy running-config startup-config!