suiCCIEde

Ciscoman's notes (Cisco guy's notes)

Tuesday, 25 October 2016

Zscaler cloud proxy and obvious logical flaw in default PAC file template

Here is the default PAC file template from the Zscaler cloud security solution:

function FindProxyForURL(url, host) {
    var privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;
    var resolved_ip = dnsResolve(host);

    /* Don't send non-FQDN or private IP auths to us */
    if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(host)) {
        return "DIRECT";
    }

    /* FTP goes directly */
    if (url.substring(0,4) == "ftp:") {
        return "DIRECT";
    }

    /* Updates are directly accessible */
    if (((localHostOrDomainIs(host, "trust.zscaler.com")) ||
        (localHostOrDomainIs(host, "trust.zscaler.net")) ||
        (localHostOrDomainIs(host, "trust.zscalerone.net")) ||
        (localHostOrDomainIs(host, "trust.zscalertwo.net")) ||
        (localHostOrDomainIs(host, "trust.zscloud.net")) ) &&
        (url.substring(0,5) == "http:" || url.substring(0,6) == "https:")){
        return "DIRECT";
    }

    /* Default Traffic Forwarding. Forwarding to Zen on port 80, but you can use port 9400 also */
    return "PROXY ${GATEWAY}:80; PROXY ${SECONDARY_GATEWAY}:80; DIRECT";
}
I don't know how, but a quite obvious error crept in here, in the lines below:

    var resolved_ip = dnsResolve(host);

    /* Don't send non-FQDN or private IP auths to us */
    if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(host)) {
And here is the screenshot for the sake of proof:

The point is that privateIP.test should check the resolved_ip variable against the regexp, not host. That's it. So the correct variant is:

    var resolved_ip = dnsResolve(host);

    /* Don't send non-FQDN or private IP auths to us */
    if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0","255.255.255.0") || privateIP.test(resolved_ip)) {
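As an added example (not Zscaler's code or this post's own), the JavaScript below emulates the PAC helper functions a browser provides (these emulations and the DNS table are constructed for the demo), runs the template's first rule with the regexp applied to host and then to resolved_ip, and shows that an internal FQDN resolving into RFC 1918 space is sent to the cloud proxy by the buggy rule but goes DIRECT with the fix:

```javascript
// Added example, not Zscaler's code or the post's: a small harness that emulates the
// PAC helper functions a browser provides, then runs the template's check in its
// buggy form (regexp applied to host) and fixed form (regexp applied to resolved_ip).
const privateIP = /^(0|10|127|192\.168|172\.1[6789]|172\.2[0-9]|172\.3[01]|169\.254|192\.88\.99)\.[0-9.]+$/;

// Constructed DNS answers for the demo: an internal FQDN in RFC 1918 space and a public one.
const FAKE_DNS = {
  "intranet.corp.example": "10.20.30.40",
  "www.example.com": "93.184.216.34",
};

// Emulation of the standard PAC helpers (real browsers supply these natively).
function isPlainHostName(host) { return !host.includes("."); }
function dnsResolve(host) { return FAKE_DNS[host] || host; } // literal IPs resolve to themselves
const ipToInt = (ip) => ip.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
function isInNet(ip, net, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ip)) return false;
  return ((ipToInt(ip) & ipToInt(mask)) >>> 0) === ((ipToInt(net) & ipToInt(mask)) >>> 0);
}

// The template's first rule, parameterised on which value the private-range regexp sees.
function decide(url, host, regexpSubject) {
  const resolved_ip = dnsResolve(host);
  const subject = regexpSubject === "host" ? host : resolved_ip;
  if (isPlainHostName(host) || isInNet(resolved_ip, "192.0.2.0", "255.255.255.0") || privateIP.test(subject)) {
    return "DIRECT";
  }
  return "PROXY gateway.example:80; DIRECT"; // stands in for ${GATEWAY}
}
const buggyFindProxyForURL = (url, host) => decide(url, host, "host");
const fixedFindProxyForURL = (url, host) => decide(url, host, "resolved_ip");

// An internal name resolving to 10.x goes to the cloud proxy under the buggy rule and stays
// DIRECT under the fixed one; plain names, public names and literal private IPs behave the same.
for (const h of ["intranet.corp.example", "www.example.com", "10.0.0.5", "fileserver"]) {
  console.log(h, "buggy:", buggyFindProxyForURL(`http://${h}/`, h), "fixed:", fixedFindProxyForURL(`http://${h}/`, h));
}
```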

Strictly speaking, this is not only an error in Zscaler's default PAC template; somehow this code snippet has spread widely across the Internet.

For example, the same error migrated here:

http://itzecurity.blogspot.ru/2016/05/pac-file-recommendation-warnings-and.html

and here:

http://findproxyforurl.com/pac-code-snippets-examples/

and even here:

https://support.google.com/chrome/a/answer/3504945?hl=en

Of course, by the time you check, the error may have been fixed. But that would be a good sign, meaning my blog post was noticed.

Hope this helps somebody.

Wednesday, 7 September 2016

Quick note: How to check HTTP server reachability if you can't resolve the DNS name

When the DNS name doesn't resolve, here are two ways to test the HTTP server by IP address while still sending the proper Host header:

Variant number one:

$ telnet 127.0.0.1 80
GET / HTTP/1.1
host: www.example.com
 
Variant number two, with curl:

$ curl --resolve www.example.com:80:127.0.0.1 http://www.example.com/

Friday, 8 April 2016

Tricks: Maximum Recursive Route Lookups IOS vs IOS XR

Just a small note, primarily for myself, because a long time ago I was absolutely sure that the maximum recursive route lookup depth was limited to 3 levels (maybe it has changed?). Actually, on IOS 15.4(2)T1 I tested that the 9th lookup is too many:

Check it yourself if you want ;)

192.168.0.0/24 is a connected network in my example:

ip route 1.1.1.1 255.255.255.255 1.1.1.2
ip route 1.1.1.2 255.255.255.255 1.1.1.3
ip route 1.1.1.3 255.255.255.255 1.1.1.4
ip route 1.1.1.4 255.255.255.255 1.1.1.5
ip route 1.1.1.5 255.255.255.255 1.1.1.6
ip route 1.1.1.6 255.255.255.255 1.1.1.7
ip route 1.1.1.7 255.255.255.255 192.168.0.2

1.1.1.1/32, epoch 0
  recursive via 1.1.1.2
    recursive via 1.1.1.3
      recursive via 1.1.1.4
        recursive via 1.1.1.5
          recursive via 1.1.1.6
            recursive via 1.1.1.7
              recursive via 192.168.0.2
                recursive via 192.168.0.0/24
                  Too many (9) levels of IP recursion truncating
1.1.1.2/32, epoch 0
  1 RR source [no flags]
  recursive via 1.1.1.3
    recursive via 1.1.1.4
      recursive via 1.1.1.5
        recursive via 1.1.1.6
          recursive via 1.1.1.7
            recursive via 192.168.0.2
              recursive via 192.168.0.0/24
                attached to GigabitEthernet0/0

And for IOS XR, according to the documentation, it is limited to 128 and can be configured with the recursion-depth-max command in the range of 5 to 16.
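As an added example (not from the post or from Cisco), here is a toy model of the recursive lookup above: longest-prefix match over the seven statics and the connected /24, walked hop by hop with a recursion cap. The cap of 8 levels (the 9th reported as too many) is an assumption read off the show output in the post, not a documented IOS constant:

```javascript
// Added example, not from the post or from Cisco: a toy model of IOS recursive
// static-route resolution with a fixed recursion cap, reproducing the chain above.
// The cap (8 resolved levels, the 9th reported as "too many") is an assumption read
// off the show output in the post, not a documented IOS constant.
const MAX_LEVELS = 8;

// Constructed table mirroring the post: seven /32 statics chained together and one connected /24.
const STATIC_ROUTES = {
  "1.1.1.1/32": "1.1.1.2", "1.1.1.2/32": "1.1.1.3", "1.1.1.3/32": "1.1.1.4",
  "1.1.1.4/32": "1.1.1.5", "1.1.1.5/32": "1.1.1.6", "1.1.1.6/32": "1.1.1.7",
  "1.1.1.7/32": "192.168.0.2",
};
const CONNECTED = { "192.168.0.0/24": "GigabitEthernet0/0" };

const ipToInt = (ip) => ip.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
function prefixMatches(prefix, ip) {
  const [net, len] = prefix.split("/");
  const mask = len === "0" ? 0 : (0xffffffff << (32 - Number(len))) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Longest-prefix match over static and connected routes; undefined when nothing matches.
function lookup(ip) {
  return [...Object.keys(STATIC_ROUTES), ...Object.keys(CONNECTED)]
    .filter((p) => prefixMatches(p, ip))
    .sort((a, b) => Number(b.split("/")[1]) - Number(a.split("/")[1]))[0];
}

// Follow next-hops until a connected network yields an interface, or the cap is hit.
// Each entry is one "recursive via" line; the last is the adjacency or the truncation notice.
function resolveRecursive(dest) {
  const chain = [];
  let target = dest; // an IP while recursing, a connected prefix once one is reached
  for (;;) {
    if (chain.length >= MAX_LEVELS) {
      chain.push(`Too many (${chain.length + 1}) levels of IP recursion truncating`);
      return chain;
    }
    if (target in CONNECTED) { chain.push(`attached to ${CONNECTED[target]}`); return chain; }
    const prefix = lookup(target);
    if (prefix === undefined) { chain.push("unresolved"); return chain; }
    if (prefix in CONNECTED) { target = prefix; chain.push(prefix); } // recursive via 192.168.0.0/24
    else { target = STATIC_ROUTES[prefix]; chain.push(target); }      // recursive via next-hop
  }
}

for (const d of ["1.1.1.1", "1.1.1.2"]) console.log(`${d}/32\n  ` + resolveRecursive(d).join("\n  "));
```

The same cap also terminates a static-route loop, which is the other case where a real router would otherwise recurse forever.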

Tuesday, 22 December 2015

Radius configuration trick to allow "CLID-like" filtering on ACS for l2tp/pptp

Here is a "trick" to allow filtering of l2tp/pptp client access based on their IP address for ACS 5.X:
1) Configure the NAS with "vpdn aaa attribute nas-ip-address vpdn-tunnel-client".
This command makes IOS send the client IP address in attribute 4, as in this debug output:
RADIUS:  NAS-IP-Address      [4]   6  1.2.3.4
2) Use a "compound condition" in ACS Access Policies - Authorization rules to match on this attribute.
Tested on IOS 15.1(4)M6 on a 7200 series router.

Sunday, 20 December 2015

CCIE R&S

Finally I nailed it. I passed on the first try, after so much time spent since 2013... Just since June 2015 I attended both Cisco360 workshops and spent more than 400 hours labbing (workshop time not counted) and more than 300 hours on VoDs from different training vendors...
Now I feel completely drained and squeezed like a lemon; time to take a pause.

Sunday, 4 October 2015

A simple Cisco IOS tcl script to use instead of interface-level configuration

Example:

tclsh
set area 0
# router-id taken from Lo0's address: "exclude face" drops the "Interface ..." header line,
# leaving a single line whose second field (lindex 1) is the IP address
ios_config "router os 1" "router-id [ lindex [exec "sh ip int b lo0 | exclude face"] 1 ]"
# add each listed interface's address as a host (0.0.0.0 wildcard) network statement in the given area
foreach i {
Lo0
Et0/0
Et0/1
} { ios_config "router os 1" "net [ lindex [exec "sh ip int b $i | exclude face"] 1 ] 0.0.0.0 area $area"
}

Thursday, 1 October 2015

Cisco IOS tclsh one-liner to configure a VRF on an interface

Example:
# assigning a VRF clears the interface's IP address, so the address line captured from the
# running config is re-applied in the same ios_config call
ios_config "int Et0/0" "ip vrf for VPNA" [exec "sh run int Et0/0 | i addr"]

More advanced stuff:
foreach i {
Et0/0.10
Et0/0.20
Et0/0.33
Tu1
s1/0
} { ios_config "int $i" "ip vrf for VPNA" [exec "sh run int $i | i addr"] }
