Wednesday, June 12, 2013

ASA 8.4 and Hairpin NAT

I previously posted here about setting up Hairpin NAT on a Cisco ASA running version 8.2, but of course they changed the syntax yet again, so here is an updated version for 8.4. For those unaware, Hairpin NAT is what allows you to access a server by its public IP from inside the network. This is useful if you are not running split DNS or if you have needy users that want to be able to use the same IP wherever they are.

The procedure for this is actually a bit simpler; there are just a few commands required:

Allow the traffic to get turned around:

same-security-traffic permit intra-interface

Add the NAT rule for users without their own static mapping:

object network obj_any_hairpin
 subnet 0.0.0.0 0.0.0.0

object network obj_any_hairpin
 nat (inside,inside) dynamic interface

Note that I separated these two blocks, as that is how it usually appears in the config. The first block defines the object group, while the second one applies the NAT rule to it. This rule will match any LAN users that do not have a static 1:1 mapping defined.

Add NAT rules for all static users:

object network obj_10.10.10.10
 host 10.10.10.10
object network obj_10.10.10.10_hairpin
 host 10.10.10.10

object network obj_10.10.10.10
 nat (inside,outside) static 1.2.3.4
object network obj_10.10.10.10_hairpin
 nat (inside,inside) static 1.2.3.4

The object groups need to be separate so that you can apply different NAT rules to them. The first object group and its NAT rule handle the external access coming in, while the second set allows the internal-to-internal traffic.
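The pieces above have to line up per host, which is easy to get wrong on a box with many static mappings. As an added example that is not from the original post, here is a small Python audit that parses 8.4-style object NAT lines from a saved config and reports any (inside,outside) static mapping that lacks its (inside,inside) twin, plus the two global pieces; the sample config is constructed, and only the post's object naming is assumed.

```python
import re

# Constructed sample config (not from the post); the (inside,inside) static rule for 10.10.10.20 is left out on purpose.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
object network obj_any_hairpin
 subnet 0.0.0.0 0.0.0.0
 nat (inside,inside) dynamic interface
object network obj_10.10.10.10
 host 10.10.10.10
 nat (inside,outside) static 1.2.3.4
object network obj_10.10.10.10_hairpin
 host 10.10.10.10
 nat (inside,inside) static 1.2.3.4
object network obj_10.10.10.20
 host 10.10.10.20
 nat (inside,outside) static 1.2.3.5
"""
OBJ_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
NAT_RE = re.compile(r"^\s+nat \((\w+),(\w+)\) (static|dynamic) (\S+)$")

def parse_asa_nat(config):
    """Return (intra-interface permitted, {object: host IP}, [(object, src_if, dst_if, kind, mapped)])."""
    intra, hosts, rules, current = False, {}, [], None
    for line in config.splitlines():
        if line.strip() == "same-security-traffic permit intra-interface":
            intra = True
        elif m := OBJ_RE.match(line):
            current = m.group(1)  # a repeated 'object network X' line re-opens the same object
        elif (m := HOST_RE.match(line)) and current:
            hosts[current] = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            rules.append((current,) + m.groups())
    return intra, hosts, rules

def hairpin_gaps(config):
    """List missing hairpin pieces: the permit, the dynamic (inside,inside) rule, and unpaired statics."""
    intra, hosts, rules = parse_asa_nat(config)
    gaps = []
    if not intra:
        gaps.append("missing: same-security-traffic permit intra-interface")
    if not any(r[1:4] == ("inside", "inside", "dynamic") for r in rules):
        gaps.append("missing: nat (inside,inside) dynamic interface")
    # Real IP -> mapped IP per direction, resolved through each object's host line.
    out = {hosts.get(o): ip for o, s, d, k, ip in rules if (s, d, k) == ("inside", "outside", "static")}
    inn = {hosts.get(o): ip for o, s, d, k, ip in rules if (s, d, k) == ("inside", "inside", "static")}
    for real_ip, mapped in sorted(out.items()):
        if inn.get(real_ip) != mapped:
            gaps.append(f"{real_ip} -> {mapped}: no nat (inside,inside) static {mapped}")
    return gaps
```

Run `hairpin_gaps(open("running-config.txt").read())` against a `show running-config` capture to get the list of hosts that still need their `_hairpin` object.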

Wednesday, April 10, 2013

Setting up a setuid PHP binary

I'm not going to go into it too much, but I assure you I had a very good reason for doing this.

The problem: I needed to run PHP on the command line as root when invoked by a non-privileged user. The simple solution is to make a copy of the php binary, then chmod +s it and chown it to root. For most apps, this will just cause it to run as root and everything will be solved. This part is still necessary:

# cd /path/to/my/project
# cp `which php` .
# chown root:root php
# chmod +s php

Unfortunately, when running this, you will find that PHP does not actually think it's running as root, and subsequently you can't run things like shutdown which require root privileges. You can see this by running a script like this:

test.php:

<?php
    echo shell_exec('id');
?>

Command:

# sudo -u www ./php test.php
uid=80(www) gid=80(www) groups=80(www)

Well that didn't work, and the PHP docs and Google didn't seem to have anything about PHP dropping privileges. A little more googling and I saw that PHP does have a setuid function, so I decided to give that a try. The function is called posix_setuid() and is allegedly included by default. Well guess what, on my PHP installation it shows the configure string as including --enable-posix=shared, which for whatever reason means "I don't want to use this."

So I recompiled PHP with just --enable-posix and the function was now available. At this point, I began getting the desired results when calling the script:

test.php:

<?php
// setuid(0): make root the real uid, not just the effective uid granted by the setuid bit
posix_setuid(0);
echo shell_exec('id');
?>

Command:

# sudo -u www ./php test.php
uid=0(root) gid=80(www) groups=0(root),80(www)
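A setuid copy of an interpreter is easy to forget about once the project is done, so it helps to be able to find them again later. As an added example that is not from the post, here is a Python audit routine that walks directories for setuid files either named like an interpreter or hash-identical to a reference binary such as `which php`, reporting the owner uid so root-owned hits can be prioritised; the temp-directory scenario and the stand-in interpreter are constructed, and no real php binary is involved.

```python
import hashlib
import os
import stat
import tempfile

INTERPRETER_NAMES = {"php", "perl", "python", "python3", "ruby"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def find_setuid_interpreters(roots, reference_hashes):
    """Walk roots; return (path, owner uid, reason) for each regular file with the setuid bit
    that is named like an interpreter or whose SHA-256 matches a reference interpreter binary."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable; keep auditing
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                    continue
                if name in INTERPRETER_NAMES:
                    hits.append((path, st.st_uid, "setuid file named like an interpreter"))
                elif ref := reference_hashes.get(sha256_of(path)):
                    hits.append((path, st.st_uid, f"setuid copy of {ref}"))
    return hits

def demo():
    """Constructed scenario: a stand-in 'php' (a shell script, not real PHP), a setuid copy
    renamed run_as_root, a setuid file literally named php, and a harmless non-setuid copy."""
    d = tempfile.mkdtemp()
    body = b"#!/bin/sh\necho stand-in interpreter\n"
    ref = os.path.join(d, "reference_php")  # plays the role of `which php`
    with open(ref, "wb") as f:
        f.write(body)
    for name, mode in (("run_as_root", 0o4755), ("php", 0o4755), ("plain_copy", 0o755)):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(body)
        os.chmod(p, mode)
    hits = find_setuid_interpreters([d], {sha256_of(ref): ref})
    return sorted((os.path.basename(p), reason) for p, _uid, reason in hits)
```

On a real host, pass the project directories as `roots` and `{sha256_of("/usr/bin/php"): "/usr/bin/php"}` as the reference map.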

Thursday, March 7, 2013

Exchange 2010: Couldn't connect to the source mailbox

So I was working on decommissioning a horribly broken and misconfigured SBS 2011 server today. Part of this was to export all of the mailboxes to PST and import them on the new server (don't ask why, but the customer had two SBS 2011 servers). When attempting to export a mailbox, I ran into this error:
Couldn't connect to the source mailbox.
    + CategoryInfo          : NotSpecified: (0:Int32) [New-MailboxExportRequest], RemotePermanentException
    + FullyQualifiedErrorId : CA71126,Microsoft.Exchange.Management.RecipientTasks.NewMailboxExportRequest
Well that's fun, so I re-ran the export command with -Verbose and ended up with:
New-MailboxExportRequest : Couldn't connect to the source mailbox. -->
MapiExceptionCallFailed: Unable to make connection to the server. (hr=0x80004005, ec=1249)
Diagnostic context:
    Lid: 59431   EMSMDB.EcDoConnectEx called [length=154]
    Lid: 34855   EMSMDB.EcDoConnectEx returned [ec=0x4E1][length=56][latency=0]
    Lid: 59505   StoreEc: 0x4E1
    Lid: 52465   StoreEc: 0x4E1
    Lid: 60065
    Lid: 33777   StoreEc: 0x4E1
    Lid: 59805
    Lid: 52209   StoreEc: 0x4E1
    Lid: 56583
    Lid: 52487   StoreEc: 0x4E1
    Lid: 19778
    Lid: 27970   StoreEc: 0x4E1
    Lid: 17730
    Lid: 25922   StoreEc: 0x4E1
After a bit of googling I did find someone else with a similar error, but their solution actually worked oppositely for me, so here is what I did to resolve it:
Set-CASMailbox jsmith -MAPIBlockOutlookNonCachedMode:$false
After that, the mailbox exported correctly. I can't say for sure why this was blocked in the first place, but this did resolve it.

Tuesday, January 8, 2013

Drag and drop stops working in Windows 7 and 8

I've been struggling with this problem for a long time, and never really found a solution. Basically (and very randomly) drag and drop would stop working on my workstation. This includes dragging emails in Outlook (2007, 2010, 2013), dragging files in Explorer, and even resizing columns in certain folders/views/apps. What threw me the most is that the issue persisted when I upgraded to a new workstation with a fresh OS, and also across Windows 7 and 8. I do have a lot of apps, so it's very possible one of them is to blame. A reboot would always fix it, but that's obviously annoying. Anyways, the fix: go to Explorer, click on a file, and press the Escape key. That's it. I have yet to investigate why it works, but it works. The working theory is that somewhere a file is stuck in the drag state, and Windows doesn't let you drag additional items. Hitting Escape must clear that out and let you do it again.