AndreasT's questions

Is it necessary for a router, that inside and outside are on a different (sub-)net?

As an example: We have the following setup in the field:

• Network: 10.10.1.0/28
• R1: Router with R1.outside access to internet
  • R1.inside: 10.10.1.1:
• R2: Router creatig VPN Tunnel to system on the internet
  • R2.outside: 10.10.1.2 with 10.10.1.1 as default gw
  • R2.inside: 10.10.1.3
• C: Ethernet capable controller
  • 10.10.1.4 with 10.10.1.4 (R2.inside) as default gw
• All those interfaces are plugged into one switch (except R1.outside, which usually is a GPRS connection)

                     ^
                     |
                     |
           +---------+-------+
           |      Outside    |
           |                 |
           |    R1           |
           |                 |
           |      Inside     |
           +-------+---------+
                   |
                   |
                   |
                   |
  +-------------------------------------------+
  |                |                          |
  |  Switch   +    +      +           +       |
  |           |           |           |       |
  +-------------------------------------------+
              |           |           |
              |           |           |
              |           |           |
    +---------+--------+  |   +-------+-------+
    |      Outside     |  |   |               |
    |                  |  |   |               |
    |  R2              |  |   |      C1       |
    |                  |  |   |               |
    |      Inside      |  |   |               |
    +---------+--------+  |   +---------------+
              |           |
              +-----------+

The question in more detail:

• by definition: Is there anything in the definition of a "router" that would disallow that setup? (Could not find anything in rfc1812 but I may have overlooked it)
• in practice: Is there any practical reason, common implementation details etc, that would make this setup wrong or seriously discouraged?

(Edit: To clarify: The topology is a given. It may be ugly. It may have implications. The question is: Is it wrong?)

I have a Windows Server 2012 server that is administered via RDP. Every so often, (lets say, once every quarter ?!?) I get asked to accept a new certificate. It is not in a Domain and not rolling as a Terminal Server.

I have a route there for which a Man in the Middle Attack is relatively unlikely.

So here are my questions:

• That certificate changes without me being asked, or it being a big patch day. How alarmed should I be?
• What triggers Windows to regenerate this cert? I know it happens on Windows7 hosts sometimes, but for Servers I thought security would be kind of interesting.
• Can I somehow verify, that there's no man in the middle?

I have an ASA (A) with a set of public IPs (A1..A6). And I have another server S with a public IP (S1) .

I want all traffic to A2:22 NATed (forwarded) to S1:22. (SSH is just an example here) If possible I want the traffic to not even touch the inside interface.

(How) can I do that?

I tried:

  access-list outside_access_in line 26 extended permit tcp any host S1 eq ssh 

  access-list outside_access_in line 26 extended permit tcp any host S1 eq ssh 
  static (outside,outside)  A2 S1 netmask 255.255.255.255 tcp 0 0 udp 0

But that, according to the packet tracer, always dies on the implicit incoming drop rule on the outside interface. I even tried to satisfy it by using a "drop all your pants" any:any rule, with no luck.

I am aware that this is not enough to really make it work. But can it actually work?

I have a Server behind a Port-forwarding Firewall.

Server <---> Firewall <------> NAT Port 222
                 |
                  -----------> VPN

I can ssh per key into it from the VPN. Doing this on server:

sever:~> ssh-keygen -lf /etc/ssh/ssh_rsa_host_key

Shows the HOSTKEY

I try to ssh into it from the outside:

ssh server.external 

Results in "REMOTE HOST IDENTIFICATION HAS CHANGED"

 The fingerprint for the RSA key sent by the remote host is
 HOSTKEY.EXTERN

The fingerprints HOSTKEY and HOSTKEY.EXTERN are different.

If I ssh into it via the VPN and its internal IP all is fine.

2 Questionts:

1. Why are HOSTKEY.EXTERN and HOSTKEY fingerprints different?
2. How can I check the reported host key from the outside?

EDIT: Answer to Part 2 and more strange findings:

I now did 'ssh-keyscan server' internally and externally, two different keys are the result.

ssh-keyscan server.external > server.external.keyscan
ssh-keyscan server.internal > server.internal.keyscan

then I fingerprint those:

ssh-keygen -lf server.external.keyscan
ssh-keygen -lf server.internal.keyscan

Two different fingerprints. I do not get it.

I have a VM host on the internet with my own subnet. I intended to use bridged networking and simply add my one physical NIC to the bridge and be done. But that had several downsides, not the least of which seemed to be a buggy driver.

Can I set up a public bridge without adding the physical NIC? with guests and their public IPs on it?

I tried to do it simply by routing, but that doesn't seem to work completely:

Guest: ip route default via <host> dev br0
ip route add <host> dev br0  # May be redundant.

Host: ip route add <guest>/32 via br0;

External access is still not working, as the host does not seem to tell others that "Ey I have access to those other IPs!" My guess is that I need some kind of arp trickery to finish what I started. (?)

I know that certain google products automatically access Google's blacklist database. Can I do the same? Is there maybe a cleaned-up dns server against which I could verify my own dns queries? Or some Webservice I could use?

I have a linux firewall, so I can do almost anything programmatically.

I have the following problem: I have a server with a rather dynamic network configuration and need to configure routes on it with the IF parameter:

route add  ... mask ... ... if ?

Is there a reliable way, manual and or programmatical, to get that interface number if I know just about everything else about that adaptor?

I have a Windows Server Box with 2 NICs sitting in 2 Networks with a Gateway Router to a 3rd: e.g.:

A: 10.1.1.0/24 - Remote Network
B: 172.1.1.0/24 - "DMZ" with GW Router to Network A on IP 172.1.1.1
C: 192.168.1.0/24 - Local LAN - Default Gateway 182.168.1.1

NIC1 is in Network B: 172.1.1.5
NIC2 is in Network C: 192.168.1.5 - gets settings via DHCP

I want to have access to/from network A. When I set the default gateway on NIC1 to 172.1.1.1 I can reach network A, but a config with 2 different default gateways is considered problematic/broken.

How to best solve this?

My first intuition was to set a route to network A via the router on network B:

route add 10.1.1.0 mask 255.255.255.0 172.1.1.1

Problems:

• The route gets ignored. The command answers with OK!, a subsequent 'route print' does not list that route

What is the easiest way to delete a Site2Site IPSec tunnel? The ASDM seemingly does not offer that functionality. I have to go to various tabs to delete the different elements that were created by the vpn wizard. The IPSec/IPSec Rules tab does not even accept changes (apply button does not activate after changes, just saving doesn't do anything either)

ASDM Version    5.2(4)  ASA Version 7.2(4)
Java Version    1.7.0_17    OS  Linux 3.2.0-4-amd64

Is there a way, maybe in the cli, to delete an IPSec tunnel with its associated config parts?

We have long ago switched off our Windows Domain. A user came in with his laptop, that was still a member of it. I think the Desktop and files were synced with the fileserver, but that doesn't exist anymore either. So Windows saved the files locally. I copied the user's local directory (C:\users\) and copied it to a safe location(s), which succeeded without errors (so I didn't completely check if everything was there). I assumed that would get me all the user's files.

Then I took the computer out of the domain.

Now I noticed "My Documents" seems to be Empty, which would be very bad. The Desktop came over, the Documents didn't. I did the copy multiple times without errors.

I guess windows simply removed them when the computer was taken out of the domain, and didn't copy them because (maybe) I copied them as the local Administrator.

Is there some place on the disk I could perhaps find these files?

I am using libvirt to control kvm on a fairly new (core i3) host running Debian Squeeze amd64. The Host as well as Linux guests work and feel fast and responsive. Simply installing Win7 with virt-manager standard profile for windows7 takes forever. I mainly blame the disk io, but Windows generally does not seem as responsive as linux guests.

Do you have some hints regarding performance optimal settings for Win7 guests on kvm?

(Sorry for the many dumps, but I think they are good as a point of reference.)

Host Konfiguration:

kvm: Version: 1:0.12.5+dfsg-5+squeeze8
libvirt-bin: Version: 0.8.3-5+squeeze2

virsh dumpxml:

<domain type='kvm' id='27'>
  <name>win7-template</name>
  <uuid>a4eb05fa-0d4e-5ced-2ff1-e15507795d1b</uuid>
  <memory>2097152</memory>
  <currentMemory>2097152</currentMemory>
  <vcpu>2</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.12'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset='localtime'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/win7-template.img'/>
      <target dev='hda' bus='ide'/>
      <alias name='ide0-0-0'/>
      <address type='drive' controller='0' bus='0' unit='0'/>
    </disk>
    <disk type='file' device='cdrom'>
      <driver name='qemu' type='raw'/>
      <source file='/var/lib/libvirt/images/isos/de_windows_7_professional_with_sp1_x64_dvd.iso'/>
      <target dev='hdc' bus='ide'/>
      <readonly/>
      <alias name='ide0-1-0'/>
      <address type='drive' controller='0' bus='1' unit='0'/>
    </disk>
    <controller type='ide' index='0'>
      <alias name='ide0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <interface type='network'>
      <mac address='52:54:00:af:89:f2'/>
      <source network='default'/>
      <target dev='vnet2'/>
      <alias name='net0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <source path='/dev/pts/5'/>
      <target port='0'/>
      <alias name='serial0'/>
    </serial>
    <console type='pty' tty='/dev/pts/5'>
      <source path='/dev/pts/5'/>
      <target type='serial' port='0'/>
      <alias name='serial0'/>
    </console>
    <input type='tablet' bus='usb'>
      <alias name='input0'/>
    </input>
    <input type='mouse' bus='ps2'/>
    <graphics type='vnc' port='5902' autoport='yes'/>
    <video>
      <model type='vga' vram='9216' heads='1'/>
      <alias name='video0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <alias name='balloon0'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </memballoon>
  </devices>
</domain>

cat /proc/cpuinfo (snippet)

processor   : 3
vendor_id   : GenuineIntel
cpu family  : 6
model       : 37
model name  : Intel(R) Core(TM) i3 CPU         540  @ 3.07GHz
stepping    : 2
cpu MHz     : 3058.386
cache size  : 4096 KB
physical id : 0
siblings    : 4
core id     : 2
cpu cores   : 2
apicid      : 5
initial apicid  : 5
fpu     : yes
fpu_exception   : yes
cpuid level : 11
wp      : yes
flags       : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp lm constant_tsc arch_perfmon pebs bts rep_good xtopology nonstop_tsc aperfmperf pni dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 popcnt lahf_lm arat tpr_shadow vnmi flexpriority ept vpid
bogomips    : 6117.86
clflush size    : 64
cache_alignment : 64
address sizes   : 36 bits physical, 48 bits virtual