April 26, 2012

House to Garage Fiber Worklog Part 2

I received the fiber cable today in the mail and started as soon as I got home from work. The weather was kind of stormy and threatened to rain, so I didn’t take any pictures of the actual pulling of cable since I wanted to get it done before it started to rain. Here are a few pictures and descriptions.

Fiber and CAT5E enter into the garage. I will put a wall plate on it once I get my punchdown tool back from work. Hopefully I’ll do that tomorrow.

 

The fiber is finished being run, and I’m testing the link between the house and garage. Jperf wasn’t working very well, but on file transfers I was getting ~80 MB/s. I normally can hit ~115 MB/s on my desktop, but this is just a 5400 RPM drive in my laptop.

Another shot through the door.

Closeup of the LC SFP. The switch is an HP Procurve 1400-24G.

Where the fiber exits the underground conduit and enters the garage. I have the conduit taped shut for now till I get my loom and can do a better job. I used mono expanding foam to close up the hole. I accidentally used too much here.

 

Behind this wall is an exterior window. The basement was framed and insulated so this wall covers up the window under my deck. I drilled a hole in the window frame and pulled the cable through. I also used mono to close the hole in the window frame.

Cable still needs to be tied up, but this is temporary for now.

Where the CAT5E and fiber come to the rack.

Picture of the core switch inside the house. It’s an HP Procurve 1800-24G. Same SFP as the garage switch.

Picture of my rack as it currently stands. It seems to change quite often.

April 21, 2012

Cisco ASA Hairpinning

Problem: Can’t access your webserver from behind the same network as the webserver using www.example.com. A Cisco ASA is used as the firewall.

Example:

www.pc-tech.ca resolves to 216.197.184.148. That then gets translated on my ASA to its internal IP. This all works fine and dandy, but by default, you can’t have a computer that is also behind the ASA access the site via www.pc-tech.ca. You need to use its private IP address.

Here’s how to fix that:

    object-group network internal_subnets
     network-object 192.168.1.0 255.255.255.0
     network-object 192.168.2.0 255.255.255.0

    object network Public_IP
     host 1.1.1.100

    object network Private_IP
     host 192.168.3.7

    nat (inside,inside) source dynamic internal_subnets interface destination static Public_IP Private_IP

Public_IP is your WAN IP address. (You could also use the “outside” object here.)

Private_IP is the internal IP of your HTTP server.

internal_subnets is the set of ranges of your internal IP addresses.
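
The same hairpin rule together with the intra-interface prerequisite and a way to verify it, as an added example that is not part of the original post. It reuses the post's object names and its 1.1.1.100 placeholder; the client address 192.168.1.50 and source port 50000 are constructed test values.

```cisco
! Added example. Object names and 1.1.1.100 come from the post above;
! 192.168.1.50 (an inside client) and source port 50000 are constructed.

! Prerequisite: by default the ASA drops traffic that enters and leaves
! the same interface, so the (inside,inside) rule cannot pass traffic
! until this is enabled.
same-security-traffic permit intra-interface

object-group network internal_subnets
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object network Public_IP
 host 1.1.1.100
object network Private_IP
 host 192.168.3.7

! The destination is translated from Public_IP to Private_IP. The source
! is PATed to the inside interface address so the web server replies to
! the ASA rather than straight to the client, whose TCP stack would
! reject a reply arriving from 192.168.3.7 instead of 1.1.1.100.
nat (inside,inside) source dynamic internal_subnets interface destination static Public_IP Private_IP

! Verification (privileged EXEC): simulate an inside client opening HTTP
! to the public address and confirm the trace ends in "Action: allow"
! with both NAT phases matched.
packet-tracer input inside tcp 192.168.1.50 50000 1.1.1.100 80 detailed

! Then check the rule's hit counters and the live translations.
show nat detail
show xlate
```

Because of the source PAT, the web server's access log shows the ASA's inside interface address for every internal visitor, so internal requests have to be attributed from the ASA's connection logs rather than from the server's.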

Screenshot of the rule in ASDM:

 

April 21, 2012

How to Make a Windows 7 All In One (AIO) DVD/ISO

Tools Used: 7zip, ImageX, and PowerISO.

 

Step 1 – Create a new folder on your C: drive called “Image.” (In my screenshots I’m using E:, but it doesn’t matter what folder you use, I just picked C: for simplicity.)

Step 2 – Open up an ISO and extract or copy the files off of a Windows 7 (x86 or x64) DVD to the Image folder.

Step 3 – Open up your other ISOs or DVDs and copy just the “install.wim” file from the sources folder on the disc or ISO. Copy this file to C:\ (in my example, E:\). Rename this file to something like Win7x86 if it’s from a 32 bit image or Win7x64 if it’s from a 64 bit image. Repeat this for any images you want to include on the new disc/ISO.

Step 4 – Download ImageX and copy it to Windows\System32. Now open up an elevated command prompt window and type in the following:

    Imagex /export "E:\Win7x64.wim" 1 "E:\Image\sources\install.wim" "Windows 7 Home Basic (x64)"
    Imagex /export "E:\Win7x64.wim" 2 "E:\Image\sources\install.wim" "Windows 7 Home Premium (x64)"
    Imagex /export "E:\Win7x64.wim" 3 "E:\Image\sources\install.wim" "Windows 7 Professional (x64)"
    Imagex /export "E:\Win7x64.wim" 4 "E:\Image\sources\install.wim" "Windows 7 Ultimate (x64)"

Note: If you used a base x64 image and want to add 32 bit images to it, just change the commands from Imagex /export "E:\Win7x64.wim" 1 "E:\Image\sources\install.wim" "Windows 7 Home Basic (x64)" to:

    Imagex /export "E:\Win7x86.wim" 1 "E:\Image\sources\install.wim" "Windows 7 Home Basic (x86)"

To add Windows 7 Enterprise images use:

    Imagex /export "E:\Win7x86Ent.wim" 1 "E:\Image\sources\install.wim" "Windows 7 Enterprise (x86)"
    Imagex /export "E:\Win7x64Ent.wim" 1 "E:\Image\sources\install.wim" "Windows 7 Enterprise (x64)"

*The first export will take the longest and the rest will go fairly quickly. Don’t worry if it seems to be too fast, this is normal*

Step 5 – Now that you have added the images to the install.wim file, open up the sources folder and delete the ei.cfg file. This file is what tells the Windows 7 Installer what images are on the disk and which ones it can use. We want to get rid of this file so that the installer can see all of the images available to install.

Step 6 – Recreate the ISO. This step can be done numerous ways, but the easiest way I found was to open up a real Windows 7 ISO, delete all the files on it, and then copy everything from the Image folder into the image and save it as a different filename. This way it keeps the bootability and the disc name and you know that it will boot because it’s from an actual image. Now you can burn your ISO to a DVD or make a bootable USB flash drive to install it with.

April 12, 2012

House to Garage Fiber Worklog

Project: Run fiber between my house and my garage.

So I’ve been wanting to do this since we bought the house (last September), and it’s finally warm enough to start. I may put my servers in the garage, I’m not sure yet. I’ll be running two 20 meter LC-LC single-mode patch cables through conduit underground to the garage. On either end will be switches. On one end will be an HP Procurve 1800-24G and on the other end a 1400-24G. I have the transceivers already and I ordered the fiber today. It should be here in the next week or two. 20 meters was 15 bucks. Pretty good deal I thought.

Winters here get to -40 C sometimes so I’m hoping this will hold up through the winter. I still have yet to figure out a way to protect the fiber from the conduit to the buildings. I was thinking a flexible type of plastic conduit like what you use when you wire up trailers and vehicles. Any input would be welcome as well. I may run a couple CAT5e runs as well. The garage is connected to the house’s mains so I think I’ll be fine using regular CAT5e as a backup if the fiber craps out or something.


Spot where the conduit comes up out of the ground, near the point of entrance to the house. There’s a blocked-off window under there that I will drill a hole into and run it into the basement. That’s how my phone line comes in.

Where the fiber will exit the conduit and go into the garage. I drilled a hole just to get it lined up in the inside.

View of the outside of my house.

And again.

Getting the hole on the inside made and planned out.

Views of the room in the garage.

Again.


Got a wall plate mounted in there.

We got new desks at work this week so I took my old one home. They were going to throw it out anyways.

The room needs some work. That’s my after work project as a hobby. I’m not sure if I’ll make it my new office or a man-cave or what yet.

April 3, 2012

How to: Cisco ASA – Authenticate VPN with AD Group using LDAP

*I used a Cisco ASA5505 with 8.4.3 and ASDM 6.4 to create this tutorial.*

This tutorial will assume that you have already configured the following:
- SSL VPN (Use the Wizards – VPN Wizards – AnyConnect Wizard)
- Your VPN is working and currently authenticating via Local
- Create a group in Active Directory for your VPN users
- Create a user for LDAP. No need to change the user’s group memberships.
- Make sure you know your DN paths for LDAP to your LDAP user and your VPN Users group.

I have included pictures as well to show what steps I am doing.

1. Add your domain controller to the ASA
- In ASDM go to Configuration – AAA/Local Users – AAA Server Groups
- On the right, click add.


- Give the server group a name
- Set protocol to LDAP
- You can leave the rest of the settings at default.


- Now you need to add a server to your server group. On the same page but a little further down hit add on the right-hand side.


- Interface name should be set to inside.
- Server IP address is the IP address of your domain controller.
- Leave Timeout alone.
- Leave SSL and Port settings alone.
- Server Type is Microsoft
- Scope is All levels beneath the Base DN
- Naming Attributes is sAMAccountName
- Your login DN is your path to the user you created. In this case it’s cn=LDAP, cn=users, dc=pc-tech, dc=local. LDAP is the username, Users is the OU where the user is, and the two DC parts are the domain name split at the dot, i.e. domain.com becomes dc=domain,dc=com.
- Password is the password for the LDAP user that you created.
- Leave everything else at default settings.
- Hit apply at the bottom to save your settings.
(Repeat this step if you want to add other domain controllers for redundancy.)

2. Changing the Access Policy
- In ASDM again go to Configuration – Network (Client) Access – Dynamic Access Policies
- Select DfltAccessPolicy and click Edit on the right side.


- Under the action tab change “Action” to Terminate. Hit OK.

- Now hit add. Give your new policy a name and a description.
- In the selection criteria use “User has ANY of the following AAA Attributes values.”


- Click add. Change the Attribute Type to LDAP
- Attribute ID by default should be memberOf
- Hit Get AD Groups and select the VPN Users group that you created in AD. (If you can’t see the groups, verify that you have LDAP setup properly on the ASA.)
- Hit OK.
- Make sure Action is set to Continue and hit OK.
- Hit apply at the bottom to save your settings.

3. Changing Authentication Method to LDAP.
- Go to Configuration – Network (Client) Access – AnyConnect Connection Profiles
- Select your Connection profile and hit edit.


- Change AAA Server Group to the LDAP Server group that you created.


- Hit OK.
- Hit apply at the bottom and hit save.
- Test configuration.
That’s it. Now only the users in your VPN Users group should be able to authenticate against your domain controller.
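
For reference, the CLI form of steps 1 and 3 (ASA 8.4 syntax) with a test command, as an added example that is not part of the original tutorial. The group name AD_LDAP, the domain controller address 192.168.3.10, the base DN, the connection profile name SSLVPN, the test user and the password placeholders are assumptions.

```cisco
! Added example. Assumed values, not from the tutorial: AD_LDAP,
! 192.168.3.10 (domain controller), the base DN, SSLVPN (connection
! profile name), vpntest (test user) and the <...> placeholders.

! Step 1: AAA server group and domain controller
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 192.168.3.10
 server-type microsoft
 ldap-base-dn dc=pc-tech,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=LDAP,cn=users,dc=pc-tech,dc=local
 ldap-login-password <ldap-user-password>
 ! The tutorial leaves SSL off, so the bind password and every VPN
 ! user's password cross the inside network to the DC in cleartext on
 ! TCP 389. If the DC has a certificate for LDAPS, use instead:
 ! ldap-over-ssl enable
 ! server-port 636

! Step 2: the default policy's action can be set from the CLI, but the
! memberOf selection criteria of the new policy are kept in dap.xml on
! flash, so create that policy in ASDM as described above.
dynamic-access-policy-record DfltAccessPolicy
 action terminate

! Step 3: point the connection profile at the LDAP server group
tunnel-group SSLVPN general-attributes
 authentication-server-group AD_LDAP

! Verify the bind and a user lookup before testing with a VPN client
test aaa-server authentication AD_LDAP host 192.168.3.10 username vpntest password <password>
! Watch the bind, search and returned memberOf values during a login
debug ldap 255
```

The test command only checks authentication against the domain controller; the group restriction is applied afterwards by the Dynamic Access Policy, so confirm it by logging in through AnyConnect with a user who is not in the VPN Users group and checking that the session is terminated.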

March 27, 2012

Awesome video.
