Google AdSense Account Login Bug…

I am only posting this because I found a bug in Google’s account ID logic. If you encounter this bug, its very difficult to rectify, especially since there is no direct phone or email AdSense support – only online forums.

Whats the bug?

So an AdSense account is tied to a main google account. This could be your G Suite email, like user@domain.com or generic Gmail google account like user@gmail.com. The account is then associated with a website, say www.domain.com. A website entity can only be assigned to a single account. So here is the bug occurs:

  1. You setup G Suite for business so you can use Gmail with your own domain, lets call this domain foo.com and your G Suite login/account is bob@foo.com.
  2. Over time, you decide to show ads on your foo.com website, so you signup for AdSense using your bob@foo.com google account.
  3. Everything works great, your making money showing Ads.
  4. One day you decide you dont want to use Gmail for email services, you want to move your foo.com email service to another party. So you go into G Suite and cancel all G Suite for foo.com. At this point, your bob@foo.com google account is deleted.
  5. A few months go by and forgot about the AdSense stuff, so you try to login to AdSense… But WAIT.. your AdSense login was bob@foo.com google account, which doesn’t exist now, so you cant login.
  6. You assumeall accounts are deleted that are associated with bob@foo.com so you create a new free generic gmail account, like bob.foo@gmail.com.
  7. You create an AdSense account for bob.foo@gmail.com and associate it with your foo.com website. When you do this, Google analyzes your site and says to check back in 24 hours.
  8. The next day you get an email from AdSense that looks like this:

The problem is none of these options will help you because its IMPOSSIBLE to login to AdSense as bob@foo.com. You are now in this paradox where google has an old invalid account preventing you from creating a new AdSense account, and there is no way to delete the account, nor is there a way to easily contact Google to have them fix this anomaly.

What do you do? 

After many AdSense forum posts, someone (presummably from Google) sent me a link to a hidden form submission page:

https://support.google.com/adsense/contact/cant_log_in

This page gathers basic info, though it still lacks the option to describe whats really going on, then sends to a human at Google. I recommend in the box where it asks about browser issues, type in an explanation of the bug.

 

Using sed to edit files in place…

The other day I ran across a scenario where I needed to edit a file via a web app. Seems simply, but the file permissions were tricky and I didn’t have the rights to delete the file then re-create again since the top level directory permission wont allow it. So the easiest solution is to use sed to edit the file in place. The sed command can be called from inside the web app as long as the file we are editing has the proper permissions.

What is sed?

sed is a Stream Editor, hence the name. Normally you would use it to edit data coming in via STDIN or a STDOUT redirect. But the “-i” flag allows you to edit a flat file in place. Lets look at a few examples, take the following file contents:

Date: Dec 15th, 2019

TODO LIST
Clean house
Take out garbage
Buy groceries
Feed the fish
Watch TV

Lets say I want to edit this file in place and delete the line “Buy groceries”. There are few ways to do this, I can delete it via the line # or via regular expressions. The line # is 6, so the command would be:

# sed -i ” ‘6d’ /some/path/to/filename.txt

Note the empty set of single quotes after the -i, this is required for newer versions of sed, -i tells it to edit the file in place without creating a backup extension file. The ‘6d’ simply tells it to delete the 6th line of the file. Here is how you do it via regular expressions:

# sed -i ” ‘/^Buy.*/d’ /some/path/to/filename.txt

Again the d tells it to delete, the regular expression is inside the forward slashes, in this case the REGEX is find something that matches beginning of line word Buy, followed by anything.

Using a Cisco ASA5510 as a home router and DHCP server

Tired of Cheap Residential Linksys and TP-Link Routers?

If your like me, you’ve probably noticed that your average off the shelf wifi router from Best Buy costs around $100 and lasts about a year… if your lucky. Tired of that? Me too. So I decided to use hardened Cisco ASA5510. These are really solid units, run forever, and they are cheaply found on eBay. You can even run two of them in active/standby fail-over mode.

The Costs…

So an ASA5510 with the Security Plus license runs about $80 on eBay. This unit has 4 NICs, two of which are licensed to run at 1Gbps, in other words, 1 NIC is your ISP uplink (outside interface), the other NIC feeds your home’s LAN space (inside interface). That still leaves 2 NICs running at 100Mbps which you can operate as additional LAN spaces for security. As a small side note, I have two VOIP ATA’s that I run for phone service, these devices tend to be “vulnerable” to remote hacks, so as a precaution, my Grandstream ATA’s sit on a separate network behind my ASA5510 on NIC3.  This security zone is completely isolated from the rest of my network.

What about Wifi?

Clearly an ASA5510 has no Wifi capability, so for that will we use a Cisco SAP2600 access point. These run around $80-$140 on eBay. Again, they are extremely robust and will last forever, they also have excellent range. I will discuss the configuration of the SAP2600 in a separate article, but its very straight forward as the SAP2600 is out-of-the-box a standalone access point, you simply connect it to your WAN, it grabs an IP via DHCP, then you configure your SSIDs for 2 and 5 GHZ. The access simply forwards DHCP requests through to the ASA.

Initial Configuration of the ASA5510

So we will use Ethernet0/0 as “outside” uplink to ISP and Ethernet0/1 as “inside” LAN. In my case, that Ethernet0/1 goes to a switch where I hard wires some devices as well as my Cisco SAP2600 access point. For this example, I am using Verizon FiOS which does not have a static IP,  so the ISP uplink will be done via DHCP. I was also include an example of how to setup port forward to say a personal web server.

Most ASA’s off eBay will come with ASA software version 8.0, 8.1, or 8.2. For home use, this is fine, dont try to run anything higher. Also, dont bother with the ASDM, its useless. ASA’s were meant to be configured via command line. I am not going to bother showing a full config dump, rather, when you get console access, do a “write erase” followed by “reload”. This will bring up the ASA with the default config. From that default config, below is what you want to configure:

interface Ethernet0/0
nameif outside
security-level 0
ip address dhcp setroute

The above sets our ISP uplink, and assigns the WAN IP via DHCP.

interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

The above sets our inside or LAN interface. In my case, I’m using 192.168.1.X/24 as my LAN space.

access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo
access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any time-exceeded
access-list outside extended permit tcp any interface outside eq www

This is a sample ACL for opening port 80 access to a personal web server I am running on the LAN with IP 192.168.1.250.

global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (voice1) 1 192.168.5.0 255.255.255.0

This is required for functionality. The global statement sets our outbound PAT or proxy address translation. The nat statement tells the ASA that the 192.168.1.X range is what should be NAT’d.

static (inside,outside) interface 192.168.1.250 netmask 255.255.255.255
access-group outside in interface outside

This is related to our web server example. The access-group statement binds the ACL to the outside interface. The static translation effectively connects the port forward, it tells the ASA to “connect” the WAN IP of the outside interface (which we get via DHCP from the ISP) to the private LAN IP of my web server, which is 192.168.1.250.

telnet 0.0.0.0 0.0.0.0 inside
dhcpd dns 1.1.1.1 8.8.8.8
dhcpd ping_timeout 750
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd enable inside

This last price enables telnet access to the ASA from the LAN. This is also where we configure the LAN’s DHCP server. In this case I have allocated the range 192.168.1.100 through .199, and I also set my resolving DNS servers which DHCP process will send through to the clients.

Lastly, secure your ASA by setting the proper passwords:

enable password CLEAR-TXT-PASSWD
passwd CLEAR-TXT-PASSWD

Securing WordPress – Fool Proof Method

Are you tired of your WordPress site being hacked?

I have a simple and effective solution. The biggest reason WordPress gets hacked is because of very insecure file permissions that exist on the backend server, and there are many bugs within wp-admin that can exploited. These permissions and exploits make it easy to upload content, install plugins, brute force attack the login and so on. But if your like me, once your WordPress environment is setup, it doesn’t really change after that. All I do is upload images and write posts. So I write a simple set of lockdown scripts which I execute from the command line.

The lockdown script does a few things:

1. It removes wp-login.php from the base web root
2. It removes the entire wp-admin directory
3. It resets the permissions on wp-content/uploads

The unlock script effectively does the reverse.

So when I need to make changes or write an article, I SSH into my server and run the unlock script. When I am all done, I run the lockdown script. Here is the raw code for those scripts, in PERL:

lockdown-wp.pl

unlock-wp.pl

A few details. My web server runs as the “www” user, so thats why I chown the uploads directory as www. My web root is /usr/local/www/apache24/data and the resources directory is my WordPress base URL, i.e. http://www.essenz.com/resources/ The script runs as root user and stores the temp files in /root

 

FAMP Install Guide – FreeBSD, Apache, Mysql, and PHP Howto

Here is a quick guide of how to properly do a FAMP install on FreeBSD 11.

I will be using the pkg system for this install, but first lets understand a little bit about pkg. For years, FreeBSD used the ports repository – a file tree that contained Makefiles and all the necessary info needed to build any software package from source. In recent years, FreeBSD has put more emphasize on precompiled packages, the pkg utility does just this, it downloads the latest version of the precompiled package and installs it. The syntax is simple:

# pkg install package_name

You can search by using the command:

# pkg search name

For example, “pkg search apache”, will return this list:

apache-ant-1.10.3 Java- and XML-based build tool, conceptually similar to make
apache-forrest-0.9 Tool for rapid development of small sites
apache-mode.el-2.0_1 Emacs major mode for editing Apache configuration files
apache-openoffice-4.1.5_6 Integrated wordprocessor/dbase/spreadsheet/drawing/chart/browser
apache-openoffice-devel-4.2.1833124,4 Integrated wordprocessor/dbase/spreadsheet/drawing/chart/browser (developer version)
apache-poi-3.15 Java API To Access Microsoft Format Files
apache-rat-0.12 Release audit tool
apache-solr-7.1.0 High performance search server built using Lucene Java
apache-solr3-3.6.2 High performance search server built using Lucene Java
apache-spark-2.1.1_1 Fast big data processing engine
apache-xml-security-c-1.7.3_1 Apache XML security libraries - C++ version
apache24-2.4.34 Version 2.4.x of Apache web server
apachetop-0.12.6_5 Apache realtime log stats
p5-Apache-ASP-2.63 Active Server Pages for Apache
p5-Apache-Admin-Config-0.95_1 Perl module to manipulate Apache configuration files
p5-Apache-AuthCookie-3.27 Perl module to provide custom forms for reauthentication

and so on…

When doing a pkg install, you only need the name portion not the full name with version number. So lets begin with our FAMP tutorial.

Step 1 – Install Apache

# pkg install apache24

Once this is completed, you need to add apache24_enable=”YES” to the /etc/rc.conf file. This can be done manually, or with the command:

# sysrc apache24_enable="YES"

Lastly, start apache with either “/usr/local/etc/rc.d/apache24 start” or “service apache24 start”

Step 2 – Install PHP

Which version? You’ll notice that “pkg search php” returns a few different options. For core PHP, your options are:

php56-5.6.36_1
php70-7.0.31
php71-7.1.20
php72-7.2.8

Lets assume you want the latest 7.2 stable, here is the install command, note in addition to PHP core I am going to install a few other popular PHP add-ons. These add-ons were in the output of “pkg search php72”.

# pkg install php72 php72-gd mod_php72 php72-mysqli php72-zlib

NOTE: If you wanted an older version, say 5.6, you would have used the command:

# pkg install php56 php56-gd mod_php56 php56-mysqli php56-zlib

Once PHP is installed, add the following to /usr/local/etc/apache/Includes/php.conf:

<IfModule dir_module>
    DirectoryIndex index.php index.html
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
</IfModule>

Its also important to install the proper php.ini file. The distribution comes with a sample production and development .ini file, choose the one thats appropriate and move it into position as follows:

# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Now lets test everything before we continue:

# echo '<?php phpinfo(); ?>' > /usr/local/www/apache24/data/phpinfo.php
# service apache24 restart

Visit your server via http://IP-ADDRESS/phpinfo.php and you should see something like this:

Step 3 – Install Mysql

Just as we have done before, we do a “pkg search mysql” and find several versions:

mysql55-client-5.5.60
mysql55-server-5.5.60
mysql56-client-5.6.40
mysql56-server-5.6.40
mysql57-client-5.7.22_1
mysql57-server-5.7.22_2
mysql80-client-8.0.11_1
mysql80-server-8.0.11_1

Lets go with version 5.7, so to install we do:

# pkg install mysql57-client mysql57-server

Next, we add the startup syntax to /etc/rc.conf and startup Mysql:

# sysrc mysql_enable="YES"
# service mysql-server start

Now that MySQL us running, we execute the following script:

# mysql_secure_installation

This script allows you to setup the initial root user password for access to mysql via the command line.

/56 Subnet – Delegating IPv6 Reverse Authority

Recently I had a client that wanted a /56 IPv6 WAN range. The idea behind this was he wanted to be able to provision multiple /64’s within his /56 to assign to clients.

Before we go any further, lets clarify what a /56 is, I will use the following sample range:

2600:AB00:1000:2000::/56

This is really the range of IPs from 2600:AB00:1000:2000:0000:0000:0000:0000 through 2600:AB00:1000:20FF:FFFF:FFFF:FFFF:FFFF, in other words, its 256 /64s. Delegating reverse authority of this beast is not so straight forward. Here is how we do it in BIND v9.

The most difficult aspect of this is the /56 delegation has to occur from within the /32 zone file. Huh? So if you were only ever doing DNS yourself (no delegation), you probably never created a zone for the /32, instead you just had all your /64 zone files as is. You can’t declare a /56 in-arpa zone file and delegate, it has to be done from the newly created /32. But dont worry, the /32 will have a catch all that redirects everything back to itself, so all your existing /64’s zones will be fine, no changes needed.

So sticking with the above ranges, assume we are an ISP, our /32 is 2600:AB00::/32, our DNS servers are ns1 and ns2.isp.com. Furthermore, say we have a client with a /64 of 2600:AB00:1234:4000::/64 and we do the DNS for them (no delegation), then lastly, we have client /56 of 2600:AB00:1000:2000::/56 that is going to be delegated to their name servers, ns1 and ns2.client.com.

Assume this is a watered down config snippet, we’re just showing the pertinent info. Here is my master BIND config file showing the zone declarations:


zone "0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa" {
type master;
file "/etc/bind/master/0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa";
};

zone “0.0.f.b.4.0.6.2.ip6.arpa” {
type master;
file “/etc/bind/master/0.0.b.a.0.0.6.2.ip6.arpa”;
};

The first zone is my /64 client, here is that zone file with some sample PTRs:


$ORIGIN 0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa.
$TTL 3600
@ IN SOA ns1.isp.com. hostmaster.isp.com. (
2014022621 ; Serial
10800 ; Refresh
3600 ; Retry
2419200 ; Expire
604800 ) ; Default TTL

IN NS ns1.isp.com.
IN NS ns2.isp.com.

5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR web01.isp.com.
5.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR mail01.isp.com.

The second zone is the /32 zone, and this is where we do the delegation for the /56 and the catch all for everything else, see below:


$ORIGIN 0.0.b.a.0.0.6.2.ip6.arpa.
$TTL 3600
@ IN SOA ns1.isp.com. hostmaster.isp.com. (
2018080107 ; Serial
10800 ; Refresh
3600 ; Retry
2419200 ; Expire
604800 ) ; Default TTL

IN NS ns1.isp.com.
IN NS ns2.isp.com.

0.2.0.0.0.1.0.0.b.a.0.0.6.2.ip6.arpa. IN NS ns1.client.com.
0.2.0.0.0.1.0.0.b.a.0.0.6.2.ip6.arpa. IN NS ns2.client.com.

So looking at this zone file, the first two NS lines is the catch all, basically, anything that doesn’t match below will delegate back to itself. This is why my /64 zone in the master config will work. But we do match the /56 that needs delegation, and its forwarded to those 3rd party NS servers.

Filtering outbound BGP announcements in Cisco IOS

We previously looked at a sample BGP setup for a Cisco 6500 series router. What if you have multiple BGP peers and want to restrict which prefixes or IP blocks you announce to which peers. Simple. We can use the prefix-list command.

What you announce to each BGP peer will effect the traffic that comes in. So sometimes filtering what you announce can help shape your inbound traffic usage, or it can be used to limit one of your peers to very little traffic so you have a backdoor option during a high load event or DDoS.
Lets look at a sample BGP config:

router bgp 17500
bgp log-neighbor-changes
neighbor 200.10.20.1 remote-as 1000
neighbor 200.10.20.1 ebgp-multihop 5
neighbor 200.10.20.1 update-source GigabitEthernet5/8
neighbor 100.5.10.1 remote-as 2000
neighbor 100.5.10.1 ebgp-multihop 5
neighbor 100.5.10.1 update-source GigabitEthernet4/8
!
address-family ipv4
neighbor 200.10.20.1 activate
neighbor 200.10.20.1 next-hop-self
neighbor 200.10.20.1 send-community
neighbor 200.10.20.1 soft-reconfiguration inbound
neighbor 200.10.20.1 prefix-list PeerA-out out
neighbor 200.10.20.1 filter-list 1 in
neighbor 200.10.20.1 filter-list 15 out
neighbor 100.5.10.1 activate
neighbor 100.5.10.1 next-hop-self
neighbor 100.5.10.1 send-community
neighbor 100.5.10.1 soft-reconfiguration inbound
neighbor 100.5.10.1 prefix-list PeerB-out out
neighbor 100.5.10.1 filter-list 1 in
neighbor 100.5.10.1 filter-list 15 out

My ASN is 17500 and I have two BGP uplinks, one to AS 1000 (we’ll call this Peer A) and one to AS 2000 (we’ll call this Peer B). I am announcing the following prefixes:
190.45.60.0/24
209.88.40.0/24
20.10.180.0/24

As you can see, for each peer, I have included a statement with

    prefix-list “LIST-NAME” out

This statement restricts what my ASN will broadcast OUT to my peers. Lets say I want to BGP announce all three prefixes to Peer A, but I only want to announce 190.45.60.0/24 to Peer B. This is what those respective prefix-list’s will look like:

ip prefix-list PeerA-out seq 1 permit 190.45.60.0/24
ip prefix-list PeerA-out seq 2 permit 209.88.40.0/24
ip prefix-list PeerA-out seq 3 permit 20.10.180.0/22
ip prefix-list PeerA-out seq 100 deny 0.0.0.0/0
ip prefix-list PeerB-out seq 1 permit 190.45.60.0/24
ip prefix-list PeerB-out seq 100 deny 0.0.0.0/0

Thats all there is to it.

TCP/IP Networking in Linux without a GUI

There are a few major Linux distributions these days, Centos/RHES, Ubuntu, and Debian. They all differ slightly in how they natively handle IP configuration.
For starters, lets first understand the universal way to IP config ANY Linux OS (this also applies to BSD Unix and Solaris). This is done with the ifconfig and route command. ifconfig places an IP address on an interface and route places the default gateway in the routing table. When using ifconfig you just need to know the interface name, if you dont know the interface name, simple type the command:
ifconfig -a
This will display all the connected interfaces, so if you have two NICs on your server it may list an eth0 and eth1. For our example, lets assume we are connecting a Cat5 cable to eth0 and we want to configure the following network setup:
IP Address: 200.50.100.5
Netmask: 255.255.255.0
Default Gateway: 200.50.100.1
The IP configuration is handled by the following command:
ifconfig eth0 200.50.100.5 netmask 255.255.255.0 up
To add the default gateway, we use the following command:
route add default gw 200.50.100.1
Obviously, if you reboot the system these settings will be lost. So now lets look at how to manually config the IP settings for bootup. Both Debian and Ubuntu use the same setup, it involves editing the interfaces file. CentOS/RHES is a bit different, we’ll cover that one last.
For Ubuntu/Debian, edit the file /etc/network/interfaces and add the following lines:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 200.50.100.5
netmask 255.255.255.0
network 200.50.100.0
broadcast 200.50.100.255
gateway 200.50.100.1
The broadcast and network entries are technically not needed, but you might as well add them. After you save this file, use the ifup command to activate and bring up the eth0 interface:
ifup eth0
Finally, make sure you edit /etc/resolv.conf and add your DNS resolvers, the syntax is as follows:
nameserver 8.8.8.8
nameserver 4.4.4.2
Lets take a look at Centos/RHES and how they configure IP networking. Instead of using a singular config file, each interface has its own file located in /etc/sysconfig/network-scripts and the file name format is ifcfg-INT where INT is the name of your interface. In our example, our interface is eth0, so the file we will be editing is /etc/sysconfig/network-scripts/ifcfg-eth0 and the contents of that file is as below:

DEVICE=eth0
BOOTPROTO=static
BROADCAST=200.5.100.255
HWADDR=00:13:72:65:B0:AD
IPADDR=200.50.100.5
NETMASK=255.255.255.0
NETWORK=200.50.100.0
ONBOOT=yes
Again, some of the above lines are not required, HWADDR, NETWORK, and BROADCAST are not required but definitely add them if you know them. The HWADDR is the interfaces MAC Address, which you can find out by typing “ifconfig eth0”. The default gateway setting in CentOS/RHES is handled in a separate file. Edit the file /etc/sysconfig/network and add the following lines:
NETWORKING=yes
HOSTNAME=foobar.domain.com
GATEWAY=200.50.100.1
Once the files are edited, you again run the command “ifup eth0” to bring up the interface. The default gateway and hostname settings will be active on reboot, otherwise you have to restart networking for those changes to take effect, this is done by running:

/etc/init.d/network restart

Configuring SSL VPN on Cisco ASA

Starting a few years ago, Cisco began to phase out their support of the long standing VPN Client software which used IPsec. Basically, they didn’t make a 64-bit version to run on Windows 7 and 8, so unless you use XP, its very hard to use the old Cisco VPN client software. The replacement is AnyConnect, which can be launched via the web. AnyConnect does not use IPsec for the vpn tunnel, it uses SSL. The downside is it requires additional licensing, most ASA’s only come with 1 SSLVPN user license, and 10 IPSec.
Here is how you configure a typical ASA (running IOS 8.3) to use webvpn and AnyConnect.
Assumptions:
1. The outside or public WAN IP of the ASA is 200.50.75.1
2. The inside or local access range is 192.168.1.0/24
3. The VPN IP pool that we will create is 10.100.1.0/24
Here is the complete config with some comments.
Create and apply a nonat access list:
ASA(config)# access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.100.1.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list nonat

Define a split tunnel access list:
ASA(config)# access-list splitvpn standard permit 192.168.1.0 255.255.255.0

Define the Group Policy for the WebVPN:
ASA(config)# group-policy SSLVPN_POLICY internal
ASA(config)# group-policy SSLVPN_POLICY attributes
ASA(config-group-policy)# vpn-tunnel-protocol svc webvpn
ASA(config-group-policy)# webvpn
ASA(config-group-webvpn)# split-tunnel-policy tunnelspecified
ASA(config-group-webvpn)# split-tunnel-network-list value splitvpn
ASA(config-group-webvpn)# split-dns value foobar.com
ASA(config-group-webvpn)# dns-server value X.X.X.X
In the above case, foobar.com would be your local DNS search suffix. The X.X.X.X would be the IP of your local DNS server if you used one, if not you can leave it out or insert a public DNS server IP like 8.8.8.8.
Define a DHCP pool for the clients to use:
ASA(config)# ip local pool vpnpool 10.100.1.1-10.100.1.254 mask 255.255.255.0
Define a local user to use for the VPN:
ASA(config)# username johndoe password ABC123 privilege 0
ASA(config)# username johndoe attributes
ASA(config-username)# vpn-group-policy SSLVPN_POLICY
Enable WebVPN:
ASA(config)# webvpn
ASA(config-webvpn)# enable outside
ASA(config-webvpn)# svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
ASA(config-webvpn)# svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
ASA(config-webvpn)# svc enable
The above location/filename of the AnyConnect software may vary, to verify just type the “dir” command from the main prompt to see a file listing showing the exact filename versions.
Define the tunnel group:
ASA(config)# Tunnel-group SSLVPN_TUNNEL type remote-access
ASA(config)# Tunnel-group SSLVPN_TUNNEL general-attributes
ASA(config-tunnel-general)# default-group-policy SSLVPN_POLICY
ASA(config-tunnel-general)# address-pool vpnpool

Link the tunnel group to WebVPN:
ASA(config)# webvpn
ASA(config-webvpn)# tunnel-group-list enable
ASA(config-webvpn)# exit
ASA(config)# tunnel-group SSLVPN_TUNNEL webvpn-attributes
ASA(config-tunnel-webvpn)# group-alias AnyConnect enable

Basic Cisco Router Config with BGP Uplink

Do you have your own /24 IP subnet and want to setup a BGP router? This article will gave a basic overview of the key components required. The syntax used is for an IOS 12.2 Cisco 6500 series, but is applicable to a 7600 series, a 7200 series, or even a 1800 or 2800 series router.
Assumptions:
1. The /24 subnet we are announcing is 200.50.75.0/24.
2. The IPv4 WAN Subnet from our upstream BGP provider is 128.64.12.128/30.
3. Upstream BGP peer’s AS is 1000, and our AS is 17500
So to begin, we assume our BGP uplink is delivered to us via a basic Cat5 handoff. This handoff has a static WAN subnet of 128.64.12.128/30 – our side of the WAN is 128.64.12.130 and the provider’s side of the WAN is 128.64.12.129. That also means our default GW is 128.64.12.129.
We connect this Cat5 uplink to FastEthernet7/1 on our 6500. Now we need to go into the 6500 series router, config the WAN link, then do all the BGP configs so we can start using our /24 subnet.
We login with enable access and go to configuration mode:
Cisco6500# config -t
We know setup the WAN link:
Cisco6500(config)# interface FastEthernet7/1
Cisco6500(config)# desc BGP Uplink
Cisco6500(config)# ip address 128.64.12.130 255.255.255.252
Cisco6500(config)# no shutdown
We set the default route:
Cisco6500(config)# ip route 0.0.0.0 0.0.0.0 128.64.12.129 250
At this point our router is live and we should be able to ping out to the internet. In order to use our own /24 and AS we need to setup a BGP session with our upstream, let get started:

Cisco6500(config)# router bgp 17500
The above effectively “creates” the BGP service on our end acting as AS 17500, we now need to config it. We are inside the router statement, so every command from this point on effects only the BGP config. We have to exit out to return to the main config.
Cisco6500(config-router)# bgp log-neighbor-changes
Cisco6500(config-router)# neighbor 128.64.12.129 remote-as 1000
Cisco6500(config-router)# neighbor 128.64.12.129 ebgp-multihop 5
Cisco6500(config-router)# neighbor 128.64.12.129 password ABC123

Quick recap of the above. We are telling our BGP service about our first neighbor or “peer”. The peer address 128.64.12.129 is the WAN side IP of our upstream, we specify that our peers AS is 1000, we specify a BGP session password (this is optional, and must be configured to match on the other end), the ebgp-multihop 5 entry is also potentially optional, but I like to add it just in case there are any hops between myself and my peer.
Now we configure the IPv4 portion of the BGP config. In order to do that, we go one more level down in the config by entering the following:

Cisco6500(config-router)# address-family ipv4
This puts you into a sub-config menu, and your prompy will change. From here we can add the IP details of our BGP session:
Cisco6500(config-router-af)# neighbor 128.64.12.129 activate
Cisco6500(config-router-af)# neighbor 128.64.12.129 next-hop-self
Cisco6500(config-router-af)# neighbor 128.64.12.129 send-community
Cisco6500(config-router-af)# neighbor 128.64.12.129 soft-reconfiguration inbound
Cisco6500(config-router-af)# neighbor 128.64.12.129 filter-list 1 in
Cisco6500(config-router-af)# neighbor 128.64.12.129 filter-list 15 out
The first line activates IPv4 on the session. The next three lines are pretty basic and normal. The soft-reconfiguration line is required if you want to be able to do soft resets of the BGP session to grab updates from the other side or vice versa. The last two lines are tricky, but basically, the control what we will allow in and what we allow out from our router. I will describe these filter lists below after we are down with the main BGP config. The following lines finish out out IPv4 portion of the config:

Cisco6500(config-router-af)# no auto-summary
Cisco6500(config-router-af)# no synchronization
Cisco6500(config-router-af)# network 200.50.75.0 mask 255.255.255.0
The last line here is our IPv4 announcement. Now we exit out of the address-family sub-config, and the bgp router sub-config:
Cisco6500(config-router-af)# exit
Cisco6500(config-router)# exit
Cisco6500(config)#
This returns us to the menu config menu. At this point our BGP session is 95% percent complete, just a few loose ends to finish up. Mainly, we have to create those in and out filter lists rules for the BGP prefixes we will allow in and out. We add the following:
Cisco6500(config)# ip as-path access-list 1 permit .*
Cisco6500(config)# ip as-path access-list 15 permit ^$
Cisco6500(config)# ip as-path access-list 15 permit ^(17500_)+$
Access list 1 basically permits everything in, which is want we want. Access list 15 permits our AS 17500 to go out. Last but not least, we need to locally null route our IP announcement:

Cisco6500(config)# ip route 200.50.75.0 255.255.255.0 Null0 250
Cisco6500(config)# exit
Cisco6500(config)# write mem
At this point our BGP router is live, you can verify with the following command:
Cisco6500# sh ip bgp summary
BGP router identifier 128.64.12.130, local AS number 17500
BGP table version is 27807253, main routing table version 27807253
187089 network entries using 18895989 bytes of memory
203251 path entries using 9756048 bytes of memory
48641 BGP path attribute entries using 2724008 bytes of memory
39260 BGP AS-PATH entries using 1076272 bytes of memory
58 BGP community entries using 1392 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
61132 BGP filter-list cache entries using 733584 bytes of memory
BGP using 33187293 total bytes of memory
8 received paths for inbound soft reconfiguration
BGP activity 4186733/3980758 prefixes, 6186177/5962957 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
128.64.12.129 4 1000 10948679 267030 27806888 0 0 7w2d 174293
With your BGP router live and running, you can start using your IP space on any interface by simply assign a subnet of your choosing, for example:
Cisco6500(config)# interface FastEthernet7/2
Cisco6500(config)# desc Mail Server
Cisco6500(config)# ip address 200.50.75.1 255.255.255.248
Cisco6500(config)# no shutdown
This creates a 200.50.75.0/29 subnet on interface 7/2 with 200.50.75.1 acting as the default gateway. Simply connect a server to that port and it will be live with a usable IP in the .2 through .6 (.7 is reserved for the broadcast).