ASA AnyConnect Split Tunneling Or Why Are You Doing NAT from the Outside?

It has been a while since I have posted anything on my blog, but a few days ago I came across an interesting situation that is uncommon and counter-intuitive. It has to do with the way the Cisco ASA treats NAT in one particular case.

An ASA was configured with split tunneling disabled for Cisco AnyConnect clients, so all of the clients' traffic is sent through the VPN. The same ASA also terminates several IPsec site-to-site tunnels to remote sites. As soon as the clients connected they could reach the internal LAN, but neither the Internet nor the remote sites.

The reason, as you may have guessed, has to do with how NAT is configured. With split tunneling disabled, the clients' Internet-bound and remote-site traffic arrives decrypted on the outside interface and has to leave through that same outside interface (a hairpin, or U-turn), which is not the direction the usual inside-to-outside NAT rules cover.

So here we go.

Continue reading “ASA AnyConnect Split Tunneling Or Why Are You Doing NAT from the Outside?”

Hostapd plus IPV6: A Follow Up

It has been about a week since I turned an Ubuntu 13.04 box into a wireless hotspot, and it works great.

So a few remarks.

When hostapd is started it clobbers the IPV6 setup on the wireless interface. This is a kernel bug, and an old one; see:

Of course the developers have not fixed it, and they pointed out, somewhat sarcastically, that the interface needs to go down in order for hostapd to enable the features an access point needs.

But it does not clobber IPV4: the kernel keeps the IPv4 addresses across the down/up cycle while it flushes the interface's IPv6 addresses and routes, so I am sorry, but they are too lazy to fix it. There is a workaround as always: after you start hostapd, just add the IPV6 address back to your wireless interface. This can be done automatically from rc.local when the machine boots.
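As an added example (not a script from the original post), here is an rc.local-style script that starts hostapd, waits for the interface to come back up, and re-adds the IPv6 address only if the down/up cycle actually removed it, so it is safe to run more than once. The interface name, the hostapd config path and the 2001:db8 documentation address are assumptions for illustration.

```shell
#!/bin/sh
# Added example: restore the IPv6 address that hostapd's down/up cycle removes.
# Assumed values (not from the original post): interface wlan0, a documentation
# prefix address, and the default hostapd config path.
WLAN_IF="${WLAN_IF:-wlan0}"
WLAN_IP6="${WLAN_IP6:-2001:db8:1:2::1/64}"
HOSTAPD_CONF="${HOSTAPD_CONF:-/etc/hostapd/hostapd.conf}"

# has_addr TEXT ADDR: succeed if ADDR (with prefix length) is listed as an
# inet6 address in TEXT, where TEXT is the output of `ip -6 addr show`.
has_addr() {
    printf '%s\n' "$1" | grep -q "inet6 $2 "
}

# ensure_ipv6: re-add the address only if it is missing, so the script can be
# run repeatedly (from rc.local, a cron job, or by hand) without errors.
ensure_ipv6() {
    current=$(ip -6 addr show dev "$WLAN_IF" 2>/dev/null)
    if has_addr "$current" "$WLAN_IP6"; then
        return 0
    fi
    # Defensive: make sure IPv6 is still enabled on the interface before adding.
    sysctl -q -w "net.ipv6.conf.${WLAN_IF}.disable_ipv6=0"
    ip -6 addr add "$WLAN_IP6" dev "$WLAN_IF"
}

# start_hotspot: start hostapd in the background (-B), wait for the interface
# to come back up, then restore the address the kernel flushed on the way down.
start_hotspot() {
    hostapd -B "$HOSTAPD_CONF" || return 1
    for i in 1 2 3 4 5; do
        ip link show dev "$WLAN_IF" 2>/dev/null | grep -q 'state UP' && break
        sleep 1
    done
    ensure_ipv6
}

# Run as `sh this-script.sh start` from rc.local; sourcing the file only
# defines the functions.
if [ "${1:-}" = "start" ]; then
    start_hotspot
fi
```

The check before the add matters: `ip -6 addr add` fails with "File exists" if the address is already present, which would make a naive rc.local line abort on a second run.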

You can run the router as a virtual machine. I use VirtualBox; of course you need a host with enough resources to run VMs.

But the router does not need much: if you do not install X, you can get away with 256 MB of memory for the VM.

Then you start the VM headless:

/usr/bin/VBoxManage startvm "VMName" --type headless

And remember to pass the USB wireless adapter through to the VM: the host must recognize it first, and a VirtualBox USB filter then attaches it to the VM. Then run "ifconfig wlan0 down" on the host so the host stops using the adapter.

The setup is fairly general: if you want the Ubuntu box to also act as your Internet router, it can be done. In that case you need three interfaces: ETH0 to the Internet, ETH1 to your LAN and WLAN0 for wireless.

The setup should be straightforward, but you now need a good IPTABLES configuration, since you are forwarding packets between the three interfaces: a default-deny FORWARD policy, stateful rules for return traffic, and masquerading only on the Internet-facing interface.
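Here is an added example (not the original post's configuration) of such a ruleset for the three-interface layout, with the rules generated by shell functions and loaded atomically with iptables-restore and ip6tables-restore. Interface names, the accepted DHCP/DNS ports and the V6_NAT toggle are assumptions; with V6_NAT=1 the IPv6 side masquerades a private prefix behind the WAN address, the approach of the "IPV6 Ad-Hoc Networks plus Masquerading" post below, and with the default 0 it routes a real /64 without NAT.

```shell
#!/bin/sh
# Added example: stateful three-interface router rules (not from the original post).
# Assumed interface roles: WAN to the provider, LAN wired, WLAN the hostapd hotspot.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
WLAN="${WLAN:-wlan0}"
# V6_NAT=1 masquerades a private (ULA) IPv6 prefix behind the WAN address;
# with a routed /64 on the hotspot leave it at 0 (no IPv6 NAT at all).
V6_NAT="${V6_NAT:-0}"

# v4_rules: iptables-restore ruleset. INPUT and FORWARD default to DROP; only
# return traffic, the trusted LAN, and DHCP/DNS/ping from the hotspot get in.
v4_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -i $WLAN -p udp --dport 67 -j ACCEPT
-A INPUT -i $WLAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $WLAN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $WLAN -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WLAN -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $WLAN -j ACCEPT
-A FORWARD -i $WLAN -o $LAN -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# v6_rules: ip6tables-restore ruleset. ICMPv6 must pass for neighbour discovery
# and router advertisements; DHCPv6 (udp/547) and DNS are accepted from the hotspot.
v6_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -i $WLAN -p udp --dport 547 -j ACCEPT
-A INPUT -i $WLAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $WLAN -p tcp --dport 53 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p ipv6-icmp -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A FORWARD -i $WLAN -o $WAN -j ACCEPT
-A FORWARD -i $LAN -o $WLAN -j ACCEPT
-A FORWARD -i $WLAN -o $LAN -j ACCEPT
COMMIT
EOF
    if [ "$V6_NAT" = "1" ]; then
        cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
    fi
}

# apply_rules: enable forwarding and load both rulesets atomically. Once
# forwarding is on, the kernel ignores router advertisements on the WAN side
# unless accept_ra=2, so set it if the default route comes from the provider's RA.
apply_rules() {
    sysctl -q -w net.ipv4.ip_forward=1
    sysctl -q -w net.ipv6.conf.all.forwarding=1
    sysctl -q -w "net.ipv6.conf.${WAN}.accept_ra=2"
    v4_rules | iptables-restore
    v6_rules | ip6tables-restore
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh router-rules.sh apply` from rc.local. The IPv6 nat table needs kernel 3.7 or newer and a matching ip6tables, which Ubuntu 13.04 has; if you want the hotspot isolated from the wired LAN, drop the two FORWARD rules between $LAN and $WLAN.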


Hostapd + DHCPV6 + IPV6 + Ubuntu 13.04

Hello again.

In a previous post I showed how to use an Ad-Hoc network with IPTables masquerading to let Wi-Fi clients connect.

The main reason was that I already have a dual-stack FC box running that connects me to my cable provider.

I use a cheap wireless router when I need Wi-Fi connectivity for my smartphone or my laptop, but it does not support IPV6, so the Ad-Hoc setup worked like a charm.

The setup has a drawback. On my wireless router I used MAC filtering, so only clients with MAC addresses you allow can associate and get an address. Keep in mind that MAC filtering is not real access control: a determined attacker can sniff an allowed client's address and spoof it, so it is only a convenience on top of WPA2 encryption, not a replacement for it.

In addition, the Ad-Hoc network was unreliable, so I decided to make the FC server a hotspot with hostapd and use DNSMASQ for DHCPV6. It works great.

So here we go.

Continue reading “Hostapd + DHCPV6 + IPV6 + Ubuntu 13.04”
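As an added example (not the post's own configuration), here is a script that writes a hostapd.conf for a WPA2-protected hotspot that also keeps the MAC allow-list the cheap router provided, plus a dnsmasq.conf that hands out IPv4 leases and DHCPv6 with router advertisements on the hotspot interface. The SSID, passphrase, interface name, addresses, file paths and the two MAC addresses in the allow-list are placeholders constructed for illustration.

```shell
#!/bin/sh
# Added example: hostapd + dnsmasq (DHCPv4, DHCPv6, RA) hotspot configuration.
# All names and addresses below are placeholders, not the original post's values.
WLAN="${WLAN:-wlan0}"
SSID="${SSID:-hotspot}"
PSK="${PSK:-change-this-passphrase}"   # WPA2 passphrase, 8 to 63 characters
ACL_FILE="${ACL_FILE:-/etc/hostapd/hostapd.accept}"

# hostapd_conf: WPA2-PSK with CCMP only (no TKIP), plus a MAC allow-list.
# macaddr_acl=1 means "deny unless listed"; it only narrows who may try to
# associate, the encryption is what actually keeps others out.
hostapd_conf() {
    cat <<EOF
interface=$WLAN
driver=nl80211
ssid=$SSID
hw_mode=g
channel=6
ieee80211n=1
wmm_enabled=1
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=$PSK
macaddr_acl=1
accept_mac_file=$ACL_FILE
EOF
}

# dnsmasq_conf: DHCPv4 plus DHCPv6 and router advertisements on the hotspot.
# 'constructor:' derives the IPv6 range from the prefix already on $WLAN, so
# the same file works whether that prefix is a routed /64 or a private one.
dnsmasq_conf() {
    cat <<EOF
interface=$WLAN
bind-interfaces
dhcp-authoritative
dhcp-range=10.0.1.50,10.0.1.150,12h
dhcp-range=::100,::1ff,constructor:$WLAN,ra-names,12h
enable-ra
EOF
}

# valid_mac: accept only six colon-separated hex pairs, the format hostapd
# reads from accept_mac_file (one address per line).
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# write_acl FILE MAC...: write the allow-list, refusing malformed entries so a
# typo does not silently lock a device out or leave the file misparsed.
write_acl() {
    file="$1"; shift
    for mac in "$@"; do
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    done
    printf '%s\n' "$@" > "$file"
}

# install_configs: write the files into place; the two MACs are constructed samples.
install_configs() {
    hostapd_conf > /etc/hostapd/hostapd.conf
    dnsmasq_conf > /etc/dnsmasq.d/hotspot.conf
    write_acl "$ACL_FILE" 02:00:00:00:00:01 02:00:00:00:00:02
}

if [ "${1:-}" = "install" ]; then
    install_configs
fi
```

Run `sh hotspot-configs.sh install` as root, then restart hostapd and dnsmasq. dnsmasq only builds the DHCPv6 range once $WLAN carries a global /64 address, so this pairs with re-adding the address after hostapd starts.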

IPV6 Ad-Hoc Networks plus Masquerading

Now that I have a dual stack working with IPV6, I decided to test wireless with IPV6.

That posed a problem: the wireless router I use does not support IPV6 and cannot be upgraded, but even an upgrade would not have helped me, since my provider hands me a single /64 and you cannot split it into several networks, say two /65s. Stateless address autoconfiguration (SLAAC) requires a 64-bit interface identifier, so it breaks on any prefix longer than /64, and you need separate networks to route properly.

Continue reading “IPV6 Ad-Hoc Networks plus Masquerading”