Step 1. Access List

NOTE: You can specify IP addresses or traffic types here.

ip access-list extended <VOICE>
 permit udp any any range 16384 32767
ip access-list extended <VOICE-CONTROL>
 remark Match VoIP Control Traffic
 remark SIP
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
 remark SCCP
 permit tcp any any range 2000 2002
 remark H323 Fast Start
 permit tcp any any eq 1720
 remark H323 Slow Start
 permit tcp any any range 11000 11999
 remark MGCP
 permit udp any any eq 2427

Step 2.  Class Map

NOTE: The ‘match-all’ or ‘match-any’ commands are like using AND/ OR for the access lists specified.

class-map match-all <VOICE-CONTROL>
 match access-group name <VOICE-CONTROL>
class-map match-any <VOICE>
 match access-group name <VOICE>
 match ip dscp ef
 match ip precedence 5

Step 3.  Policy Map

NOTE: The ‘priority’ command is the same as bandwidth but gives this traffic first access to bandwidth. You can only specify this command once.

policy-map <VOICEWAN>
 class <VOICE>
    priority <number-kbit>
 class <VOICE-CONTROL>
    bandwidth <number-kbit>
 class class-default
    fair-queue

Step 4. Interface Configuration

interface <outside_interface>
 bandwidth <number-kbit>
 bandwidth receive <number-kbit>
 service-policy output <VOICEWAN>

What’s so hard about that?

Jump over to http://www.microsoft.com/forefront/threat-management-gateway/en/us/default.aspx and check out the details on Forfront Threat Management Gateway (FFTMG). Building on the new Windows Server 2008 network stack there are several new features that administrators (myself included) have been crying for:

• Support for dual/ failover internet links. (using a separate fibre service for remote access and publishing plus a DSL2 service for web access.)
• Publishing (Static NAT) rules apply to both inbound and outbound traffic. (ISA would always NAT outbound connections on default IP address.)
• Category based Access lists (requires additional licenses) to filter traffic for “Social Networking” or “Known Virus URL’s”.
• Support in a Hyper-V or ESXi or XenServer virtualised environments.
• ONLY RUNS on Windows Server 2008 x64 eddition!!!

The old ISA server team blog has been updated to reference TMG now also; there are half a dozen articles available here that may help with deployment considerations.

Once 802.11n was released as a certified standard, I started looking around for a new Access Point that would be able to support the HD video content I use around the house. Reading over the forums and reviews I came upon SmallNetBuilder and their review of the NetGear WNDR3700 Wireless GBit router.

The device ran duel radio’s 802.11abgn, had 4x GBit interfaces and wouldn’t break the bank. My current NetComm 3G18Wn was running 11n but only had 100Mbit ports and didn’t work properly with the iPhone. When I received the device I swapped it in place of the NetComm leaving all the wireless details the same.

• GOOD: One of the funky features is when using Windows 7, WINDOWS takes you through a wizard to configure and secure the access point. Simply put in the PIN from the bottom of the device, next, next, finish and your AP is configured.
• GOOD: All my existing devices connected without any hassles and transfers between the WHS and PC are much faster using the built-in GBit switch.
• GOOD: There are buttons on the front of the AP which let you enable and disable the wireless plus unlock it for several seconds to let a new device associate.
• BAD: My only problem with the device is that it expects to be the internet gateway for your network. If your lucky enough to have a CISCO 877 (with IPv6) as your DSL modem and firewall, the WNDR3700 cannot use a LAN address as the default gateway.

OPINION: Well the title says it all. If you don’t have a 11n access point at the moment, go pick up one of these. It associates at 300MBit and I get at least 80-90Mbit/s throughput over the wireless around home. It can stream WTV files to the MCE plus DVDs to the NetBook at the same time.

Simply create your Class C address ranges, each in a separate DHCP scope. Then select all the new scopes and add them to a new superscope. Now when any clients from this network request addresses, they will be sent any address from the appropriate range. More information is in KB161571.

What you don’t do is use Superscopes to group several VLAN’s at a single site. That just breaks stuff. (Trust me)

The Repeater configuration we used are:

The CISCO Router Configuration we used is:

ip wccp 51 redirect-list wccp_redirect
ip wccp version 2
!
interface FastEthernet0/0
 Description ‘Internal LAN Interface’
 ip address 10.228.3.101 255.255.255.0
 ip wccp 51 redirect in
!
interface FastEthernet0/1
 Description ‘WAN Link’
 ip wccp 51 redirect in
!
ip access-list extended wccp_redirect
 permit host <SourceIP1> any
 permit any host <SourceIP1>
 permit host <SourceIP2> any
 permit any host <SourceIP2> 

You can use the command ‘show ip wccp 51 detail’ and ‘show ip wccp’ to check the tunnel before adding the ‘ip wccp 51 redirect in’ command on the interfaces. And believe me, you don’t want to leave a ‘debug ip wccp packet’ active on a production device that routes 30Mbit of wan traffic. Just in case the redirect list is wrong and the router tries to display all packets flowing through it….

Telstra likes to provide a 10MB document outlining how RADIUS works but not how to configure it. Here is a working example of IAS configuration for the Telstra RADIUS servers.

 Step 1: Install IAS (Internet Authentication Service) from the Add/ Remove Programs – Windows Components menu.

Step 2: In the IAS console, under remote access policies, define a new policy to permit group members dial-in access.

Note that access can be granted to all users by specifying the ‘DOMAIN\Domain Users’ group or to a select set of users by using a new group eg. ‘DOMAIN\NextG Dial-up’.

Use default configuration for all Remote Access Policy tabs, specifying the following settings:

Advanced
Name                                                Vendor                                                 Value
Ascend-Client-Primary-DNS   Ascend Communications Inc.   <DNS Server IP>
Framed-Pool                                  RADIUS Standard                            pool_001
Framed-Protocol                         RADIUS Standard                            PPP
Service-Type                                 RADIUS Standard                            Framed

Authentication
No EAP Methods
MS-CHAP v2 (Change Password after Expired)
MS-CHAP (Change Password after Expired)
CHAP

Encryption
x Basic (MPPE 40-bit)
x Strong (MPPE 56 bit)
x Strongest (MPPE 128 bit)
- No encryption

Step 3: Create the RADIUS Clients for both Telstra RADIUS proxy servers. Note that if you manage the default gateway for your site, you will need to send traffic to these IP Addresses via your Telstra WAN link. (Yes I know they are Internet IP addresses….)

Step 4: For any users that need to authenticate via Radius, you will need to enable ‘Store password using reversible encryption‘ on the account and have the user change their password. This can either be done on a per-user basis or in the default domain GPO. Note: That as reversible encrypted passwords, if a Domain Controller was ever compromised by an attacker, they can easily read the current passwords for users off the SAM.

Step 5: Test access using the <Username>@<TelstraSpecifiedDomain>. Note that access logs for IAS are stored in the System Event Log.

I realise you will probably never need to know this but I’ll bet my bike I will run into this problem again in the future. You will need to forgive the Double-Dutch, this is the code strait from the Telstra Tech’s mouth.

• Under Dial-SMC
• Operations to RAN
• SS-Accept
• Interfere RADIUS
• Attribute 88
• Framed Port = Att 88 = none (default = gen/sub)

I hope this helps you as much as it did me.

This diagram shows the example IP address configuration for the sites.

Using the ISA Site-to-Site VPN Wizard, create a site using the default values. When prompted for the VPN tunnel endpoint, be sure to enter the Outside address of the Router.

The ISA Server configuration should be:

————————————————————
Local Tunnel Endpoint: 1.1.1.1
Remote Tunnel Endpoint: 2.2.2.2

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication method: Pre-shared secret (demosecret)
    Security Association lifetime: 28800 seconds

IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time rekeying: ON
    Security Association lifetime: 3600 seconds
    Kbyte rekeying: OFF

Remote Network ‘LSE_VPN’ IP Subnets:
    Subnet: 192.168.0.0/255.255.255.0

Local Network ‘Internal’ IP Subnets:
    Subnet: 10.0.0.0/255.255.255.0
————————————————————

The necessary CISCO Router configuration should be:

————————————————————
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key demosecret address 1.1.1.1 no-xauth
!
crypto ipsec transform-set ISA_2006 esp-3des esp-sha-hmac
!
crypto map Head_Office 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ISA_2006
 set pfs group2
 match address 102
 reverse-route
!
interface (inside)
ip address 192.168.0.1 255.255.255.0
ip nat inside
!
interface (outside)
ip address 2.2.2.2 255.255.255.0
ip nat outside
crypto map Head_Office
!
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 101 remark Permit_Outbound_NAT
access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark Forward_Through_VPN
access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map nonat permit 10
 match ip address 101
————————————————————

The CISCO ASA Device configuration should be:

————————————————————
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
access-list In_to_out extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
!
global (outside) 1 interface
access-group In_to_out in interface inside
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set pfs
crypto map outside_map0 20 match address outside_20_cryptomap
crypto map outside_map0 20 set pfs
crypto map outside_map0 20 set peer 1.1.1.1
crypto map outside_map0 20 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key demosecret
————————————————————

For more information on the PIX/ Router/ ASA VPN configurations, have a look at PIX to Router, Router to Router or List of Configuration Examples.