Apr 29 2009 3:52PM GMT
Posted by: Raj Perumal
Tags: faulty switch, using switch to split Internet, Cisco ASA, dropped packets through firewall, ASDM, Adaptive Security Appliance
So here’s an interesting issue I ran into with my Cisco ASA at home. It was working fine for quite some time and then one day my wife told me that our Internet “was down”. I was on my wireless connection via my laptop at the time, and my wife was using one of our desktop computers. My Internet access was working perfectly, but my connection goes out through a different firewall on my network. My wife was browsing through the Cisco ASA.
I went over to my wife’s desktop computer and I did all the normal Internet connectivity tests. I could communicate with the Cisco ASA fine, but I couldn’t ping outside of my network past the Cisco ASA device. I then ran a recurring ping and I found that every few pings I would get a successful ping, but then the rest would time out. To me that says something was wrong on the external interface.
I went into my server room and checked on the connections because I have multiple firewalls hitting a switch which splits my Internet between them. Turns out the port the Cisco ASA was plugged into was faulty and dropping lots of packets. Bingo, problem solved!
-RP
Apr 29 2009 3:45PM GMT
Posted by: Raj Perumal
Tags: Cisco ASA, SSL VPN, RDP, #ssh, SSL VPN on the road, IPSEC VPN, SSL VPN licenses, Adaptive Security Appliance
So you have probably heard about SSL VPN by now if you are a network administrator. This is the ability to use SSL to make a VPN connection between you and your corporate network. SSL VPN has been around for a long time but I still find that a lot of people haven’t embraced it up here in Winnipeg.
I still see customers using IPSEC VPN for the most part and then when they are on the road travelling with their laptop they have issues connecting back to their corporate network because whichever Internet cafe or airport they are in is blocking the ports required to make the connection. Well there is one port that you can pretty much guarantee will always be left open in an Internet cafe or other public access point and that’s port 443 which is what SSL VPN uses.
With the Cisco ASA, you get 2 free licenses of SSL VPN. It is extremely easy to configure and offers many plugins for VNC, SSH, and even RDP. You basically launch a web browser and connect to your domain name, for example “ssl.yourdomainhere.com”, and then you log in using your credentials, which can be either local or even Active Directory authenticated, and connect to your network. From there you are given a launch web page with a few options on what you would like to connect to. As the administrator you can pre-populate this web page with bookmarks to RDP to servers, or even to SSH into a server. You can even browse the web through the SSL VPN connection instead of your normal one, giving you access to web sites you normally couldn’t reach.
If you own a Cisco ASA, I urge you to try out the SSL VPN functionality; if you like it you can purchase extra licenses for all your users.
-RP
Apr 29 2009 3:27PM GMT
Posted by: Raj Perumal
Tags: Twitter, BlackBerry, TwitterBerry, http://orangatame.com/ota/twitterberry/, RIM
So with Twitter getting more and more popular I finally caved in and decided to try it out. My honest opinion? It’s like Facebook without all the extra stuff. Basically like doing Facebook updates. Having said that, I have tons of friends on Twitter so I finally decided to use it. Also there are many web sites out there that publish RSS feeds through Twitter as well and it’s a neat way to keep up to date.
So where am I going with this? BlackBerries of course! There is an application for BlackBerries called TwitterBerry and it’s quite easy to use! Just download the application from http://orangatame.com/ota/twitterberry/ directly on your BlackBerry and install it, and then when you launch it enter your username and password.
From there you can update your Twitter status on the fly right from your BlackBerry without having to browse to the Twitter web page. You can also get your friends list updates and see what all your buddies are doing. A very small but convenient app for the BlackBerry!
Now if only someone would make an application that crosses over your Facebook and Twitter so if you update one it auto updates the other and syncs the status. That would be great!
-Cheers, RP
Apr 29 2009 3:16PM GMT
Posted by: Raj Perumal
Tags: WAN acceleration, WAN optimization, Cisco, Citrix, WAN Scaler, NetScaler, F5
Hi folks, here’s something that I think we should all pay more attention to…WAN Optimization! There are numerous products on the market for WAN optimization and acceleration, and they do cost a little bit of money but when compared to the long term cost savings of monthly WAN link costs you can start to see the value.
In most cities the telcos also have IT divisions that come in and consult and tell you that you need more bandwidth when you find that data isn’t moving from point A to point B fast enough. Now in some cases this might be very true, but a lot of the time I see people being told to buy bigger/better/faster lines to address their bandwidth issues when, more often than not, the issues could be solved with proper configuration of QoS and the use of WAN acceleration/optimization.
I encourage network administrators to look into the myriad of products out there in this space, from Citrix, F5, and Cisco to name a few. Usually the telcos don’t like it when you suggest products like this because it takes away from their bottom line.
-RP
Apr 29 2009 3:07PM GMT
Posted by: Raj Perumal
Tags: Cisco ASA, implicit rules, outside interface outgoing, inside interface outgoing, outside access out, inside access out, common Cisco ASA issues, ASDM, Adaptive Security Appliance
Hi folks, as you know I’ve been doing a lot of work with the Cisco ASA firewall products lately and I wanted to address an issue I’ve seen a few administrators run into when setting up a new ASA.
Often when you set up an ASA you are not just setting up outbound access for the inside network; you might also want to set some incoming rules for some of your servers, such as web servers or mail servers. The problem I see administrators run into is that after they set up these rules they still can’t get access to the servers from the outside world.
If you take a look at the rules closely, at first glance it seems like everything was configured OK and everything should be working. What I’ve found in these situations is that someone specified an inside interface outgoing rule, or an outside interface outgoing rule. As soon as one outgoing rule is bound to an interface, only the traffic that rule allows is permitted and everything else is implicitly denied. In order to fix this, create a specific rule for the device to allow it out, or just remove all the outgoing rules altogether and then the Cisco ASA will allow it by default. Which way you choose will depend on how you want to secure your network of course. Hope this helps!
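To make the implicit-deny behaviour concrete, here is a small Python model of how an ASA evaluates a new connection against the access lists bound to its interfaces. This is an added example written for this page, not Cisco code or ASDM output: the interface names, security levels, addresses and rules are constructed, and NAT is left out so every address is the one the access list sees. It shows the three outcomes the post describes: one outgoing rule bound on the inside interface silently blocks the other server, an explicit permit fixes it, and removing the outgoing list restores the default.

```python
"""Toy model of Cisco ASA access-list evaluation (added example, not Cisco code).

Models the behaviour the post describes: once one access list is bound to an
interface in a direction, anything that list does not permit is implicitly
denied; with no list bound the ASA uses its security-level default.
All interface names, security levels, addresses and rules are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                      # address or "any"
    dst: str                      # address or "any"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and self.src in ("any", f.src)
                and self.dst in ("any", f.dst)
                and self.dport in (None, f.dport))


@dataclass
class Interface:
    name: str
    security_level: int
    # Lists bound with "access-group NAME in|out interface NAME";
    # None means nothing is bound in that direction.
    acl_in: Optional[List[Rule]] = None
    acl_out: Optional[List[Rule]] = None


def evaluate_acl(rules: List[Rule], f: Flow) -> str:
    """First matching entry wins; every bound list ends in an implicit deny."""
    for r in rules:
        if r.matches(f):
            return r.action
    return "deny"


def asa_decision(ingress: Interface, egress: Interface, f: Flow) -> str:
    """Decide a new connection arriving on `ingress` and leaving via `egress`."""
    # 1. Inbound list on the interface where the packet arrives.
    if ingress.acl_in is not None:
        if evaluate_acl(ingress.acl_in, f) == "deny":
            return "deny"
    elif ingress.security_level <= egress.security_level:
        # No inbound list: the default policy only allows traffic from a
        # higher security level towards a lower one.
        return "deny"
    # 2. Outbound list on the interface the packet leaves through.  This is
    # the "outgoing" rule the post talks about: a single entry here turns the
    # open default into "permit this one thing, deny everything else".
    if egress.acl_out is not None:
        return evaluate_acl(egress.acl_out, f)
    return "permit"


# Constructed scenario: a web and a mail server behind the inside interface,
# both explicitly allowed in by the list on the outside interface.
WEB = Flow("tcp", "198.51.100.7", "10.0.0.10", 80)
MAIL = Flow("tcp", "198.51.100.7", "10.0.0.11", 25)
ONLY_MAIL = [Rule("permit", "tcp", "any", "10.0.0.11", 25)]
BOTH = ONLY_MAIL + [Rule("permit", "tcp", "any", "10.0.0.10", 80)]


def build_scenario(inside_outgoing: Optional[List[Rule]]):
    outside = Interface("outside", 0, acl_in=[
        Rule("permit", "tcp", "any", "10.0.0.10", 80),
        Rule("permit", "tcp", "any", "10.0.0.11", 25),
    ])
    inside = Interface("inside", 100, acl_out=inside_outgoing)
    return outside, inside


def demo(inside_outgoing: Optional[List[Rule]]) -> dict:
    """Decision for each server given the outgoing list bound on inside."""
    outside, inside = build_scenario(inside_outgoing)
    return {"web": asa_decision(outside, inside, WEB),
            "mail": asa_decision(outside, inside, MAIL)}


if __name__ == "__main__":
    print("one outgoing rule bound on inside:", demo(ONLY_MAIL))
    print("explicit permit added for web:    ", demo(BOTH))
    print("outgoing list removed:            ", demo(None))
```

The model only looks at the first packet of a connection, which is also what the ASA does: return traffic for an established connection is handled by the state table and never re-checked against the access lists, so the surprise in the post only shows up for new inbound connections to the server that the lone outgoing rule does not mention.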
-Cheers, RP
Apr 28 2009 4:15PM GMT
Posted by: Raj Perumal
Tags: Cisco ASA, Cisco, Static NAT, static overlapping nat, one to one NAT
Hi folks, I just wanted to discuss a key difference in some firewalls. One of the things you might find yourself doing, especially in a hosting scenario, is creating static NAT entries. The entries are a one-to-one relationship between an external public IP address and an internal private IP address on your local or DMZ network.
In some firewalls you can assign multiple public IP addresses to your external interface and in some firewalls you can’t. For the ones that you can, you can easily create multiple static NAT entries for the same internal IP. So one local IP address, but multiple public IP addresses on the same port. For example, a web server that listens on port 80 for multiple public IPs.
But for firewalls that don’t bind the IP to the external interface such as the Cisco ASA, you cannot do this. If you try and do this you will get a static overlapping NAT error. How do you fix this?
You have to assign multiple internal IP addresses to your internal web server as well and then map each internal IP to an external IP. This will fix your problem!
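As an added example (not Cisco code), the following Python encodes the rule the post describes and the fix it recommends: a checker that rejects a set of one-to-one static entries in which one internal address is mapped to several public addresses, and a helper that splits such a request into one-to-one pairs using spare internal addresses that you then also configure on the server. All addresses are constructed, and the CLI lines it renders use the pre-8.3 `static (inside,outside)` syntax that was current when this post was written.

```python
"""Static NAT overlap check and one-to-one rewrite (added example, not Cisco code).

Encodes the behaviour the post describes: the ASA accepts each internal
(real) address once and each public (mapped) address once in static NAT,
so mapping one internal address to several public addresses is rejected
as an overlap.  The fix is to give the server extra internal addresses
and map each of those one-to-one.  All addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class StaticNat:
    real_ip: str      # inside / DMZ address
    mapped_ip: str    # public address on the outside


def find_overlaps(entries: List[StaticNat]) -> List[str]:
    """Return one message per conflict; an empty list means the set is accepted."""
    reals: Dict[str, set] = defaultdict(set)
    mapped: Dict[str, set] = defaultdict(set)
    for e in entries:
        reals[e.real_ip].add(e.mapped_ip)
        mapped[e.mapped_ip].add(e.real_ip)
    problems = []
    for real, pubs in reals.items():
        if len(pubs) > 1:
            problems.append(f"real {real} is mapped to {sorted(pubs)}: static overlapping")
    for pub, rs in mapped.items():
        if len(rs) > 1:
            problems.append(f"mapped {pub} is used by {sorted(rs)}: static overlapping")
    return problems


def split_one_to_many(real_ip: str, mapped_ips: List[str],
                      spare_real_ips: List[str]) -> List[StaticNat]:
    """Turn one internal address with several public addresses into
    one-to-one pairs, consuming one spare internal address per extra public
    address.  The server must be configured with those spare addresses too."""
    extra = mapped_ips[1:]
    if len(spare_real_ips) < len(extra):
        raise ValueError(f"need {len(extra)} spare internal addresses, "
                         f"have {len(spare_real_ips)}")
    pairs = [StaticNat(real_ip, mapped_ips[0])]
    pairs += [StaticNat(r, m) for r, m in zip(spare_real_ips, extra)]
    return pairs


def to_cli(entries: List[StaticNat]) -> List[str]:
    """Render pre-8.3 ASA static NAT lines for an accepted (non-overlapping) set."""
    if find_overlaps(entries):
        raise ValueError("refusing to render an overlapping static NAT set")
    return [f"static (inside,outside) {e.mapped_ip} {e.real_ip} netmask 255.255.255.255"
            for e in entries]


if __name__ == "__main__":
    wanted = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    naive = [StaticNat("10.0.0.10", m) for m in wanted]     # what people try first
    for p in find_overlaps(naive):
        print("rejected:", p)
    fixed = split_one_to_many("10.0.0.10", wanted, ["10.0.0.11", "10.0.0.12"])
    for line in to_cli(fixed):
        print(line)
```

Running the checker before pushing a change is cheap insurance in a hosting setup: it catches the overlap on your workstation instead of at the ASA prompt, and the rendered lines make it obvious which extra internal address each public address now belongs to.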
-Cheers, RP
Apr 23 2009 5:42PM GMT
Posted by: Raj Perumal
Tags: VMWare, ESX, ESXi, vSphere, vSphere editions, vSphere features
Hi folks, so the vSphere announcement is now out and we have a ton of cool new features to look forward to! The announcement was all the buzz on Tuesday!
The virtual machines themselves seem beefed up with access to more RAM and CPU, and VMware is capable of more IOPS now as well. Backup is made easy with vSphere, as well as more security features introduced into the product. A more refined networking strategy was also introduced with the concept of Cisco’s virtual switch embedded in vSphere.
The editions available now are:
- Essentials
- Essentials Plus
- Standard
- Advanced
- Enterprise
- Enterprise Plus
VMware has given the customer a lot more choice and flexibility with these options and every size business should be easily able to find the right product to fit their needs.
If you own a current version of VMware with support, you will be eligible for the upgrade the moment it is released. Even though the announcement was on Tuesday, the actual software will only be available in a little less than a month. I’m assuming after that happens we will see a rush of people downloading it and getting quickly upgraded. Just remember to leave some older VMware servers lying around in case your upgrades don’t go as smoothly as you’d like, so you have somewhere to roll back. This is just part of good patching practice!
-Cheers, RP
Apr 17 2009 7:33PM GMT
Posted by: Raj Perumal
Tags: VMWare, vSphere, ESX, ESXi, vStorage, vSwitch, Cisco, April 21st, 2009, VMware announcement
Hi folks, looks like we have an announcement on the horizon! VMware has announced that they are going to be making a major announcement for vSphere on April 21st, 2009!
For those of you that don’t know, vSphere is the next version of VMware ESX (ESX 4.0). They have renamed it vSphere and it’s coming out soon. This does not bode well for Microsoft and Citrix as they will now have to play catch up again with all of VMware’s new features!
Some of the features they are announcing? vStorage and vSwitches for starters! Things are really going to start to heat up once vSphere comes out and it will be interesting to see how the competition responds. Like I always say, this competition is going to be great for the consumer!
-RP
Apr 15 2009 6:24PM GMT
Posted by: Raj Perumal
Tags: Epic, Technology Day, Raj Perumal, HP, Cisco, Watchguard, Citrix, VMWare, RIM, conference, Winnipeg, Manitoba, Victoria Inn, The musings of an IT Consultant
Hi folks, once again it’s time for Epic Technology Day! This is the day long conference my company holds twice a year. Unfortunately due to many ongoing projects I won’t be presenting this year, but I will be in attendance.
Lots of new things to look forward to at Tech Day this year, including the Cisco Now Van which will showcase some of the cool equipment from Cisco.
Also VMware will be there as per usual speaking about their great products. HP and Citrix will also be there touting their wares. Technology day is a great opportunity to network in the Manitoba IT community and learn a lot about what’s new and wonderful in the world of technology. You can register for it here.
Hope to see you there!
-RP