
25/04/2011

IP Networking, Security and a bit of fun

A blog where we discuss anything and everything regarding networking, with emphasis on security for now

IPSec Hairpinning
Posted on November 7, 2009 | 3 Comments

Well, no, I am not in love with hairpinning, but come to think of it, this can be a useful feature. For example, your remote sites are site-to-site VPNs to your HQ and you are at home, using remote access VPN to access the HQ. It would be nice if you could access the remote sites as well, wouldn't it? Our scenario, or rather mission, is such.

IPSEC Hairpinning Topology


We want to create an L2L VPN between ASA and R2 to encrypt traffic between the 10.0.0.0/24 and 136.1.121.0/24 networks. Then we want users to access our ASA from R4 using EZVPN, and these users should be allowed to send encrypted traffic over the already created L2L VPN. Static routes are permitted for this configuration. All devices are running RIP version 2 and have full reachability to each other. NAT-Control is not enabled on the ASA. Also, the topology is similar to the INE remote access VPN labs, except that I have put R4 in VLAN 100 instead of a test PC.

We start with configuring a basic L2L VPN between ASA and R2.

Configuration:

ASA:

crypto isakmp policy 10
 authen pre-share
 group 2
 hash md5
 encryption 3des
!
crypto isakmp key CISCO address 136.1.23.2
!
crypto ipsec transform T_SET esp-3des esp-md5-hmac
!
access-list 122 permit ip 136.1.121.0 255.255.255.0 10.0.0.0 255.255.255.0
!
crypto map IMAP 5 set transform-set T_SET
crypto map IMAP 5 match address 122
crypto map IMAP 5 set peer 136.1.23.2
!
crypto map IMAP interface outside

R2:

crypto isakmp policy 10
 authen pre-share
 group 2
 hash md5
 encryption 3des
!
crypto isakmp key 0 CISCO address 136.1.123.12
!
crypto ipsec transform T_SET esp-3des esp-md5-hmac
!
access-list 122 permit ip 10.0.0.0 0.0.0.255 136.1.121.0 0.0.0.255
!
crypto map IMAP 5 ipsec-isakmp
 set transform-set T_SET
 match address 122
 set peer 136.1.123.12
!
int S0/1
 crypto map IMAP
!

Now to create an EZVPN tunnel, I would use the existing transform sets and crypto maps.
Here is the configuration on the ASA, which is our EZVPN server.

ASA:

ip local pool LOCAL_POOL 20.0.0.1-20.0.0.255
!
vpn-addr-assign local
!
group-policy EZVPN_POLICY internal
group-policy EZVPN_POLICY attributes
 vpn-tunnel-protocol ipsec
 address-pools value LOCAL_POOL
!
tunnel-group EZVPN type remote-access
tunnel-group EZVPN ipsec-attributes
 pre-shared-key CISCO
tunnel-group EZVPN general-attributes
 default-group-policy EZVPN_POLICY
 authentication-server-group LOCAL
!
crypto dynamic-map D_MAP 100 set transform-set T_SET
crypto dynamic-map D_MAP 100 set reverse-route
crypto map IMAP 20 ipsec-isakmp dynamic D_MAP
!
router rip
 redistribute static
!

R4 EZVPN remote (Client):

crypto ipsec client ezvpn EZVPN
 group EZVPN key CISCO
 connect auto
 mode client
 peer 136.1.123.12
int lo0
 crypto ipsec client ezvpn EZVPN inside
!
int fa0/0
 crypto ipsec client ezvpn EZVPN outside
!

We test both tunnels.

For L2L:

R2:

ping 136.1.121.1 source fa0/0
Sending 5, 100-byte ICMP Echos to 136.1.121.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 48/48/48 ms

Rack1ASA1# sh crypto ipsec sa
interface: outside
    Crypto map tag: IMAP, seq num: 5, local addr: 136.1.123.12
      access-list 122 permit ip 136.1.121.0 255.255.255.0 10.0.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (136.1.121.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 136.1.23.2
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

Please pay close attention to the IPSEC SAs to understand the difference.

Now we bring up the EZVPN tunnel and test it.

Rack1R4# crypto ipsec client ezvpn xauth
Username: test
Password:
Rack1R4#
Nov 6 09:33:29.201: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=EZVPN Client_public_addr=136.1.100.4 Server_public_addr=136.1.123.12 Assigned_client_addr=20.0.0.1
Rack1R4#
Nov 6 09:33:31.084: %LINK-3-UPDOWN: Interface Loopback10000, changed state to up
Nov 6 09:33:32.086: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
Rack1R4#

Rack1R1# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     136.1.0.0/24 is subnetted, 5 subnets
C       136.1.11.0 is directly connected, FastEthernet0/0.11
R       136.1.23.0 [120/2] via 136.1.121.12, 00:00:22, FastEthernet0/0.121
R       136.1.100.0 [120/2] via 136.1.121.12, 00:00:22, FastEthernet0/0.121
C       136.1.121.0 is directly connected, FastEthernet0/0.121
R       136.1.123.0 [120/1] via 136.1.121.12, 00:00:22, FastEthernet0/0.121
     20.0.0.0/32 is subnetted, 1 subnets
R       20.0.0.1 [120/1] via 136.1.121.12, 00:00:16, FastEthernet0/0.121
     10.0.0.0/24 is subnetted, 1 subnets
R       10.0.0.0 [120/3] via 136.1.121.12, 00:00:23, FastEthernet0/0.121

Rack1R4#ping 150.1.1.1 source lo0 rep 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.4.4
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 8/8/12 ms

All right, both our tunnels are up. Now we will configure hairpinning and allow EZVPN users through the L2L tunnel.

Hairpinning Configuration

ASA:

access-list 122 extended permit ip 20.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0

(The interesting traffic should also include traffic from the 20.0.0.0/24 subnet, which is the pool we are assigning to our users.)

same-security-traffic permit intra-interface

(Since both VPNs terminate on the outside interface, we have to use this command to allow traffic to enter and exit through the outside interface.)

R4:

ip route 10.0.0.0 255.255.255.0 136.1.123.12

(Because of RIP, R4 has a route towards 10.0.0.0/24 through R3, so the traffic wouldn't traverse the tunnel. With this static route, we are forcing R4, our EZVPN client, to go through the EZVPN for the 10.0.0.0/24 subnet.)

R2:

ip route 20.0.0.0 255.255.255.0 136.1.123.12
access-list 122 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255

(Again, the proxy ACL to allow traffic from EZVPN to traverse our L2L tunnel.)

That seems all right. Now let's test it. But before that, clear the SAs and bring up the tunnels again. All right, after bringing up the tunnels, here is my IPSEC SA:

Rack1ASA1# sh crypto ipsec sa | inc local ident|remote ident|encaps|decaps
      local ident (addr/mask/prot/port): (136.1.121.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

The local ident (0.0.0.0/0.0.0.0/0/0) designates an EZVPN tunnel. Now I will ping 10.0.0.0/24 from R4, which will traverse both tunnels.

R4:

ping 10.0.0.2 source lo 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.4.4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/52/56 ms
Rack1R4#
Rack1R4# ping 10.0.0.2 source loopback 0 rep 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
Packet sent with a source address of 150.1.4.4
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Rack1ASA1# sh crypto ipsec sa | inc local ident|remote ident|encaps|decaps
      local ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      #pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106
      #pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      local ident (addr/mask/prot/port): (136.1.121.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
      #pkts encaps: 115, #pkts encrypt: 115, #pkts digest: 115
      #pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly:

We have an SA from 20.0.0.0 to 10.0.0.0. It is our L2L SA for our EZVPN traffic. The encaps and decaps are what we expected. The second one is our L2L SA between the 136.1.121.0 and 10.0.0.0 networks, and the number of encaps and decaps has not increased. The third is our EZVPN SA. And along with the new L2L SA, we have packets traversing this connection as well. Which means our EZVPN users trying to access 10.0.0.0/24 are also traversing the L2L tunnel, and we have achieved our objectives.

Well folks, that's it for IPSEC hairpinning for now. I know I am slow with the posts, but I've been studying for CCIE, remember? :) I have done the Vol 1 INE labs and will be moving to Vol 2 this week. Also, if you stumble onto this article, please leave a comment. Tell me if you think it made any sense or not. Was the format OK, or does it need something (more theory, more verification, etc.)? I will keep that in mind while writing the next tutorial. And if you like the format and find the article useful, also drop in a line.
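The counter comparison used in the verification above, automated as an added example (not the author's code). The two snapshots are the ASA outputs shown in the post with the PMTU lines left out; the function names and the packet threshold are assumptions made for this sketch.

```python
import re

# "sh crypto ipsec sa | inc local ident|remote ident|encaps|decaps" on the ASA,
# before and after the pings from R4 (values as shown in the post).
BEFORE = """\
local ident (addr/mask/prot/port): (136.1.121.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
"""
AFTER = """\
local ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
#pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106
#pkts decaps: 105, #pkts decrypt: 105, #pkts verify: 105
local ident (addr/mask/prot/port): (136.1.121.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
#pkts encaps: 115, #pkts encrypt: 115, #pkts digest: 115
#pkts decaps: 117, #pkts decrypt: 117, #pkts verify: 117
"""

IDENT = re.compile(r"^\s*(local|remote) ident \(addr/mask/prot/port\): "
                   r"\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")
ZERO = {"encaps": 0, "decaps": 0}

def parse_sas(text):
    """Return {(local_net, remote_net): {"encaps": n, "decaps": n}} per SA."""
    sas, idents, key = {}, {}, None
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            idents[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            if m.group(1) == "remote":        # the remote line completes an SA pair
                key = (idents.get("local", "?"), idents["remote"])
                sas[key] = dict(ZERO)
            continue
        m = COUNT.search(line)
        if m and key:
            sas[key][m.group(1)] = int(m.group(2))
    return sas

def deltas(before, after):
    """Counter growth per SA between two snapshots; new SAs count from zero."""
    return {k: {c: v[c] - before.get(k, ZERO)[c] for c in v}
            for k, v in after.items()}

def hairpin_carried(before_txt, after_txt, pool, remote_lan, min_pkts):
    """True when both legs grew by at least min_pkts: the pool<->remote-LAN SA
    and a remote-access SA (local ident 0.0.0.0/0.0.0.0)."""
    d = deltas(parse_sas(before_txt), parse_sas(after_txt))
    l2l = d.get((pool, remote_lan), ZERO)
    ra = [v for (loc, _), v in d.items() if loc == "0.0.0.0/0.0.0.0"]
    return (min(l2l.values()) >= min_pkts
            and any(min(v.values()) >= min_pkts for v in ra))
```

A delta of zero on the 136.1.121.0/24 SA together with growth on the 20.0.0.0/24 SA is the same evidence the post reads off by eye: the remote-access traffic used its own proxy-ACL entry rather than the original site-to-site SA.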

Posted in EZVPN, IPSEC VPNS, Site to Site VPN Tagged EZVPN, IPSec Hairpinning, L2LVPN

3 Comments

The need for DNS Doctoring on ASA: Methods and Workarounds


Posted on September 4, 2009 | 2 Comments

In a typical DNS exchange, a client sends a URL or hostname to a DNS server in order to determine the IP address of that host. The DNS server receives the request, looks up the name-to-IP-address mapping for that host, and then provides the A-record with the IP address to the client. While this procedure works well in many situations, problems can occur. These problems can occur when the client and the host that the client tries to reach are both on the same or different private networks behind NAT, but the DNS server used by the client is on another public network.

Without DNS doctoring or another solution enabled in this situation, if the client sends a DNS request for the IP address of the web server, it is unable to access the WWW server. This is because the client receives an A-record that contains the mapped public address of the WWW server. When the client tries to access this IP address, the security appliance drops the packets because it does not allow packet redirection on the same interface.

There are many permutations of this issue and different options to solve it. Mainly, we can summarize the solution in the following three methods:

1) Using the alias command for DNS Doctoring or Destination NAT
2) Using static with the DNS keyword for DNS Doctoring
3) Using Hairpinning and DNAT instead of DNS Doctoring

Based on the location of the clients and web server, we can have the following situations:

- Clients and web server are both on the DMZ while the DNS server is a public server on the outside. (DMZ can be changed with inside, as the emphasis is on the client and web server being behind the same interface.)
- Web server is on the DMZ and clients are on the inside.

The tutorial will show all possible ways in which the problem can be solved based on the clients. We'll use the test server as client in both DMZ and use a router for DNS requests on the inside. We will be using the topology of InternetworkExpert[i], and though the Lab Workbook 1 has two excellent labs on the topic, we'll go further and include all possible scenarios.

TOPOLOGY:

We'll use the test server on the inside as well as in the DMZ zone to simulate clients.

SCENARIO 1: USING THE ALIAS COMMAND FOR DNS DOCTORING AND DNAT:
First, let's describe the difference between the two. DNS Doctoring performs two functions:

- Translates a public address (the routable or mapped address) in a DNS reply to a private address (the real address) when the DNS client is on a private interface.
- Translates a private address to a public address when the DNS client is on the public interface.

DNAT, or Destination NAT, has the following function:

In DNAT, the ASA changes the destination IP of an application call from one IP address to another IP address. This process is used when you want the actual application call from the internal client to the server in a perimeter (DMZ) network by its external IP address. This does not doctor the DNS replies.

So for clients on the DMZ, we would use DNS Doctoring, and for clients on the inside, we will use DNAT. Technically the configuration will be the same, but it's important to understand what's actually happening here.

CONFIGURATION AND EXPLANATION:


As a first step, we will not configure DNS Doctoring, and we will simulate the issue. This will be our basic configuration on the ASA.

ASA1: NAT-CONTROL

nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
static (dmz,outside) 136.1.122.100 10.0.0.100
static (inside,dmz) 136.1.121.0 136.1.121.0 netmask 255.255.255.0
access-list OUT_IN permit ip any any
access-group OUT_IN in interface outside

R2:

ip dns server
ip host WWW 136.1.122.100

Now we'll place the test server in the inside VLAN first and then in the DMZ, and try to reach the WWW server after DNS resolution from R2:

int fa 0/20
 swit acc vlan 120

In the IE topology, the test server is connected to SW2 F0/20.

As you can see, the DNS server is resolving the IP to 136.1.122.100, which is the published IP. The problem with this resolution is that the ASA will drop the traffic.

R1:

ip domain lookup
ip name-server 136.1.122.2

Rack1R1#ping WWW
Translating "WWW"...domain server (136.1.122.2) [OK]
Translating "WWW"...domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.122.100, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)

Now we'll use DNS Doctoring and DNAT and test again. We'll change the test server to the inside zone and repeat the testing process.

alias (dmz) 10.0.0.100 136.1.122.100 255.255.255.255
alias (inside) 10.0.0.100 136.1.122.100 255.255.255.255
sysopt noproxyarp inside
sysopt noproxyarp dmz

Now on R1:

Rack1R1#ping WWW
Translating "WWW"...domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)

As we can see, the server name is now resolved to the DMZ address 10.0.0.100 for clients on the DMZ and inside zone, and there is no need for redirection on the outside interface any more. The ping is not allowed because ICMP is dropped on the DMZ interface. But DNS resolution is what we want. Also on our client

SOME NOTES:

Other Configuration Notes

The interface in the alias command needs to be the interface that the clients call from. You can have multiple alias commands tied to different interfaces on the same ASA.
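The A-record rewrite that DNS Doctoring performs in this scenario, shown on a wire-format DNS reply as an added example (not the author's or Cisco's code). The hostname and the two addresses come from the post; the reply bytes are constructed here, and all function names are assumptions made for this sketch.

```python
import socket
import struct

# Addresses from the post: alias (dmz) 10.0.0.100 136.1.122.100 255.255.255.255
MAPPED_IP = "136.1.122.100"   # public (mapped) address published in DNS
REAL_IP = "10.0.0.100"        # private (real) address of the WWW server

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:               # root label ends the name
            return off

def answers(msg):
    """Yield (rtype, rclass, rdata_offset, rdlength) for each answer record."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                  # fixed DNS header size
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4         # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen

def a_records(msg):
    """Dotted-quad addresses of all IN A records in the answer section."""
    return [socket.inet_ntoa(msg[o:o + 4])
            for t, c, o, n in answers(msg) if (t, c, n) == (1, 1, 4)]

def doctor(msg, client_on_private):
    """Apply the two functions the post lists: mapped -> real for a client on a
    private interface, real -> mapped for a client on the public interface.
    A 4-byte swap keeps the message length and all offsets unchanged."""
    src, dst = (MAPPED_IP, REAL_IP) if client_on_private else (REAL_IP, MAPPED_IP)
    out = bytearray(msg)
    for rtype, rclass, off, rdlen in answers(msg):
        if (rtype, rclass, rdlen) == (1, 1, 4) and msg[off:off + 4] == socket.inet_aton(src):
            out[off:off + 4] = socket.inet_aton(dst)
    return bytes(out)

def build_reply(name, ip, txid=0x1234):
    """Constructed sample: a minimal DNS response carrying one A record."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    # Answer name is a compression pointer back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + question + answer
```

Only answers that match the configured address are touched, so a reply for any other host passes through byte for byte.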

SCENARIO 2: USING STATIC WITH DNS KEYWORD FOR DNS DOCTORING:


Remove the previous alias commands.

Now we'll use the static command with the dns keyword to solve the issue. For clients on the DMZ we'll need this command, as we need DNS Doctoring. But remember, we used alias for Destination NAT previously for clients on the inside. In this case, with the static command, we will not need to do anything for clients on the inside, as the dns keyword will take care of that: the DNS reply will be changed at the outside interface to 10.0.0.100, so clients on both the inside and the DMZ will be able to access the host using the private IP address. Here is the configuration:

clear configure alias
no static (dmz,outside) 136.1.122.100 10.0.0.100 netmask 255.255.255.255
static (dmz,outside) 136.1.122.100 10.0.0.100 dns netmask 255.255.255.255

Here is the verification.

Rack1R1#ping WWW
Translating "WWW"...domain server (136.1.122.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.100, timeout is 2 seconds:
..
Success rate is 0 percent (0/5)
Rack1R1#

And on the client

SCENARIO 3: USING HAIRPINNING AND DNAT INSTEAD OF DNS DOCTORING.


Remember, the main raison d'être of the alias command is that the ASA doesn't allow packet redirection on the same interface. What if we can change this behavior? This wasn't possible in earlier versions (and if you ask me, it shouldn't be, as it's a serious security breach). But Cisco, bowing to the demands of customers and in order to match Check Point, allows this feature now. This is called Hairpinning. In our scenario, we'll do hairpinning for the clients on the DMZ and DNAT for the clients on the inside. Here is what Cisco's website says about Hairpinning:

Hairpinning is the process by which traffic is sent back out the same interface on which it arrived. This feature was introduced in security appliance software version 7.0. For versions earlier than 7.2(1), it is required that at least one arm of the hairpinned traffic (inbound or outbound) be encrypted. From 7.2(1) and later, this requirement is no longer in place. Both the traffic inbound and the traffic outbound might be unencrypted when you use 7.2(1).

Hairpinning, in conjunction with a static NAT statement, can be used to achieve the same effect as DNS doctoring. This method does not change the contents of the DNS A-record that is returned from the DNS server to the client.

For clients on the inside, we'll simply publish the public address of our WWW server by using the static command. Here is the configuration.

static (dmz,outside) 136.1.122.100 10.0.0.100 netmask 255.255.255.255
static (inside,dmz) 136.1.121.0 136.1.121.0 netmask 255.255.255.0
same-security-traffic permit intra-interface
(Enables hairpinning and redirection on the interface)
global (dmz) 1 interface
(nat-control is enabled. Traffic going to the DMZ must be NATted)
static (dmz,dmz) 136.1.122.100 10.0.0.100
static (dmz,inside) 136.1.122.100 10.0.0.100

For testing:

access-list DMZ_IN permit ip any any
access-group DMZ_IN in interface dmz

Here is the verification.

Rack1R1#telnet WWW 80
Translating "WWW"...domain server (136.1.122.2) [OK]
Trying WWW (136.1.122.100, 80)... Open
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 04 Sep 2009 18:43:11 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect. </body>
</html>
[Connection to WWW closed by foreign host]

As you can see, even though the DNS resolves to 136.1.122.100, R1 is able to reach it. Similarly for hosts in the DMZ

I hope this tutorial is useful to the non-existent reader base of this blog :)

[i] Copyrighted topology - The writer of this blog has obtained permission from Mr. Brian and Mr. Peter to use the topology or diagram as reference.

Posted in ASA, DNS Doctoring Tagged ASA, DNAT, DNS Doctoring, Security

2 Comments

Introduction
Posted on July 13, 2009 | 1 Comment

Hello, I am Barooq, CCIE #22087. I kept a blog at http://ccie-chronicles.blogspot.com and also wrote some articles on http://www.cciecandidate.com during my CCIE R/S preparation. After a hiatus spanning over 8 months, I am back in the game, preparing for my CCIE Security (the effort has just begun). I shifted from blogspot for two reasons:

1) I want this blog to be about networking in general, not CCIE prep particularly.
2) Let's face it, blogspot sucks :)

I will be writing tutorials and general tech talk, predominantly about security-related topics (CCIE and general), and will also include my observations, whatever interesting subject I encounter during the prep and at work, etc. I am using INE products (workbooks only). I have always heard great things about COD, but even after the gracious discount, it was out of my reach. Hopefully, my first tech post will be there somewhere this week :)

Peace to all

Posted in Uncategorized Tagged General, Introduction

1 Comment
