Friday, December 22, 2006

CISCO (IOS) NAT / VPN Order of Operation

Traceroute

The Microsoft traceroute command (which relies on Internet Control Message Protocol [ICMP])

The Cisco IOS or UNIX traceroute command (which relies on a combination of User Datagram Protocol (UDP) and ICMP)

PIX Policy NAT / Outside NAT

Policy NAT lets you identify local traffic for address translation by specifying the source and destination addresses (and ports) in an access list. Regular NAT uses the source address/ports only, whereas policy NAT uses both source and destination addresses/ports.

With policy NAT, you can create multiple nat or static statements that identify the same local address as long as the source/port and destination/port combination is unique in each statement. You can match different global addresses to each source/port and destination/port pair.




P.J. For the host on the 10.1.2.0/24 network accessing the two different servers, we have two ways to define the configuration.

The syntax for using global translations follows:

access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 1 access-list NET1
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130 255.255.255.255


The syntax for using static translations follows:

access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1
static (inside,outside) 209.165.202.130 access-list NET2

Limitations:

The following configuration limitations apply to policy NAT:
• Access lists must contain permit statements only. Access lists for policy NAT cannot contain deny statements.
• An access list must be used only once with the nat command. For example, the following configuration would produce an error:

nat (inside) 1 access-list mylist-A
nat (inside) 2 access-list mylist-A

Whereas, the following configuration would not produce an error:
nat (inside) 1 access-list mylist-A
nat (inside) 2 access-list mylist-B

• Use an access list only once between the nat and static commands.
• A global address cannot be used concurrently for NAT and PAT.
• static commands are matched and executed before nat commands.
• Policy NAT does not support SQL*Net, which is supported by regular NAT.
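To make the matching rules above concrete, here is an added Python model of the policy NAT lookup (written for this page; it is not Cisco code and not part of the original post). It parses the global-translation example from the page plus one hypothetical static entry (access list NET3 and global 209.165.202.131, both assumed here), requires source AND destination to match, tries static entries before nat entries, and flags the deny-entry and reused-access-list limitations. Only the `permit ip` access-list form shown on the page is handled.

```python
import ipaddress

# Constructed sample: the page's global-translation example plus a hypothetical
# NET3/static pair (not on the page) so the static-before-nat ordering is visible.
CONFIG = """
access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
access-list NET3 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
nat (inside) 1 access-list NET1
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list NET2
global (outside) 2 209.165.202.130 255.255.255.255
static (inside,outside) 209.165.202.131 access-list NET3
"""

def _net(pair):
    """'host A' or 'A MASK' (always two tokens) -> ip_network."""
    return ipaddress.ip_network(pair[1] if pair[0] == "host" else f"{pair[0]}/{pair[1]}")

def parse(config):
    """Parse the PIX syntax subset shown on the page into lookup tables."""
    acls, nats, globals_, statics = {}, [], {}, []
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":  # access-list NAME permit|deny ip SRC DST
            acls.setdefault(t[1], []).append((t[2], _net(t[4:6]), _net(t[6:8])))
        elif t[0] == "nat":        # nat (inside) ID access-list NAME
            nats.append((int(t[2]), t[4]))
        elif t[0] == "global":     # global (outside) ID ADDR MASK
            globals_[int(t[2])] = t[3]
        elif t[0] == "static":     # static (inside,outside) GLOBAL access-list NAME
            statics.append((t[2], t[4]))
    return acls, nats, globals_, statics

def check_limits(acls, nats, globals_, statics):
    """Return violations of two limitations from the page: deny entries, reused ACLs."""
    errors = [f"{n}: permit statements only" for n, e in acls.items()
              if any(a != "permit" for a, _, _ in e)]
    used = [n for _, n in nats] + [n for _, n in statics]
    errors += [f"{n}: used more than once" for n in sorted(set(used)) if used.count(n) > 1]
    return errors

def translate(src, dst, acls, nats, globals_, statics):
    """Translated source for src->dst, or None: source AND destination must match,
    and static entries are tried before nat entries (the order the page states)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hit = lambda n: any(s in sn and d in dn for _, sn, dn in acls.get(n, []))
    g = next((g for g, n in statics if hit(n)), None)
    return g or next((globals_.get(i) for i, n in nats if hit(n)), None)
```

Run `translate("10.1.2.27", "209.165.201.5", *parse(CONFIG))` to see the static win over nat 1 for the same host; change the source to 10.1.2.28 and nat 1 applies instead.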

Thursday, December 21, 2006

IMSS tokens used in notification

Tokens enable users to add supplementary information to the body of the IMSS filter action notification messages.

Tuesday, December 19, 2006

ISA URL Sets and Domain Name Sets

Strong Outbound Access Control using the ISA Firewall (2004): Using Scripts to Populate URL Sets and Domain Name Sets.

http://www.isaserver.org/articles/2004domainseturlset.html

Wednesday, December 13, 2006

WMI - Windows Management Instrumentation

WMI is the Microsoft implementation of the Common Information Model (CIM) initiative developed by the Distributed Management Task Force (DMTF). The DMTF is an association of various computer and software companies (e.g. Novell, Microsoft, Cisco, HP, etc.) developing standards in the Enterprise management space. (See http://www.dmtf.org for more information.) As large Enterprises have many computers with many software environments, managing these diverse environments can be a real challenge. In order to unify the management techniques for the sake of simplicity, the DMTF defined CIM to represent real-world manageable entities in a unified way. The CIM object model is an object data model using terms and semantics common to all manufacturers and software developers. This object model is implemented in a database called the CIM repository.

Based on the CIM model, WMI includes real-world manageable components, available from the DMTF standards with some specific extensions that represent the various Windows components. Moreover, WMI exposes a collection of COM scriptable objects that allow various applications to take advantage of the management information. WMI is the Microsoft implementation of CIM.

As part of the installation process, most of the Microsoft applications available today (e.g. SQL 2000, Exchange 2000/2003, Office 2000/XP/2003, Internet Explorer 6.0, Host Integration Server, Automated Deployment Services) extend the standard CIM object model to add the representation of their manageable entities in the CIM repository. This representation is called a class, and it exposes information through properties and allows the execution of some actions via methods. Access to the manageable entities is made via a software component called a "provider", which is nothing more than a DLL implementing a COM object written in C/C++ (see the note at the end of this section). Because a provider is designed to access some specific management information, the CIM repository is also logically divided into several areas called namespaces. Each namespace contains a set of providers with their related classes specific to a management area (e.g. root\directory\LDAP for Active Directory, root\snmp for SNMP information, or root\MicrosoftIISv2 for Internet Information Server information).

To locate the huge amount of management information available from the CIM repository, WMI comes with a SQL-like language called the WMI Query Language (WQL).