There are limitations when you deploy Office 365 without ADFS or a hybrid Exchange deployment. In this article I would like to write about SMTP addresses.
The SMTP addresses live in the ProxyAddresses attribute of the on-premises user account, and that attribute is synchronized to Office 365.
Because the on-premises directory is authoritative for synchronized users, you cannot add SMTP addresses on the cloud side; you have to use the Attribute Editor in Active Directory Users and Computers or PowerShell on-premises instead.
For PowerShell, import the ActiveDirectory module (part of the RSAT / AD DS tools installed through Server Manager). One way to add, remove or replace SMTP addresses is the Set-ADUser cmdlet with -Add, -Remove or -Replace, giving it string values of the form smtp:alias@domain for the multivalued ProxyAddresses property. The single value written with an upper-case SMTP: prefix is the primary address, every lower-case smtp: value is a secondary alias, and the change reaches Office 365 with the next synchronization cycle.
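The string values you hand to Set-ADUser follow a simple format, and a bad set (two upper-case SMTP: primaries, or the same address twice in different case) only surfaces later as a synchronization error on the user. The following is an added example, not from the original post: a small Python helper that models the ProxyAddresses format, validates a set before it is written and shows how adding an alias or promoting a new primary changes the values. The sample mailbox addresses and the function names are mine; the lists it returns are the values you would pass to Set-ADUser -Replace @{ProxyAddresses=...}.

```python
"""Model and validate an Active Directory ProxyAddresses value set.

Added example (not from the original post). Each value has the form
"<prefix>:<address>"; for mail addresses the prefix is "smtp". Exactly one
value carries the upper-case prefix "SMTP:" and is the primary address;
every other mail address is a secondary alias written as "smtp:...".
"""
import re

# Deliberately simple: one "@" and a dot in the domain part is enough to
# catch typos. It is not a full RFC 5321 validator.
_MAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_proxy_address(value):
    """Split 'SMTP:user@example.com' into (prefix, address, is_primary)."""
    prefix, sep, address = value.partition(":")
    if not sep or not prefix or not address:
        raise ValueError(f"malformed proxy address: {value!r}")
    if prefix.lower() == "smtp" and not _MAIL_RE.match(address):
        raise ValueError(f"invalid SMTP address: {value!r}")
    # Only the exact upper-case prefix marks the primary address;
    # "smtp:" and mixed case are secondary aliases.
    return prefix, address, prefix == "SMTP"


def validate_proxy_addresses(values):
    """Return a copy of `values` if the set is consistent, else raise ValueError.

    Checks: every entry parses, no address appears twice (compared
    case-insensitively, as the directory does), and there is exactly one
    primary SMTP: address.
    """
    seen = set()
    primaries = 0
    for v in values:
        prefix, address, is_primary = parse_proxy_address(v)
        key = (prefix.lower(), address.lower())
        if key in seen:
            raise ValueError(f"duplicate proxy address: {v!r}")
        seen.add(key)
        if prefix.lower() == "smtp" and is_primary:
            primaries += 1
    if primaries != 1:
        raise ValueError(f"expected exactly one SMTP: primary, found {primaries}")
    return list(values)


def add_alias(values, alias, make_primary=False):
    """Return a new list with `alias` added as a secondary, or as the new primary."""
    new = list(values)
    if make_primary:
        # Demote the current primary to a lower-case secondary first.
        new = ["smtp:" + v[len("SMTP:"):] if v.startswith("SMTP:") else v for v in new]
        new.append("SMTP:" + alias)
    else:
        new.append("smtp:" + alias)
    return validate_proxy_addresses(new)


def remove_alias(values, alias):
    """Return a new list without `alias`; refuses to leave the user without a primary."""
    new = [v for v in values
           if not (v.lower().startswith("smtp:")
                   and v[len("smtp:"):].lower() == alias.lower())]
    return validate_proxy_addresses(new)


if __name__ == "__main__":
    current = ["SMTP:jan.novak@contoso.com"]        # constructed sample user
    current = add_alias(current, "jnovak@contoso.com")
    current = add_alias(current, "jan@contoso.com", make_primary=True)
    for v in current:
        print(v)
```

Run the validator over the list you are about to write with -Replace (or over the existing attribute plus what you -Add); a ValueError here is the same condition that would otherwise show up as a duplicate-proxy-address or missing-primary error after the next synchronization.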
During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab exercises for students, so they can test basic settings for VPN, IPS and other features. The tasks were created for Virtlab (a virtual lab built on physical Cisco routers); the configuration is also valid and tested on physical Cisco routers.
Each task in the series has its own post with a brief description of the task and its schema. The complete task can be downloaded from my OneDrive.
NS2 – Modul2 8.3.3 ASA task definition
ASA as transparent firewall
Goal
Configure the ASA as a transparent firewall.
Generate test traffic over HTTP, FTP and ICMP.
Apply an access list and recheck the configuration.
Do not forget to clear the configuration before you start.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be added here.
Topology
Configuration
PC1
ifconfig int3 10.0.0.2 netmask 255.255.255.0 ;set IP address
route add default gw 10.0.0.1 dev int3 ;set default gw
SERVER
R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model ;enable AAA
SERVER(config)#aaa authentication login telnet local ;method list "telnet" authenticates against the local user database
SERVER(config)#username cisco password cisco ;lab credentials used for telnet, HTTP and FTP
SERVER(config)#enable password cisco ;set enable password for privileged mode (lab only; use enable secret outside the lab)
SERVER(config)#ip http server ;enable HTTP server
SERVER(config)#ftp-server enable ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/ ;set top directory for FTP server
SERVER(config)#line vty 0 4 ;enable telnet connections
SERVER(config-line)#login authentication telnet ;apply the method list defined above to the vty lines
ASA
1) Firewall settings
ciscoasa(config)# hostname ASA1
ASA1(config)# firewall transparent ;switch the appliance to transparent (layer 2) mode
ASA1(config)# interface INT1
ASA1(config-if)# nameif outside ;any name other than "inside" gets security level 0 automatically
ASA1(config-if)# no shutdown
ASA1(config)# interface INT2
ASA1(config-if)# nameif inside ;the name "inside" gets security level 100 automatically
ASA1(config-if)# no shutdown
ASA1(config)# ip address 10.0.0.253 255.255.255.0 ;management IP address of the transparent firewall, in the same subnet as the hosts it bridges
ASA1(config)# debug icmp trace ;turn on debugging of ICMP traffic through the firewall
Check connectivity as described in function test F1 before applying the access list.
2) Apply access lists
ASA1(config)# access-list FWRULEIN permit icmp any any ;echo requests in and, because ICMP is not inspected by default, echo replies back to the inside hosts
ASA1(config)# access-list FWRULEIN permit udp any any eq 20 ;FTP runs over TCP, so these two UDP lines never match anything
ASA1(config)# access-list FWRULEIN permit udp any any eq 21
ASA1(config)# access-list FWRULEIN permit tcp any any eq www
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp ;FTP control channel; the data channel is opened by the ASA's default FTP inspection
ASA1(config)# access-group FWRULEIN in interface outside ;everything else arriving on outside is dropped by the implicit deny
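Before looking at the pictures it helps to walk the access list the way the ASA does. The following is an added example, not part of the lab: a small Python model of first-match evaluation for an access-group applied inbound on outside, loaded with the five FWRULEIN lines above and with constructed test flows from PC1 (10.0.0.2, from the PC1 configuration above) to SERVER (10.0.0.254). The function names and the test flows are mine. It shows two things the pictures do not: the two udp lines are never hit, because FTP is TCP, and a passive-mode FTP data connection is denied by the list itself and only succeeds because the ASA's default FTP inspection opens the pinhole.

```python
"""First-match evaluation of the lab's FWRULEIN access list.

Added example (not part of the original lab): a minimal Python model of how
the ASA walks an access-group applied "in" on the outside interface. It
understands the subset of access-list syntax the labs use (any / host A /
A MASK, optional "eq <port>") and ends with the implicit deny the ASA adds
to every access list.
"""
from ipaddress import ip_address, ip_network

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}


def _parse_addr(tokens, i):
    """Parse one address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    # "10.0.0.0 255.255.255.0" style: ipaddress accepts a dotted netmask.
    return ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_rule(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "access-list":
        raise ValueError(f"unsupported access-list line: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, i = _parse_addr(tokens, 4)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        dport = PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def evaluate(rules, flow):
    """Return (action, index) of the first matching rule, or ('deny', None)."""
    for idx, r in enumerate(rules):
        if r["proto"] != "ip" and r["proto"] != flow["proto"]:
            continue
        if ip_address(flow["src"]) not in r["src"] or ip_address(flow["dst"]) not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != flow.get("dport"):
            continue
        return r["action"], idx
    return "deny", None  # implicit deny at the end of every ASA access list


def hit_counts(rules, flows):
    """How many of `flows` each rule is the first match for; 0 means a dead rule."""
    counts = [0] * len(rules)
    for flow in flows:
        _, idx = evaluate(rules, flow)
        if idx is not None:
            counts[idx] += 1
    return counts


# Rules exactly as the lab applies them on the outside interface.
FWRULEIN = [parse_rule(line) for line in """
access-list FWRULEIN permit icmp any any
access-list FWRULEIN permit udp any any eq 20
access-list FWRULEIN permit udp any any eq 21
access-list FWRULEIN permit tcp any any eq www
access-list FWRULEIN permit tcp any any eq ftp
""".split("\n") if line.strip()]

# Constructed outside -> inside flows for the F2 test (first packet of each
# connection only; the ASA's stateful inspection admits the return traffic).
TEST_FLOWS = [
    {"proto": "icmp", "src": "10.0.0.2", "dst": "10.0.0.254"},                 # ping server
    {"proto": "tcp", "src": "10.0.0.2", "dst": "10.0.0.254", "dport": 80},     # lynx http://
    {"proto": "tcp", "src": "10.0.0.2", "dst": "10.0.0.254", "dport": 21},     # lynx ftp:// control
    {"proto": "tcp", "src": "10.0.0.2", "dst": "10.0.0.254", "dport": 50000},  # passive FTP data
    {"proto": "tcp", "src": "10.0.0.2", "dst": "10.0.0.254", "dport": 23},     # telnet, not in the ACL
]

if __name__ == "__main__":
    for flow in TEST_FLOWS:
        action, idx = evaluate(FWRULEIN, flow)
        print(f"{flow['proto']:4} dport={flow.get('dport')!s:5} -> {action} (rule {idx})")
    print("hits per rule:", hit_counts(FWRULEIN, TEST_FLOWS))
```

Run it as a script to print the verdict per flow. The parser also handles the "host" form used by the OUTSIDEIN list in the Easy VPN lab, so the same evaluator shows that a list permitting only traffic to the outside interface address leaves nothing for through-the-box traffic. ICMP is the other case where the list, not connection state, decides both directions, because ICMP is not inspected by default.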
Function test
Screenshots are taken from the text web browser lynx; you get similar results from a graphical web browser on Linux or Windows.
F1) Before access lists
outside -> inside
ASA1(config)# debug icmp trace ;turn on debugging for ICMP
PC1#ping 10.0.0.253 ;ping the firewall management address
PC1#ping 10.0.0.254 ;ping the server
PC1#lynx http://10.0.0.254 ;initiate an HTTP connection to the server - without an access list the ASA drops it, because traffic from outside (security level 0) to inside (100) is denied by default
PC1#lynx ftp://10.0.0.254 ;initiate an FTP connection to the server
The pictures show the results of these commands.
inside -> outside
SERVER#ping 10.0.0.100 ;ping PC1 from server
The picture shows the result of this command.
F2) After applying the access list
outside -> inside
PC1#ping 10.0.0.253 ;ping the firewall management address
PC1#ping 10.0.0.254 ;ping the server
PC1#lynx http://10.0.0.254 ;initiate an HTTP connection to the server
PC1#lynx ftp://10.0.0.254 ;initiate an FTP connection to the server
The pictures show the results of these commands.
inside -> outside
SERVER#ping 10.0.0.100 ;ping PC1 from server
The picture shows the result of this command.
Optional tasks
Try different access lists that deny and permit other kinds of traffic.
NS2 – Modul2 6.7.1 ASA task definition
Easy VPN server on ASA, SW client
Goal
Configure a WebVPN server on the ASA.
Initialize the tunnel.
Generate a test connection over HTTP.
Use the AnyConnect client in the advanced task.
Do not forget to clear the configuration before you start.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be added here.
NS2 – Modul2 6.5.9b ASA task definition
Easy VPN server on ASA, SW client
Goal
Configure an Easy VPN server on the ASA.
Initialize the tunnel.
Generate test connections over HTTP, FTP and ICMP.
Use the text-mode VPN client, or the Cisco VPN client if you have a GUI available on your system.
Do not forget to clear the configuration before you start.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be added here.
R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT3
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model ;enable AAA
SERVER(config)#aaa authentication login telnet local ;method list "telnet" authenticates against the local user database
SERVER(config)#username cisco password cisco ;lab credentials used for telnet, HTTP and FTP
SERVER(config)#enable password cisco ;set enable password for privileged mode (lab only; use enable secret outside the lab)
SERVER(config)#ip http server ;enable HTTP server
SERVER(config)#ftp-server enable ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/ ;set top directory for FTP server
SERVER(config)#line vty 0 4 ;enable telnet connections
SERVER(config-line)#login authentication telnet ;apply the method list defined above to the vty lines
ASA
1) Interface settings, Access lists
ciscoasa(config)# hostname ASA-GATE
ASA-GATE(config)# domain-name test
ASA-GATE(config)# interface INT1
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 10
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 10
ASA-GATE(config-if)# ip address 192.168.0.1 255.255.255.0
ASA-GATE(config-if)# nameif outside
ASA-GATE(config-if)# no shutdown
ASA-GATE(config)# interface INT2
ASA-GATE(config-if)# switchport mode access
ASA-GATE(config-if)# switchport access vlan 20
ASA-GATE(config-if)# no shutdown
ASA-GATE(config-if)# interface vlan 20
ASA-GATE(config-if)# ip address 10.0.0.1 255.255.255.0
ASA-GATE(config-if)# nameif inside
ASA-GATE(config-if)# no shutdown
ASA-GATE(config)# access-list OUTSIDEIN permit ip any host 192.168.0.1 ;only traffic addressed to the outside interface; on the ASA interface access lists do not filter traffic destined to the appliance itself, so the practical effect is that nothing from outside is allowed through the firewall
ASA-GATE(config)# access-list CRYPTED permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 ;traffic between the inside LAN and the VPN pool, which must not be translated
ASA-GATE(config)# nat (inside) 0 access-list CRYPTED ;NAT exemption for the traffic matched by CRYPTED
ASA-GATE(config)# nat (inside) 1 0 0 ;translate everything else from inside
ASA-GATE(config)# global (outside) 1 interface ;to the outside interface address
ASA-GATE(config)# access-group OUTSIDEIN in interface outside
ASA-GATE(config)# username VPNUSERNAME password cisco ;username and password for the VPN (XAUTH) login; lab credentials only
2) IPsec and ISAKMP configuration
ASA-GATE(config)# ip local pool VPNADDRESSPOOL 10.0.0.10-10.0.0.20 ;IP pool for hosts connected through the remote-access VPN
ASA-GATE(config)# tunnel-group VPNGROUP type ipsec-ra ;create tunnel group for remote-access connections (the keyword is remote-access on ASA 8.x and later)
ASA-GATE(config)# tunnel-group VPNGROUP general-attributes ;and define its attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL ;assign the IP pool
ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP ipsec-attributes ;IKE (phase 1) authentication attributes of the group
ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco ;group key the client enters together with the group name; lab value only
ASA-GATE(config)# crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-sha-hmac ;IPsec (phase 2) transform set; 3DES is kept for the old lab clients, use AES outside the lab
ASA-GATE(config)# crypto dynamic-map DYNAMICMAP 10 set transform-set REMOTEVPNTRSET ;dynamic map, because the client addresses are not known in advance
ASA-GATE(config)# crypto map CLIENTMAP 20 ipsec-isakmp dynamic DYNAMICMAP ;bind the dynamic map into the static map that is applied to the interface in step 3
3) Applying the crypto map and access list to the interface
F2a) on Unix-based PC
Run a terminal and then generate ICMP traffic with the ping command.
PC1#ping 10.0.0.100
The picture shows the result of this command.
F2b) on Windows-based PC
Start -> Run -> type cmd.exe, then generate ICMP traffic with the ping command.
PC1#ping 10.0.0.100
The picture shows the result of this command.
F3) Initialize tunnel
F3a) on Unix – text vpn client
PC1#vpnc ;run the text-mode VPN client
- insert the gateway - IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco
- insert the username and password defined for the group -> VPNUSERNAME/cisco
The picture shows the result on the PC.
The picture shows the result of ifconfig tun0.
F3b) on Windows – GUI Cisco VPN client
PC1#run the Cisco VPN client from its shortcut
- connection entries -> new -> fill in:
- name -> TEST
- description -> free text
- host - IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco (password and confirm password)
- go to the main screen, select the connection entry and enter the username and password VPNUSERNAME/cisco when prompted.
The picture shows the configuration window and the main window of the Windows client.
The picture shows the result of tunnel initialisation on the ASA.
ASA-GATE(config)#show vpn-sessiondb remote
The picture shows the tunnel sessions on the ASA.
F4) generate test connection
F4a) on Unix – text web browser
PC1#lynx ftp://10.0.0.100 ;connect to the server via FTP
PC1#lynx http://10.0.0.100 ;connect to the server via HTTP - works only with Java enabled
PC1#ping 10.0.0.100 ;ICMP test
The picture shows the result on the PC.
F4b) on Windows – graphical web browser
Open a web browser and enter the following in the address bar
http://10.0.0.100 ;establish an HTTP connection to the server
ftp://10.0.0.100 ;establish an FTP connection to the server
The picture shows the result on the PC.
Open a command line, run ftp and follow the result picture for the command-line reference
ftp ;command-line FTP client
The picture shows the result on the PC (ftp).
F5) Delete tunnel and reinitialize new one
ASA-GATE(config)#clear crypto isakmp sa
ASA-GATE(config)#clear crypto ipsec sa
The picture shows the result on the ASA.
F5a) on Unix-based PC – text client
PC1#pkill vpnc ;kill the vpnc process
F5b) on Windows-based PC
Open the VPN client and press the Disconnect button.
Optional tasks
Try to configure different policies and VPN groups
ASA-GATE(config)# ip local pool VPNADDRESSPOOL2 10.0.0.21-10.0.0.30 ;ip pool for hosts, connected thru RAS VPN group 2
ASA-GATE(config)# tunnel-group VPNGROUP2 type IPSec_RA ;another tunnel group for optional task
ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes
ASA-GATE(config-tunnel-general)# address-pool VPNADDRESSPOOL2
ASA-GATE(config-tunnel-general)# tunnel-group VPNGROUP2 ipsec-attributes
ASA-GATE(config-tunnel-ipsec)# pre-shared-key cisco2
ASA-GATE(config)# group-policy TUNNELPOLICYADDED internal ;create internal policy
ASA-GATE(config)# group-policy TUNNELPOLICYADDED attributes ;and define its attributes
ASA-GATE(config-group-policy)# wins-server value 10.0.0.200 ;WINS server IP address
ASA-GATE(config-group-policy)# dns-server value 10.0.0.201 ;DNS server IP address
ASA-GATE(config-group-policy)# default-domain value testdomain.vsb ;domain name
ASA-GATE(config)# tunnel-group VPNGROUP2 general-attributes ;connect policy with tunnel group
ASA-GATE(config-tunnel-general)# default-group-policy TUNNELPOLICYADDED ;policy name is specified here
To test this task connect to VPNGROUP2 and run ipconfig /all on Windows; it also shows the DNS and WINS server entries of the tunnel adapter.
On Linux look at /etc/resolv.conf, which shows the DNS server entry pushed by the gateway.
NS2 – Modul6 6.4.2 ASA task definition
RAS VPN using HW client (network and client modes)+ pre-shared keys on ASA
Goal
A remote-access VPN tunnel will be established on an ASA 5505 using a pre-shared key.
Router3 only passes traffic between the site routers; it simulates the Internet.
Only traffic between LAN 1 and LAN 2 will be encrypted.
Use the OSPF routing protocol and static routes.
a/ the client is set to client mode (NAT).
b/ the client is set to network-extension mode.
Note that this task works only on the ASA 5505; the ASA 5510 and higher cannot act as Easy VPN hardware clients.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be added here.
PC1>ping 10.0.0.100 ;initialize the tunnel by pinging the remote host
F4) Test the initialized tunnel
Check that the client has an address leased from the pool and that IPsec is active.
EZServer#sh ip local pool VPNADDRESSPOOL
EZClient#sh nat
EZClient#sh crypto isakmp sa
Show the IPsec statistics.
EZServer#sh crypto ipsec sa
F5) Delete the tunnel and then repeat steps F3) to initialize the tunnel again
First delete the tunnel on the client
EZClient(config-if)#shutdown ;shutdown outside interface
EZClient#clear crypto ipsec sa
EZClient#clear crypto isakmp sa
EZServer#clear crypto ipsec sa
EZServer#clear crypto isakmp sa
EZServer#clear crypto session
Optional tasks
Create access list on Router3 which permits only needed traffic.
Add one more router to topology and create another tunnel to this router.
EZServer(config)#aaa new-model ;enable AAA
EZServer(config)#aaa authentication login VPNLIST local ;XAUTH user authentication against the local database
EZServer(config)#aaa authorization network VPNLIST local ;group authorization (pool, key) from the local database
EZServer(config)#username EZVPNUSER password cisco ;define username and password (lab credentials)
3)EzVPN server configuration
EZServer(config)#ip local pool EZVPNPOOL 10.0.0.10 10.0.0.20 ;local pool for ezvpn client computers
EZServer(config)#crypto isakmp policy 10 ;first phase policy definition
EZServer(config-isakmp)#encryption 3des
EZServer(config-isakmp)#authentication pre-share
EZServer(config-isakmp)#group 2
EZServer(config)#crypto isakmp keepalive 10 10 ;tunnel keepalive setting
EZServer(config)#crypto isakmp client configuration group EZVPNGROUP ;client configuration group - these settings are pushed to the client
EZServer(config-isakmp-group)#key EZVPNKLIC ;group pre-shared key, must be configured identically on the client appliance
EZServer(config-isakmp-group)#pool EZVPNPOOL ;assign the named pool
EZServer(config-isakmp-group)#save-password ;lets the client store the XAUTH password; required for the client's auto-connect mode
EZServer(config)#crypto ipsec transform-set EZVPNTRSET esp-3des esp-sha-hmac ;define transform set
EZServer(config)#crypto dynamic-map DYNAMIC 1 ;define dynamic crypto map
EZServer(config-crypto-map)#set transform-set EZVPNTRSET ;transform set used
EZServer(config-crypto-map)#reverse-route remote-peer 172.16.1.1 ;inject routes for the client networks with 172.16.1.1 as next hop
EZServer(config)#crypto map EZVPNMAP client authentication list VPNLIST ;XAUTH uses the aaa login list
EZServer(config)#crypto map EZVPNMAP isakmp authorization list VPNLIST ;group lookup uses the aaa network list
EZServer(config)#crypto map EZVPNMAP 3 ipsec-isakmp dynamic DYNAMIC ;bind the dynamic crypto map
EZServer(config)#crypto map EZVPNMAP client configuration address respond ;hand out an IP address when the client asks for one
4) applying point 3) to interface
EZServer(config)#interface INT3
EZServer(config-if)#crypto map EZVPNMAP ;apply crypto map to an interface
EZClient(config)#crypto ipsec client ezvpn VPN ;configure the named Easy VPN client profile
EZClient(config-crypto-ezvpn)#group EZVPNGROUP key EZVPNKLIC ;server group name and its key
EZClient(config-crypto-ezvpn)#local-address INT2 ;source the tunnel from the address of INT2 (the outside interface)
EZClient(config-crypto-ezvpn)#mode client ;client mode: inside hosts are NATed to the address leased from the server
EZClient(config-crypto-ezvpn)#peer 172.16.0.1 ;set the remote peer (Easy VPN server)
EZClient(config-crypto-ezvpn)#connect manual ;tunnel is brought up manually with the exec command crypto ipsec client ezvpn connect VPN
3) Applying to the interfaces
EZClient(config)#interface INT1
EZClient(config-if)#crypto ipsec client ezvpn VPN inside ;apply the profile to the inside interface
EZClient(config)#interface INT2
EZClient(config-if)#crypto ipsec client ezvpn VPN outside ;apply the profile to the outside interface
;a new virtual interface is created, to which all inside traffic is NATed
Now run the function test and continue with part b/, or with point 4) for part a/.
4) Configure the client for auto-connect mode
To let the client connect automatically, you MUST connect manually the first time and supply the XAUTH credentials as in function test point F3).
EZClient(config)#crypto ipsec client ezvpn VPN
EZClient(config-crypto-ezvpn)#connect auto ;client auto-connect setting
NS2 – Modul2 6.2.12a IOS task definition
Easy VPN server on Router, SW client
Goal
Configure the VPN client and the VPN concentrator on an IOS router.
Initialize the tunnel.
Generate test connections over HTTP, FTP and ICMP.
Do not forget to clear the configuration before you start.
Required time
2 hours
Theoretical background
A short theoretical background for solving this task will be added here.
R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model ;enable AAA
SERVER(config)#aaa authentication login telnet local ;method list "telnet" authenticates against the local user database
SERVER(config)#username cisco password cisco ;lab credentials used for telnet, HTTP and FTP
SERVER(config)#enable password cisco ;set enable password for privileged mode (lab only; use enable secret outside the lab)
SERVER(config)#ip http server ;enable HTTP server
SERVER(config)#ftp-server enable ;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/ ;set top directory for FTP server
SERVER(config)#line vty 0 4 ;enable telnet connections
SERVER(config-line)#login authentication telnet ;apply the method list defined above to the vty lines
Router
1) Interface settings, Access lists, group policy
R18@ostrava(config)#hostname GATE
GATE(config)#interface INT1
GATE(config-if)#ip address 192.168.0.1 255.255.255.0
GATE(config-if)#no shutdown
GATE(config)#interface INT2
GATE(config-if)#ip address 10.0.0.1 255.255.255.0
GATE(config-if)#no shutdown
GATE(config)#access-list 101 permit ip any host 192.168.0.1 ;permit only traffic addressed to the interface on which the tunnel terminates (IKE and ESP); everything else from outside is dropped
GATE(config)#aaa new-model ;enable AAA
GATE(config)#aaa authentication login VPNAUTHEN local ;XAUTH user authentication against the local database
GATE(config)#aaa authorization network VPNAUTHOR local ;group authorization (pool, key, domain) from the local database
GATE(config)#username USERNAME password cisco ;XAUTH credentials the VPN client must supply (lab values)
2) IPsec and ISAKMP configuration
GATE(config)#ip local pool VPNADDRESSPOOL 10.0.0.10 10.0.0.20 ;connected client will get address from this pool
GATE(config)#crypto isakmp policy 10 ;IKE first phase security parameters definition starts here
GATE(config-isakmp)#encryption 3des
GATE(config-isakmp)#hash sha
GATE(config-isakmp)#authentication pre-share
GATE(config-isakmp)#group 2
GATE(config)#crypto isakmp client configuration group VPNGROUP ;client configuration group - these settings are pushed to the remote-access clients
GATE(config-isakmp-group)#key VPNKLIC ;and pre-shared key for this policy
GATE(config-isakmp-group)#pool VPNADDRESSPOOL ;local pool
GATE(config-isakmp-group)#domain test ;and domain name specification
GATE(config)#crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-md5-hmac ;transform set for remote-access connections; 3DES/MD5 are kept for the old lab client, use AES/SHA outside the lab
GATE(config)#crypto dynamic-map DYNAMICMAP 10 ;create dynamic crypto map
GATE(config-crypto-map)#set transform-set REMOTEVPNTRSET
GATE(config-crypto-map)#reverse-route ;enable reverse routing for RAS connection
GATE(config)#crypto map CLIENTMAP client configuration address respond ;hand out an IP address from the pool when the client requests one
GATE(config)#crypto map CLIENTMAP isakmp authorization list VPNAUTHOR ;group policy authorization def.
GATE(config)#crypto map CLIENTMAP client authentication list VPNAUTHEN ;group policy authentication def.
GATE(config)#crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMICMAP ;assign dynamic crypto map to static
3) Applying the crypto map and access list to the interface
GATE(config)#interface INT1
GATE(config-if)#crypto map CLIENTMAP ;apply static crypto map to interface
GATE(config-if)#ip access-group 101 in ;apply access list to interface
F2a) on Unix-based PC
Run a terminal and then generate ICMP traffic with the ping command.
PC1#ping 10.0.0.100
The picture shows the result of this command.
F2b) on Windows-based PC
Start -> Run -> type cmd.exe, then generate ICMP traffic with the ping command.
PC1#ping 10.0.0.100
The picture shows the result of this command.
F3) Initialize tunnel
F3a) on Unix – text vpn client
PC1#vpnc ;run the text-mode VPN client
- insert the gateway - IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> VPNKLIC (the key from the crypto isakmp client configuration group)
- insert the username and password defined on the router -> USERNAME/cisco
The picture shows the result on the PC.
The picture shows the result of ifconfig tun0.
F3b) on Windows – GUI Cisco VPN client
PC1#run the Cisco VPN client from its shortcut
- connection entries -> new -> fill in:
- name -> TEST
- description -> free text
- host - IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> VPNKLIC (password and confirm password)
- go to the main screen, select the connection entry and enter the username and password USERNAME/cisco when prompted.
The picture shows the configuration window and the main window of the Windows client.
The picture shows the result of tunnel initialisation on the router.
GATE#show crypto session ;IOS equivalent of the ASA's show vpn-sessiondb; show crypto isakmp sa and show crypto ipsec sa give the SA details
The picture shows the established sessions on the router.
F4) generate test connection
F4a) on Unix – text web browser
PC1#lynx ftp://10.0.0.100 ;connect to the server via FTP
PC1#lynx http://10.0.0.100 ;connect to the server via HTTP - works only with Java enabled
PC1#ping 10.0.0.100 ;ICMP test
The picture shows the result on the PC.
F4b) on Windows – graphical web browser
Open a web browser and enter the following in the address bar
http://10.0.0.100 ;establish an HTTP connection to the server
ftp://10.0.0.100 ;establish an FTP connection to the server
The picture shows the result on the PC (http).
Open a command line, run ftp and follow the result picture for the command-line reference