Posted by: Paul | August 31, 2009

New Michael Moore movie

Michael Moore is on screen again. This time not with a look at the American health system but at capitalism, which is also the title of the new flick, Capitalism. You can catch the trailer here; it looks interesting all the same.

Other interesting movies I’ve watched recently include:

The End of the Line
Home
Religulous

Enjoy peeps!

Posted by: Paul | August 31, 2009

Cisco ASA AnyConnect SSL VPN

As promised, here is the summarised walkthrough for getting AnyConnect SSL VPNs set up on an ASA with a quick copy/paste. It’s again a convenient note to myself that saves me having to trawl around finding Cisco’s documentation. That said, the documentation for this particular config is exceptionally good, and this is shamelessly ripped from this Configuration Guide, simply using the important assumptions from the last RA VPN post I created.

Extra Assumptions from the last post:

  • You’re using the latest (as of writing) AnyConnect SVC images 2.3.0254
  • Your edge device is called firewall and your internet domain name is mydomain.com ;) – seriously though, the certificate FQDN you use in the config below should resolve to the firewall’s interface IP that you’re expecting to connect to, or you’ll have to click through all the browser warnings about the certificate being invalid.

crypto key generate rsa label sslvpnkeypair
crypto ca trustpoint localtrust
enrollment self
fqdn firewall.mydomain.com
subject-name CN=firewall.mydomain.com
keypair sslvpnkeypair
crypto ca enroll localtrust noconfirm
ssl trust-point localtrust outside
webvpn
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc image disk0:/anyconnect-linux-2.3.0254-k9.pkg 2
enable outside
svc enable
ip local pool SSLClientPool 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 192.168.0.3
vpn-tunnel-protocol svc
default-domain value internaldomain.local
address-pools value SSLClientPool
sysopt connection permit-vpn
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
webvpn
tunnel-group-list enable
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
username localvpnuser password 12345678 privilege 0
username localvpnuser attributes
service-type remote-access

Hope this helps!

Posted by: Paul | August 30, 2009

Cisco ASA Remote Access VPN

As a convenient note to myself, and to help anyone else who’d like to get simple Remote Access VPNs set up on their ASA using the Cisco VPN Client 5.x, here’s the very basic configuration using the CLI, as most walkthroughs on the Cisco website are ASDM based.

This is set out to be dumped straight onto an ASA which has little configuration other than basic IP addressing. To add this to a running unit, you’ll have to read here and understand what you’ll need to change before dumping this config straight on.

Assumptions:

  • You’re using 8.2.1 of ASA OS.
  • VPN user authentication will be completed with the local user database.
  • You’ll only be allowed to access the ASA’s inside network from the connecting VPN client (an alternative is offered later on the page).
  • Your internal addressing is 192.168.0.0/24 and the DNS and DHCP configurations used don’t conflict – change as appropriate.
  • The access-list nonat_inside and nat statements are there because they are required on an empty ASA configuration, but you’ll very likely have these set up already, so simply add the ACE from the access-list statement below to your existing nat 0 access-list and don’t add the nat (inside) statement to your config at all.

username localvpnuser password 12345678 privilege 0
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
nat (inside) 0 access-list nonat_inside
crypto isakmp enable outside
ip local pool RAVPNDHCPPOOL 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy RAVPN_ADMIN internal
group-policy RAVPN_ADMIN attributes
dns-server value 192.168.0.2 192.168.0.3
vpn-tunnel-protocol IPSec
default-domain value internaldomain.local
username localvpnuser attributes
vpn-group-policy RAVPN_ADMIN
tunnel-group RAVPN_ADMIN type remote-access
tunnel-group RAVPN_ADMIN general-attributes
default-group-policy RAVPN_ADMIN
address-pool RAVPNDHCPPOOL
tunnel-group RAVPN_ADMIN ipsec-attributes
pre-shared-key C0mpl1c@t3d
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map sys_def_crypto 65535 set pfs group2
crypto dynamic-map sys_def_crypto 65535 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic sys_def_crypto
crypto map outside_map interface outside

When creating the entry in the installed Cisco VPN Client, you’ll need three things: the IP address of the ASA device you’re connecting to, the group name (here it’s RAVPN_ADMIN) and the password for that group, which here is specified in the sub-configuration of tunnel-group RAVPN_ADMIN ipsec-attributes.

This done, you’ll be able to click connect, enter the username and password of the local user you created in the first line of the config, and you’ll be connected to your inside network.

If you consider being connected to the Internet ‘ok’ for your particular situation, you can add split tunnelling to your configuration by adding these five lines:

access-list split_tunnel_list remark The corporate network behind the ASA
access-list split_tunnel_list standard permit 192.168.0.0 255.255.255.0
group-policy RAVPN_ADMIN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
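Both ASA snippets on this page (the AnyConnect block in the post above and this IPsec one) are meant to be pasted straight in, which is exactly when a mistyped group-policy name, a pool that falls outside the nat 0 ACL, or a weak phase-1 policy goes unnoticed. The Python below is an added example, not from the post or from Cisco: it parses a pasted config (the IPsec config from this post is embedded as sample input) and reports dangling references, pools not covered by the NAT exemption, deprecated IKE phase-1 settings (3DES, MD5, DH groups 1/2/5), and guessable secrets. The thresholds (12-character user password, 20-character pre-shared key) and the finding codes are my own assumptions, not anything the post or Cisco specifies.

```python
"""Consistency and weak-setting checks for pasted ASA remote-access VPN config.

Added example, not the post's or Cisco's code. It understands only the
handful of statements used in the two snippets on this page.
"""
import ipaddress

# Constructed sample input: the IPsec RA VPN config from the post, verbatim.
SAMPLE_CONFIG = """\
username localvpnuser password 12345678 privilege 0
access-list nonat_inside extended permit ip any 192.168.0.8 255.255.255.248
nat (inside) 0 access-list nonat_inside
crypto isakmp enable outside
ip local pool RAVPNDHCPPOOL 192.168.0.9-192.168.0.14 mask 255.255.255.0
group-policy RAVPN_ADMIN internal
group-policy RAVPN_ADMIN attributes
dns-server value 192.168.0.2 192.168.0.3
vpn-tunnel-protocol IPSec
default-domain value internaldomain.local
username localvpnuser attributes
vpn-group-policy RAVPN_ADMIN
tunnel-group RAVPN_ADMIN type remote-access
tunnel-group RAVPN_ADMIN general-attributes
default-group-policy RAVPN_ADMIN
address-pool RAVPNDHCPPOOL
tunnel-group RAVPN_ADMIN ipsec-attributes
pre-shared-key C0mpl1c@t3d
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
"""

# Phase-1 values that current guidance treats as deprecated (assumed policy).
WEAK_ISAKMP = {"encrypt": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
MIN_PASSWORD_LEN = 12   # assumed threshold for local user passwords
MIN_PSK_LEN = 20        # assumed threshold for the group pre-shared key


def parse(config_text):
    """Extract the statements the checks need from a pasted config."""
    facts = {"pools": {}, "nonat_nets": [], "group_policies": set(),
             "policy_refs": [], "pool_refs": [], "isakmp": {},
             "passwords": [], "psks": []}
    for raw in config_text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            facts["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "access-list" and t[1].startswith("nonat") and "permit" in t:
            # access-list nonat_inside extended permit ip any NET MASK
            facts["nonat_nets"].append(ipaddress.ip_network(f"{t[-2]}/{t[-1]}", strict=False))
        elif t[0] == "group-policy" and t[2:3] == ["internal"]:
            facts["group_policies"].add(t[1])
        elif t[0] in ("default-group-policy", "vpn-group-policy"):
            facts["policy_refs"].append((t[0], t[1]))
        elif t[0] == "address-pool" or t[:2] == ["address-pools", "value"]:
            facts["pool_refs"].append(t[-1])
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            facts["isakmp"].setdefault(t[3], {})[t[4]] = t[5]
        elif t[0] == "username" and "password" in t:
            facts["passwords"].append((t[1], t[t.index("password") + 1]))
        elif t[0] == "pre-shared-key":
            facts["psks"].append(t[1])
    return facts


def lint(config_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    f = parse(config_text)
    findings = []
    # 1. Every pool address must sit inside a NAT-exempt destination network,
    #    or replies to VPN clients get translated and the tunnel "connects but nothing works".
    for name, (first, last) in f["pools"].items():
        if not any(first in n and last in n for n in f["nonat_nets"]):
            findings.append(f"NAT: pool {name} ({first}-{last}) is not covered by the nat 0 access-list")
    # 2. Dangling references: the classic copy/paste failure is a typo in a policy name.
    for stmt, name in f["policy_refs"]:
        if name not in f["group_policies"]:
            findings.append(f"REF: {stmt} {name} refers to an undefined group-policy")
    for name in f["pool_refs"]:
        if name not in f["pools"]:
            findings.append(f"REF: address pool {name} is referenced but never defined")
    # 3. Deprecated IKE phase-1 parameters.
    for num, attrs in f["isakmp"].items():
        for attr, weak in WEAK_ISAKMP.items():
            if attrs.get(attr) in weak:
                findings.append(f"CRYPTO: isakmp policy {num} uses {attr} {attrs[attr]} (deprecated)")
    # 4. Guessable secrets. The group PSK is shared by every client, so it
    #    should be long and random rather than a memorable word.
    for user, pw in f["passwords"]:
        if len(pw) < MIN_PASSWORD_LEN or pw.isdigit():
            findings.append(f"SECRET: user {user} has a short or all-digit password")
    for psk in f["psks"]:
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"SECRET: pre-shared-key is shorter than {MIN_PSK_LEN} characters")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run as-is, it reports the 3DES and group 2 phase-1 settings and both secrets from the post's config while passing the NAT and reference checks; change one character in a group-policy name or move the pool outside 192.168.0.8/29 and the corresponding REF or NAT finding appears.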

I hope this helps y’all out. I’ll be posting similar configurations using the same assumptions for the Clientless SSL VPN feature and the Cisco SSL VPN Client (AnyConnect VPN Client) shortly.

Posted by: Paul | August 22, 2009

VRF Lite

I’ve been spending a while trying to get my noddle around VRFs in prep for my new job.
I’ve been having real trouble getting decent documentation on it, as for the most part VRF is synonymous with MPLS VPN technology.
This hasn’t helped me at all as I’m on the learning curve and don’t get MPLS properly yet either, so trying to absorb the concepts on MPLS too was all a little too much. But, to my delight, I’ve found a few snippets which nicely summarise everything I’ve needed to know quite quickly and here’s everything that helped me, broken down as follows, basics first.

VRF: firstly, this acronym means one of two things, which are kinda doing the same thing; see Wikipedia:

1. Virtual Routing and Forwarding

Virtual Routing and Forwarding, actually implemented as VRF Lite, is likely to be used in a campus. Given my greater comfort with switching technologies, the following statement made me feel nice and warm as I finally understood WHY you’d use VRFs: “VRFs employ essentially the same concept as VLANs and trunking, but at layer three” AHHHHH!!!
Not having had to deal with traffic segregation on a network segment with routers, other than firewalling at the edge, this really, really helped my conceptual understanding. I totally get VLANs, and since it’s put like that, I understand why VRFs are now interesting!
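The “VLANs at layer three” idea boils down to one thing: each VRF owns a separate routing table, and a packet is only ever looked up in the table of the VRF its ingress interface belongs to, so two VRFs can carry the same address space without ever seeing each other’s routes. The Python below is an added example (not from the post, Cisco or Packetlife) that models exactly that: a constructed router with two VRFs, CORP and GUEST, both using 10.1.0.0/24, and a longest-prefix lookup constrained to the ingress VRF. Interface and VRF names and the prefixes are made up for the demo.

```python
"""Per-VRF forwarding lookup: a constructed model of VRF Lite segregation."""
import ipaddress


class VrfLiteRouter:
    def __init__(self):
        self.tables = {}      # vrf name -> list of (network, next_hop)
        self.iface_vrf = {}   # interface name -> vrf name

    def add_interface(self, iface, vrf):
        """Like 'ip vrf forwarding <vrf>' on an interface: bind it to one table."""
        self.iface_vrf[iface] = vrf
        self.tables.setdefault(vrf, [])

    def add_route(self, vrf, prefix, next_hop):
        """A route exists only in the VRF it is installed in."""
        self.tables.setdefault(vrf, []).append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, ingress_iface, dst):
        """Longest-prefix match restricted to the ingress interface's VRF.

        Returns the next hop, or None when the VRF has no matching route
        (routes in other VRFs are never considered, even for the same prefix).
        """
        if ingress_iface not in self.iface_vrf:
            raise ValueError(f"unknown interface {ingress_iface}")
        vrf = self.iface_vrf[ingress_iface]
        dst = ipaddress.ip_address(dst)
        best = None
        for net, next_hop in self.tables[vrf]:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return None if best is None else best[1]


def build_demo():
    """Constructed topology: CORP and GUEST both use 10.1.0.0/24 behind this router.

    Only CORP has a route to the 192.168.0.0/24 servers; GUEST has just a default
    route to the internet, so the same router keeps the two tenants apart.
    """
    r = VrfLiteRouter()
    r.add_interface("Gi0/1", "CORP")
    r.add_interface("Gi0/2", "GUEST")
    r.add_route("CORP", "10.1.0.0/24", "Gi0/1")          # connected, CORP side
    r.add_route("CORP", "192.168.0.0/24", "10.1.0.254")  # internal servers
    r.add_route("GUEST", "10.1.0.0/24", "Gi0/2")         # same prefix, other tenant
    r.add_route("GUEST", "0.0.0.0/0", "203.0.113.1")     # internet only
    return r


if __name__ == "__main__":
    router = build_demo()
    for iface, dst in [("Gi0/1", "10.1.0.5"), ("Gi0/2", "10.1.0.5"),
                       ("Gi0/1", "192.168.0.10"), ("Gi0/2", "192.168.0.10"),
                       ("Gi0/1", "8.8.8.8")]:
        print(f"{iface} -> {dst}: {router.lookup(iface, dst)}")
```

The interesting lines in the output are the two lookups for 10.1.0.5, which resolve to different interfaces depending on where the packet came in, and the GUEST lookup for 192.168.0.10, which follows GUEST’s default route to the internet rather than CORP’s route to the servers, because that route simply does not exist in GUEST’s table.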

2. VPN Routing and Forwarding

This is what I previously knew about VRFs, in as much as I knew the name and knew it was ‘out there’ and used by my ISP to get data to/from other sites for us, and it worked fine and dandy. This link to Cisco is part of their MPLS VPN technology document and, although I don’t get it properly yet, shows the instance where VRF is used and how interlinked it is with MPLS VPNs.

I was actually asked what VRF stood for in my interview for the job I start on Monday. I answered with VPN routing and forwarding and was told I was wrong and was fed back with the other answer, Virtual Routing and Forwarding. I’m subsequently glad I’ve now discovered I was actually right, AND they were right, but the answer wasn’t the one they were looking for as the technology they use is VRF Lite, rather than VRF which is described in the above linked Cisco technote and is actually likely to be routing private address spaces across the Internet for customers such as my old employer.

Thanks to Stretch on Packetlife.net for the Eureka moment!

Posted by: Paul | August 22, 2009

Nice Summer?

Hey all! You been enjoying the summer?
I certainly have, and with my new job starting on Monday I think I’ve wholly deserved it. I’ve enjoyed a nice couple of weeks off, although being at home has meant I’ve been loaded with a certain amount of anticipation and a tendency to get the tech tools out to brush up on the skills before the new job.
God knows why I did that. If I’d been abroad I wouldn’t have seen a screen for weeks, so I feel a bit of an arse for doing it, just that it’s in my blood to get my shit together and make sure I’m feeling mildly confident at least on my first day.
Still, frustrations aside, new challenges await and I’m looking forward to getting paid as a debt free human being. It’s been an extremely long time since I’ve been able to say ‘I don’t owe anyone any money’ (9 years) but I can now say that with glee and I don’t intend on changing that in the near future! I must say I’m missing the old crew though. I hated leaving my old job, so many really genuinely nice people there, and I really enjoyed my last day and was taken aback by all the lovely messages people wrote for me, so if anyone’s reading.. Miss you!! :(
Still, looking forwards and upwards!

Here’s to Life v2 folks! Cheers!

Posted by: Paul | June 4, 2009

Nice little Einstein quote..

“Imagination is more important than knowledge. For knowledge is limited to all we now know and understand, while imagination embraces the entire world, and all there ever will be to know and understand.”

Posted by: Paul | June 3, 2009

The movie “Home” by Yann Arthus-Bertrand

Yann Arthus-Bertrand is releasing a free to download movie on June 5th (Friday). I will be making a point of downloading it the moment it’s released and am REALLY looking forward to seeing it.

Yann is a passionate talker who’s very much interested in the care and conservation of the planet we all live on.

“We don’t want to believe what we know is true” is one of the quotes from a recent TED talk about his photojournalism that really struck me. It’s very sobering to hear that statement. I’m hearing more spokespeople for the environment regardless of their chosen profession making more stark, real and simple warnings about the ignorance of the efforts of the conservation organisations and climate change professionals.

I’ll post a review of the movie Saturday morning after I’ve watched “Home” and I hope it’s going to be a positive write up. I’m sure the movie will be beautiful if somewhat depressing. Seems to be part of the bag these days though: no one’s taking any serious bloody notice, and people are really struggling to find anything positive to spin about the events and predictions of the future climate.

I’m reading Lovelock’s new book “The vanishing face of Gaia – A final Warning” at the moment and will post my thoughts on that too after the weekend.

Peace and Out.

UPDATE  – I forgot to post the link to Yann’s site.. Go here

Posted by: Paul | June 1, 2009

Survival School

I’ve booked myself and my housemate up on a 3 day Survival Course in late July with Trueways Survival School. I had originally intended to do the 5 dayer in Cumbria, but sense came back to me and I realised that 3 days in the New Forest would be a good enough taster for trying out the School’s teachings, and it’s a 45 minute drive rather than the half a day’s worth of driving it would have taken me to get to the Cumbria course!

Still, really looking forward to learning some crafts and stuff.. not so sure about eating ze worm and that, but it’s all about Survival innit! :)

Posted by: Paul | May 31, 2009

Sunday School

Being as it’s Sunday and the traditional day for wandering into your chosen place of worship, I can’t help but place some well worded quotes here which I found from a thread contributor to an intriguing blog yesterday.

I don’t intend to offend anyone in particular – though these quotes likely will, depending on your chosen persuasion – if you do choose to take to heart any of these comments, I suggest you read the blog linked above and see the VERY long discussion it’s created, naturally, about religion. My point of view falls fairly and squarely in the Agnostic and/or Atheist camp, probably Atheist, as the following quote sums it up nicely for me :-
“I am an atheist, out and out. It took me a long time to say it. I’ve been an atheist for years and years, but somehow I felt it was intellectually unrespectable to say that one is an atheist, because it assumed knowledge that one didn’t have. Somehow it was better to say one was a humanist or agnostic. I don’t have the evidence to prove that God doesn’t exist, but I so strongly suspect that he doesn’t that I don’t want to waste my time.”
-Isaac Asimov

I seriously doubt I will be the first person in the modern world to find tangible evidence that I can take to some other person and say “look, here’s God”. So I’m with Isaac on this one.
Below are the rest of the quotes I thought were well written.

“I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours.”
-Stephen Roberts

“Is God willing to prevent evil, but not able? Then he is not omnipotent. Is he able, but not willing? Then he is malevolent. Is he both able and willing? Then whence cometh evil? Is he neither able nor willing? Then why call him God?”
-Epicurus

“Religion is regarded by the common people as true, by the wise as false, and by the rulers as useful.”
-Seneca the Younger 4 b.c.- 65 a.d.

“Don’t pray in my school, and I won’t think in your church.”

“We must respect the other fellow’s religion, but only in the sense and to the extent that we respect his theory that his wife is beautiful and his children smart.”
-H. L. Mencken

“The pioneers and missionaries of religion have been the real cause of more trouble and war than all other classes of mankind.”
-Edgar Allan Poe

“I do not believe in the creed professed by the Jewish church, by the Roman church, by the Greek church, by the Turkish church, by the Protestant church, nor by any church that I know of….Each of those churches accuse the other of unbelief; and of my own part, I disbelieve them all.”
-Thomas Paine

“The idea of God was not a lie but a device of the unconscious which needed to be decoded by psychology. A personal god was nothing more than an exalted father-figure: desire for such a deity sprang from infantile yearnings for a powerful, protective father, for justice and fairness and for life to go on forever. God is simply a projection of these desires, feared and worshipped by human beings out of an abiding sense of helplessness. Religion belonged to the infancy of the human race; it had been a necessary stage in the transition from childhood to maturity. It had promoted ethical values which were essential to society. Now that humanity had come of age, however, it should be left behind.”
-Sigmund Freud

Posted by: Paul | May 30, 2009

On Protein Supplementation

Here’s to those of you nailing 10’s or even 100’s of pounds/dollars on Sports Nutrition out there.. Have a read of this.

  • 3 g or more per kilo of body weight a day of protein is really quite BAD for you (arteriosclerosis and kidney problems).
  • Generous and continuous protein supplementation leaves your body assuming that that much protein is always available in the diet; subsequently, when you stop supplementation, muscle loss occurs because the body hasn’t accounted for the fact that it has to work again to extract protein efficiently from food in its naturally occurring amounts. (Nice way of you continuing to buy vendors’ products for fear of muscle loss, eh!?)
  • It seems accepted that 1.6/1.7 g per kilo of body weight a day is all enthusiastic gym goers and general athletes need to ensure you are fuelling hypertrophy to its fullest extent.
  • When increasing calorific intake, the proportion of those calories made up of protein increases in a linear fashion. So anyone ‘eating well’ using a wholefood/non-refined food lifestyle can see that the protein intake from a 4000 kcal a day intake will more than easily fulfil the daily requirement of protein.
  • Protein supplements seem useful in THREE very specific situations.
    1. Timing: ensuring you get the protein to the muscle in a timely manner, before and/or immediately after exercise.
    2. Convenience: not many people carry round snacks containing a rapidly absorbed protein compound they can get in them within 30 mins of finishing exercise.
    3. Elite athletes being trained by people very much more experienced and clever than me. I’m talking pro athletes here, the sort of people that are putting in the amount of training hours a day equivalent to the hours I pilot my desk a day (lucky bastards).
  • As a result of knowing you’re receiving the correct amount of protein from a good lifestyle, THE most IMPORTANT thing in attempting to support hypertrophy is total calorific intake. Getting in around 20% more than you estimate you need to support your weight on a maintenance basis is where you should start, and you should expect to see gains of 0.5 – 1 kg of lean weight a month. Much more or less than this and you should adjust your intake accordingly.

I hope this condensed snippet of information is useful to some of you washed up meatheads out there!

