WMI query through ASA Firewall
I'm a newbie - please be patient
We have an ASA firewall that has several DMZ VLANs.
A support company that is responsible for the SQL Servers wants to use WMI to query server health.
Their monitoring server is currently on the internal LAN; eight SQL Servers are on the internal LAN and six of the SQL Servers are in the DMZ.
Two of the SQL Servers in the DMZ are 2003x32 Standard Edition and four are 2008R2x64 Enterprise Edition.
The question is that the range of ports that needs to be open for Windows 2003 is concerningly large: tcp/1025-65535, tcp/135
What are everyone’s thoughts on opening up such a large range?
Is there a better way of doing this – unfortunately getting the monitoring software rewritten is not an option and nor is going Linux
Thanks
PS - if this has already been asked can someone point me to the discussions
Hi
I would say that that is a No No.
But that depends on the environment. For some (most) I would say it's not OK, but some might feel that they do not need that much security.
WMI is a bit tough on firewalls.
But there are ways to limit the ports used by WMI.
For example, you can set it to use fixed ports, and so on.
Sure, it makes the server guys a little less happy since it does not work from the start and they have to make some changes, but the added security is well worth the fight.
Here is a link to SolarWinds for people with the same problem, and an answer that seems to work
(I have not tested this) from ASH J Kent (almost at the bottom).
http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/
Here is one from MSDN
http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx
Good luck
HTH
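The fixed-port approach mentioned in the reply, as an added example that is not part of the original thread. It assumes WMI's default standalone-host port (24158) on the 2008 R2 servers and an illustrative RPC range of 5000-5100 on the 2003 servers; `Set-WmiFirewallFriendly` is a hypothetical name.

```powershell
# Added example: run locally, elevated, on each monitored SQL Server host.
$WmiFixedPort = 24158          # assumption: WMI's default standalone-host port
$RpcRange     = '5000-5100'    # assumption: illustrative range, size it for the host's RPC load

function Set-WmiFirewallFriendly {
    $os = [Environment]::OSVersion.Version
    if ($os.Major -ge 6) {
        # Server 2008 / 2008 R2: host WMI in its own process with a fixed DCOM endpoint.
        & winmgmt.exe /standalonehost | Out-Host
        & net.exe stop winmgmt /y | Out-Host     # /y also stops dependent services
        & net.exe start winmgmt | Out-Host       # start the dependents again afterwards, or reboot
        & netsh.exe advfirewall firewall add rule name=WMIFixedPort `
            dir=in action=allow protocol=TCP localport=$WmiFixedPort | Out-Host
        return "tcp/135 and tcp/$WmiFixedPort"
    }

    # Server 2003: WMI answers on the shared RPC dynamic range, so narrow the range itself.
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    New-ItemProperty -Path $key -Name Ports -PropertyType MultiString `
        -Value $RpcRange -Force | Out-Null
    New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name UseInternetPorts -PropertyType String `
        -Value 'Y' -Force | Out-Null
    return "tcp/135 and tcp/$RpcRange (effective after a reboot)"
}

# The returned string is the complete port list the firewall rule needs for this host.
$ports = Set-WmiFirewallFriendly
Write-Host "Permit from the monitoring server to this host only: $ports"
```

On the ASA, the permit entries can then be written per host pair (monitoring server to each SQL Server) instead of tcp/1025-65535.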
Similar Messages
-
How can we allow internal users to access internet through ASA firewall?
Hello,
I am new to the security track. I have been asked to set up a lab and allow users from inside the firewall to access the internet. Here is my lab setup:
PC -> switch 1 (layer2) -> (inside) ASA (outside) -> switch 2 (Layer2) -> Router
Does the switch 2 port need internet access through the router?
What configuration is required on the ASA to allow users behind the firewall to access the internet?
Any help on this would be much appreciated.
Thanks,
Hi,
Okay , can you clarify on this for me. Are you able to ping the internet from the ASA outside interface ?
Just try something like this:-
ping 4.2.2.2 .. Does this work ?
If this does not work , then i think the ASA even is not able to get to the internet and that would be a problem on the router.
Also , internet from Switch 2 is not a requirement as that is only a Layer 2 device.
You can assign the ISP allocated address on the PC , connect it to the Switch 2 port and then try to ping something on the internet or surf internet and i think that should work.
Thanks and Regards,
Vibhor Amrodia -
Cisco Call manager 7.2 through ASA firewall
Hi,
We have a part of our building that we have sold to another company. We still have to provide them with some resources until they can install their own network. We have a 6500 switch there and we are going to implement a ASA in between and lock down most communication. One of the resources required are Cisco IP phones.
Does anyone know which ports etc are required to be opened to allow communication between these phones and Call manager and other IP phones on the site?
Any help would be appreciated
Hi Andrew
The attached document may assist:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
Hope this helps.
Barry Hesk
Intrinsic Network Solutions -
NTP server unreachable through ASA firewall
Hi all,
I've configured a DMZ switch to point to an NTP server on the Inside, but I get a debug message on the switch that says:
NTP: <NTP server IP address> unreachable
I'm confident that the NTP server is configured properly, as there are more than a dozen other hosts using it, successfully. The difficulty here is that the NTP packets are having to flow from the DMZ to the Inside. I have a rule set on the firewall that permits the IP address of the switch to connect to the IP address of the NTP server as follows:
access-list intdmz1_acl extended permit udp host <IP address of switch> host <IP address of NTP server> eq ntp
I can see the hit counter on this rule incrementing.
The firewall can ping the NTP server, and the NTP server can ping the switch, so I think routing is OK.
Output from the DMZ switch:
switch#show ntp associations
address ref clock st when poll reach delay offset disp
~192.168.65.254 0.0.0.0 16 - 64 0 0.0 0.00 16000.
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
switch#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
PRNLN-DMZ-SW01#sh run | inc ntp
ntp source Vlan138
ntp server 192.168.65.254
ukhvdc00vs01#sh run | inc ntp
ntp source Vlan65
ntp master 3
ntp update-calendar
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
PRNLN-DMZ-SW01#show ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 0.00 msec, peer dispersion is 0.00 msec
Does the firewall rule need to permit more than UDP/123 for this to work perhaps?
NTPconfig on DMZ switch:
switch#sh run | inc ntp
ntp source Vlan138
ntp server <IP address of NTP server>
===================
NTP config on NTP server:
NTP_Server#sh run | inc ntp
ntp source Vlan65
ntp master 3
ntp update-calendar
ntp server 0.uk.pool.ntp.org
ntp server 1.uk.pool.ntp.org
Any guidance welcomed.
Thank you,
Olly
Hi Julio,
For the purposes of this information:
DMZ switch IP = 5.6.7.8
NTP server IP = 10.1.1.1
Here's the output from the show commands:
ciscoasa# show capture NTPCAPTUREDMZ
11 packets captured
1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
3: 16:24:13.274033 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
4: 16:24:57.272813 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
5: 16:24:58.279480 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
6: 16:24:59.277817 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
7: 16:25:00.275971 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
8: 16:25:01.275559 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
9: 16:25:02.272599 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
10: 16:25:03.279129 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
11: 16:25:04.277710 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
11 packets shown
ciscoasa# show capture NTPCAPTUREINSIDE
0 packet captured
0 packet shown
ciscoasa# show capture NTPASP | include 10.1.1.1
419: 16:24:13.274171 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
1820: 16:24:57.272904 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
1841: 16:24:58.279587 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
1876: 16:24:59.277909 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
1934: 16:25:00.276062 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2027: 16:25:01.275651 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2068: 16:25:02.272690 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2095: 16:25:03.279221 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2129: 16:25:04.277802 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2200: 16:25:05.275849 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2233: 16:25:06.274094 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2275: 16:25:07.273606 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2327: 16:25:08.280182 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2347: 16:25:09.277222 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2373: 16:25:10.275467 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2399: 16:25:11.273759 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
2414: 16:25:12.273347 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123: udp 48
I'm guessing we should see some packets in the second capture, but we're not...
Does this help?
Thanks!
Olly -
Loop with WMI Query taking too long, need to break out if time exceeds 5 min
I've written a script that will loop through a list of computers and run a WMI query using the Win32_Product class. I am pinging the host first to ensure it's online, which eliminates wasting time, but the issue I'm facing is that some of the machines
are online but the WMI query takes too long and holds up the script. I wanted to add a timeout to the WMI query so if a particular host will not respond to the query or gets stuck the loop will break out and go to the next computer object. I've added my code
below:
$Computers = @()
$computers += "BES10-BH"
$computers += "AUTSUP-VSUS"
$computers += "AppClus06-BH"
$computers += "Aut01-BH"
$computers += "AutLH-VSUS"
$computers += "AW-MGMT01-VSUS"
$computers += "BAMBOOAGT-VSUS"
## Loop through all computer objects found in $Computers Array
$JavaInfo = @()
FOREACH($Client in $Computers)
{
    ## Gather WMI installed Software info from each client queried
    Clear-Host
    Write-Host "Querying: $Client" -foregroundcolor "yellow"
    $HostCount++
    ## Ping the host being queried (the posted code pinged the fixed name ADRAP-VSUS here)
    $Online = (test-connection -ComputerName $Client -Count 1 -Quiet)
    IF($Online -eq "True")
    {
        $ColItem = Get-WmiObject -Class Win32_Product -ComputerName $Client -ErrorAction SilentlyContinue | `
            Where {(($_.name -match "Java") -and (!($_.name -match "Auto|Visual")))} | `
            Select-Object Name,Version
        FOREACH($Item in $ColItem)
        {
            ## Write Host Name as variable
            $HostNm = ($Client).ToUpper()
            ## Query Named Version of Java, if Java is not installed fill variable as "No Java Installed"
            $JavaVerName = $Item.name
            IF([string]::IsNullOrEmpty($JavaVerName))
            {$JavaVerName = "No Installed"}
            ## Query Version of Java, if Java is not installed fill variable as "No Java Installed"
            $JavaVer = $Item.Version
            IF([string]::IsNullOrEmpty($JavaVer))
            {$JavaVer = "Not Installed"}
            ## Create new object to organize Host,JavaName & Version
            $JavaProp = New-Object -TypeName PSObject -Property @{
                "HostName" = $HostNm
                "JavaVerName" = $JavaVerName
                "JavaVer" = $JavaVer
            }
            ## Add new object data "JavaProp" from loop into array "JavaInfo"
            $JavaInfo += $JavaProp
        }
    }
    Else
    {Write-Host "$Client didn't respond, Skipping..." -foregroundcolor "Red"}
}
Let me give you a bigger picture of the script. I've included the emailed table the script produces and the actual script. While running the script certain hosts get hung up when running the WMI query which causes the script to never complete. From one of
the posts I was able to use the Get-WmiCustom function to add a timeout of 15 seconds and then the script will continue if it is stuck. The problem is when a host is skipped I am not aware of it because my script is not reporting the server that timed out.
If you look at ZLBH02-VSUS highlighted in the report you can see that it's reporting not installed when it should say something to the effect of "query hung".
How can I add a variable in the function that will be available outside the function that I can key off of to differentiate between a host that does not have the software installed and one that failed to query?
Script Output:
Script:
## Name: JavaReportWMI.ps1 ##
## Requires: Power Shell 2.0 ##
## Created: January 06, 2015 ##
<##> $Version = "Script Version: 1.0" <##>
<##> $LastUpdate = "Updated: January 06, 2015" <##>
## Configure Compliant Java Versions Below ##
<##> $java6 = "6.0.430" <##>
<##> $javaSEDEVKit6 = "1.6.0.430" <##>
<##> $java7 = "7.0.710" <##>
<##> $javaSEDEVKit7 = "1.7.0.710" <##>
<##> $java8 = "8.0.250" <##>
<##> $javaSEDDEVKit8 = "1.8.0.250" <##>
## Import Active Directory Module
Import-Module ActiveDirectory
$Timeout = "False"
Function Get-WmiCustom([string]$computername,[string]$namespace,[string]$class,[int]$timeout=15)
{
    $ConnectionOptions = new-object System.Management.ConnectionOptions
    $EnumerationOptions = new-object System.Management.EnumerationOptions
    ## Per-enumeration timeout, so a hung host cannot block the loop forever
    $timeoutseconds = new-timespan -seconds $timeout
    $EnumerationOptions.set_timeout($timeoutseconds)
    $assembledpath = "\\" + $computername + "\" + $namespace
    #write-host $assembledpath -foregroundcolor yellow
    $Scope = new-object System.Management.ManagementScope $assembledpath, $ConnectionOptions
    $Scope.Connect()
    $querystring = "SELECT * FROM " + $class
    #write-host $querystring
    $query = new-object System.Management.ObjectQuery $querystring
    $searcher = new-object System.Management.ManagementObjectSearcher
    $searcher.set_options($EnumerationOptions)
    $searcher.Query = $querystring
    $searcher.Scope = $Scope
    ## Errors (including a timeout) are written to the output instead of stopping the script
    trap { $_ }
    $result = $searcher.get()
    return $result
}
## Log time for duration clock
$Start = Get-Date
$StartTime = "StartTime: " + $Start.ToShortTimeString()
## Environmental Variables
$QueryMode = $Args #parameter for either "Desktops" / "Servers"
$CsvPath = "C:\Scripts\JavaReport\JavaReport" + "$QueryMode" + ".csv"
$Date = Get-Date
$Domain = $env:UserDomain
$HostName = ($env:ComputerName).ToLower()
## Regional Settings
## Used for testing
IF ($Domain -eq "abc") {$Region = "US"; $SMTPDomain = "abc.com"; `
$ToAddress = "[email protected]"; `
$ReplyDomain = "abc.com"; $smtpServer = "relay.abc.com"}
## Control Variables
$FromAddress = "JavaReport@$Hostname.na.$SMTPDomain"
$EmailSubject = "Java Report - $Region"
$computers = @()
$computers += "ZLBH02-VSUS"
$computers += "AUTSUP-VSUS"
$computers += "AppClus06-BH"
$computers += "Aut01-BH"
$computers += "AutLH-VSUS"
$computers += "AW-MGMT01-VSUS"
$computers += "BAMBOOAGT-VSUS"
#>
## Loop through all computer objects found in $Computers Array
$JavaInfo = @()
FOREACH($Client in $Computers)
{
    ## Gather WMI installed Software info from each client queried
    Clear-Host
    Write-Host "Querying: $Client" -foregroundcolor "yellow"
    $HostCount++
    ## Ping the host being queried (the posted code pinged the fixed name ADRAP-VSUS here)
    $Online = (test-connection -ComputerName $Client -Count 1 -Quiet)
    IF($Online -eq "True")
    {
        $ColItem = Get-WmiCustom -Class Win32_Product -Namespace "root\cimv2" -ComputerName $Client -ErrorAction SilentlyContinue | `
            Where {(($_.name -match "Java") -and (!($_.name -match "Auto|Visual")))} | `
            Select-Object Name,Version
        FOREACH($Item in $ColItem)
        {
            ## Write Host Name as variable
            $HostNm = ($Client).ToUpper()
            ## Query Named Version of Java, if Java is not installed fill variable as "No Java Installed"
            $JavaVerName = $Item.name
            IF([string]::IsNullOrEmpty($JavaVerName))
            {$JavaVerName = "No Installed"}
            ## Query Version of Java, if Java is not installed fill variable as "No Java Installed"
            $JavaVer = $Item.Version
            IF([string]::IsNullOrEmpty($JavaVer))
            {$JavaVer = "Not Installed"}
            ## Create new object to organize Host,JavaName & Version
            $JavaProp = New-Object -TypeName PSObject -Property @{
                "HostName" = $HostNm
                "JavaVerName" = $JavaVerName
                "JavaVer" = $JavaVer
            }
            ## Add new object data "JavaProp" from loop into array "JavaInfo"
            $JavaInfo += $JavaProp
        }
    }
    Else
    {Write-Host "$Client didn't respond, Skipping..." -foregroundcolor "Red"}
}
#Write-Host "Host Query Count: $LoopCount" -foregroundcolor "yellow"
## Sort Array
Write-Host "Starting Array" -foregroundcolor "yellow"
$JavaInfoSorted = $JavaInfo | Sort-object HostName
Write-Host "Starting Export CSV" -foregroundcolor "yellow"
## Export CSV file
$JavaInfoSorted | export-csv -NoType $CsvPath -Force
$Att = new-object Net.Mail.Attachment($CsvPath)
Write-Host "Building Table Header" -foregroundcolor "yellow"
## Table Header
$list = "<table border=1><font size=1.5 face=verdana color=black>"
$list += "<tr><th><b>Host Name</b></th><th><b>Java Ver Name</b></th><th><b>Ver Number</b></th></tr>"
Write-Host "Building HTML Table" -foregroundcolor "yellow"
FOREACH($Item in $JavaInfoSorted)
{
    Write-Host "$UniqueHost" -foregroundcolor "Yellow"
    ## Alternate Table Shading between Green and White
    IF($LoopCount++ % 2 -eq 0)
    {$BK = "bgcolor='E5F5D7'"}
    ELSE
    {$BK = "bgcolor='FFFFFF'"}
    ## Set Variables
    $JVer = $Item.JavaVer
    $Jname = $Item.JavaVerName
    ## Change Non-Compliant Java Versions to red in table
    IF((($jVer -like "6.0*") -and (!($jVer -match $java6))) -or `
       (($jName -like "*Java(TM) SE Development Kit 6*") -and (!($jName -match $javaSEDEVKit6))) -or `
       (($jVer -like "7.0*") -and (!($jVer -match $java7))) -or `
       (($jName -like "*Java SE Development Kit 7*") -and (!($jName -match $javaSEDEVKit7))))
    {
        $list += "<tr $BK style='color: #ff0000'>"
    }
    ELSE
    {
        ## Compliant Java version are displayed in black
        $list += "<tr $BK style='color: #000000'>"
    }
    ## Populate table with host name variable
    $list += "<td>" + $Item."HostName" + "</td>"
    ## Populate table with Java Version Name variable
    $list += "<td>" + $Item."JavaVerName" + "</td>"
    ## Populate table with Java Version variable
    $list += "<td>" + $Item."JavaVer" + "</td>"
    $list += "</tr>"
}
$list += "</table></font>"
$End = Get-Date
$EndTime = "EndTime: " + $End.ToShortTimeString()
#$TimeDiff = New-TimeSpan -Start $StartTime -End $EndTime
$StartTime
$EndTime
$TimeDiff
Write-Host "Total Hosts:$HostCount"
## Email Function
Function SendEmail
{
    $msg = new-object Net.Mail.MailMessage
    $smtp = new-object Net.Mail.SmtpClient($smtpServer)
    $msg.From = ($FromAddress)
    $msg.ReplyTo =($ToAddress)
    $msg.To.Add($ToAddress)
    #$msg.BCC.Add($BCCAddress)
    $msg.Attachments.Add($Att)
    $msg.Subject = ($EmailSubject)
    $msg.Body = $Body
    $msg.IsBodyHTML = $true
    $smtp.Send($msg)
    $msg.Dispose()
}
## Email Body
$Body = $Body + @"
<html><body><font face="verdana" size="2.5" color="black">
<p><b>Java Report - $Region</b></p>
<p>$list</p>
</html></body></font>
<html><body><font face="verdana" size="1.0" color="red">
<p><b> Note: Items in red do not have the latest version of Java installed. Please open a ticket to have an engineer address the issue.</b></p>
</html></body></font>
<html><body><font face="verdana" size="2.5" color="black">
<p>
$StartTime<br>
$EndTime<br>
$TimeDiff<br>
$HostCount<br>
</p>
<p>
Run date: $Date<br>
$Version<br>
$LastUpdate<br>
</p>
</html></body></font>
"@
## Send Email
SendEmail
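One way to tell a timed-out host apart from a host without the software, as an added example that is not part of the original post: instead of setting a variable for use outside the function, the query function returns a status object next to the results. `Get-WmiWithStatus` is a hypothetical name; the host names are the ones from the post.

```powershell
# Added example: Get-WmiWithStatus is a hypothetical helper, not the Get-WmiCustom from the post.
Add-Type -AssemblyName System.Management

function Get-WmiWithStatus {
    param(
        [string]$ComputerName,
        [string]$Class,
        [string]$Namespace = 'root\cimv2',
        [int]$TimeoutSeconds = 15
    )
    # The class name is concatenated into WQL, so accept identifier characters only.
    if ($Class -notmatch '^\w+$') { throw "Invalid WMI class name: $Class" }

    $span = New-TimeSpan -Seconds $TimeoutSeconds
    $conn = New-Object System.Management.ConnectionOptions
    $conn.Timeout = $span                      # bounds the connect phase
    $enum = New-Object System.Management.EnumerationOptions
    $enum.Timeout = $span                      # bounds each enumeration step

    $status = 'Ok'; $detail = ''; $items = @()
    try {
        $scope = New-Object System.Management.ManagementScope("\\$ComputerName\$Namespace", $conn)
        $scope.Connect()
        $query = New-Object System.Management.ObjectQuery("SELECT * FROM $Class")
        $searcher = New-Object System.Management.ManagementObjectSearcher($scope, $query, $enum)
        # Get() is lazy: force enumeration here so a timeout surfaces inside this try block.
        $items = @($searcher.Get())
    }
    catch {
        # PowerShell may wrap the .NET exception; walk down to the ManagementException if any.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Management.ManagementException])) {
            $ex = $ex.InnerException
        }
        if ($ex -and $ex.ErrorCode -eq [System.Management.ManagementStatus]::TimedOut) {
            $status = 'Timeout'
        } else {
            $status = 'Error'                  # RPC unavailable, access denied, invalid class, ...
        }
        $detail = $_.Exception.Message
    }
    New-Object PSObject -Property @{
        ComputerName = $ComputerName; Status = $status; Detail = $detail; Items = $items
    }
}

$JavaInfo = @()
foreach ($Client in 'ZLBH02-VSUS', 'AUTSUP-VSUS') {
    $r = Get-WmiWithStatus -ComputerName $Client -Class Win32_Product -TimeoutSeconds 15
    $java = @($r.Items | Where-Object { $_.Name -match 'Java' -and $_.Name -notmatch 'Auto|Visual' })
    if ($r.Status -ne 'Ok') {
        # Failed query: report the failure instead of "Not Installed".
        $rows = @(@{ Name = "Query $($r.Status)"; Version = $r.Detail })
    } elseif ($java.Count -eq 0) {
        $rows = @(@{ Name = 'Not Installed'; Version = 'Not Installed' })
    } else {
        $rows = $java
    }
    foreach ($row in $rows) {
        $JavaInfo += New-Object PSObject -Property @{
            HostName = $Client.ToUpper(); JavaVerName = $row.Name; JavaVer = $row.Version
        }
    }
}
$JavaInfo | Sort-Object HostName | Format-Table HostName, JavaVerName, JavaVer -AutoSize
```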
Hi Expert.
How I can allow dmz zone server to resolve only dns query through nslookup on ASA 5540 ?
What is the configuration required on ASA 5540 ?
Thanks
Hi Samir,
By IP address will be very simple, depending on the security level that it has (higher than 0 for DMZ and 0 for the outside) it will be allowed by default.
If there is an access-list already applied denying all the HTTP traffic, what you need to do is simply allow that specific host on the ACL and then deny the rest.
Access-list DMZ permit tcp host host eq 80
Access-list DMZ deny ip any any
access-group DMZ in interface DMZ
Then you can add a host entry on the hostfile for the server on the DMZ to translate the IP address to a hostname and you will be able to access it using the web browser (not really scalable, but it works)
WARNING: This will only allow traffic from the DMZ server going to specific host on the internet on port 80, any other traffic going to any other interface will be dropped.
Mike -
Endpoint on DMZ interface (through the firewall)
Hi
I have an ASA which connects to a BT Inifinty router. The address on the outside interface is dynamic. BT provide us with 5 static addresses (No NAT 5) which are routed to the outside interface but are a different subnet.
I would like to terminate the site to site VPN using one of the static IP addresses rather than the outside dynamic address.
Can I NAT the public static address to the DMZ interface (or any interface for that matter) and terminate the VPN on that interface i.e. the firewall is terminated through the firewall?
Thanks
Stuart
Update: A few people have looked but no answer. Is there some detail I need to add?
Matheus.Omega.Mendes wrote:
>Well one solution that they found was implements one hollow interface called InterfaceWeb, just to mark the classes that works on web and desktop, although our system isn't perfectly object oriented, this solution was the worst that I ever seen. At least I think this way and I'd like to know if someone agree, disagree or have some explication for this choose.
Hard to say without actually seeing it. Probably not a good idea.
Presumably the design was driven by time to market and cost rather than just because the developers didn't want to refactor.
As per the other suggestion, normally besides breaking the layers out you could share common functionality with a layer of its own (or several) -
WMI Query to retrieve only active IPv4 address
My turn to ask a question. I am running BGInfo for all workstations but at this stage want to only return the Active IPv4 address. I have a custom WMI query set up in BGInfo:
SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
This will return both IPv4 and v6 addresses. Without disabling IPv6 on my client workstations, is there a way I can get the query to return only the IPv4 address? Or should I instead create a custom vbscript in BGInfo to get the v4 address.
Cheers
Jeremy
You'd need to nose through the results and reject any IPv6 addresses.
This sample assumes IPv6 addresses always contain a ":" in the string...
strMsg = ""
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set IPConfigSet = objWMIService.ExecQuery _
    ("Select IPAddress from Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'")
For Each IPConfig in IPConfigSet
    If Not IsNull(IPConfig.IPAddress) Then
        For i = LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)
            ' Keep only entries without ":" (IPv4)
            If Not Instr(IPConfig.IPAddress(i), ":") > 0 Then
                strMsg = strMsg & IPConfig.IPAddress(i) & vbcrlf
            End If
        Next
    End If
Next
Wscript.Echo strMsg
HTH
Nomadtales wrote:
>My turn to ask a question. I am running BGInfo for all workstations but at this stage want to only return the Active IPv4 address. I have a custom WMI query set up in BGInfo:
>
>SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
>
>This will return both IPv4 and v6 addresses. Without disabling IPv6 on my client workstations, is there a way I can get the query to return only the IPv4 address? Or should I instead create a custom vbscript in BGInfo to get the v4 address.
>
>Cheers
>
>Jeremy
Ha®®y -
WMI Query to find the host of a VM ?
Is it possible to find through WMI on which virtual host a specific virtual machine runs? I am aware that there is a PowerShell solution. I am specifically interested in a WMI Query.
TIA
Alex
2 one-liners:
$ComputerName = 'MyVMName'
# Remote Registry
([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$ComputerName)).OpenSubKey('SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters').GetValue('PhysicalHostName')
# WMI (2147483650 is the numeric value of HKEY_LOCAL_MACHINE)
(([WMIClass]"\\$ComputerName\ROOT\DEFAULT:StdRegProv").GetStringValue(2147483650,'SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters','PhysicalHostName')).sValue
-
Cisco 8851 phones registering through Checkpoint firewall
We have a customer with a secured network, using Checkpoint firewalls and have a VPN site-to-site tunnel between our Cisco ASA and their Checkpoint firewall, with Cisco phones on the far side of the tunnel and CallManager 8.6 behind the ASAs. We have all the proper network ports referenced, but cannot get either a new Cisco 8851 (SIP) or a Cisco 7942 phone to register. The 8851 phone, when it tries to register, uses the 6970 port for distributed TFTP via HTTP first (by design), followed by TFTP/69. The 7900 phone never generates TFTP on port 69 at all. What is also strange is that the source port 5060 on the 8851 phone seems to be masked with an upper ephemeral network port (51566) when the request traverses the network, regardless of it passing through the firewall or a router. I know that TFTP uses UDP, but there is nothing in the docs that state it uses these upper port ranges?
Is this behavior normal for a Cisco SIP-based phone, and with the Skinny phone, is there something with Checkpoint firewalls that causes issues with Cisco VOIP phones? I have done keyword searches on the Forum for this issue, but have not found anything significant. I have also looked at the Nokia support forum, and saw some briefs, but it didn't directly describe our issue. Any help would be greatly appreciated.
Thanks,
Hi Andrew
The attached document may assist:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
Hope this helps.
Barry Hesk
Intrinsic Network Solutions -
Remote access vpn going through another firewall segment
Hi,
Can I know that when use remote access vpn connect to asa firewall inside interface, after that the remote access vpn is it can connect to another firewall segment , the firewall segment is behind the inside interface?
Hello Sam,
As long as you include that traffic into the crypto acl and also on the NO_NAT configuration the answer would be yes. That is possible
Regards,
Julio -
I'm in the middle of configuring IP Phone SSL VPN through ASA, and got stuck on authentication. When I enter username and password on the phone screen, I get a "Username and password failed" message on the screen. However, in the ASA logs I see the following lines:
Feb 16 2011 15:12:57 725002 85.132.43.67 52684 Device completed SSL handshake with client vpn:85.132.*.*/52684
Feb 16 2011 15:17:26 725007 85.132.43.67 52745 SSL session with client vpn:85.132.*.*/52745 terminated.
What does it mean? How can I turn on debugging to see what is going on?
Thank you in advance!
Hi,
If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs including 'debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
SCCM 2012 R2 CU2 Can't Edit WMI Query Code in Report Builder
I first posted this in the SCCM but the issue is not solved so I thought I'd try here in the SQL Reporting forum. Original thread here: http://social.technet.microsoft.com/Forums/en-US/b0a6ca3d-7471-4b49-8447-7403a65c2ec0/sccm-2012-r2-cu2-cant-edit-wmi-query-code-in-sccm-reports?forum=configmanagergeneral
I'll repost info here to make this easier.....
I built a new SCCM 2012 R2 CU2 suite on Server 2012 R2. This also uses SQL 2012 SP1 CU6. This suite has 4 servers: site server, two for WSUS and secondary DPs, and SQL. This problem is true for the built in reports and my custom reports. Our SQL guy has
been helping me a lot but we've gotten nowhere. I can run a report. I can open one in edit mode after it prompts me for credentials. It loads Report Builder 3.0. But when I go to a dataset/query, enter credentials, and try to open it, I get a popup that
says "Unable to connect to data source. 'AutoGen_5C6358F2_yayak..." When I click on details it says "The target principal name is incorrect. A connection was successfully established with the server, but then an error occurred during the login
process. (SSL Provider, error: 0 -The target principal name is incorrect.)" In SQL Reporting Services Config Manager the paths for Web Service URL is
http://ip.ip.ip.ip:80/ReportServer_SC01 and for Report Manager URL:
http://ip.ip.ip.ip:80/Reports_SC01. A domain account is used to login. This happens when you r-click a dataset and select query to edit the code of a dataset, ie, when query designer tries to open up. It happens
in both Admin Console and when using the Report Manager URL within SQL SSRS. All other functions of using edit mode of a report work fine.
Ben JohnsonWY
When I do that, browse is dimmed out.
But, if I deselect "create a data set" and click "choose an existing dataset in this report..." there is no data connection at the end.
But if I don't use report builder and instead use IE to browse to my ConfigMgr_ABC, I do see the connection at the end: {123...}.
This problem is on a network that is not on the 'net, so it's hard to do screen shots, so I'll reproduce this problem step by step:
I pick a report to edit, it doesn't matter which one.
If I try it in Admin Console, I right-click, Edit the report, it asks me for a login, I login, then I get a popup that says "Cannot continue. The application is improperly formatted. Contact the vendor for assistance. I click the Details button and
get a long set of text but the key part is "Your web browser settings do not allow you to run signed applications." This msg didn't appear before, so something changed, so I will investigate. I think it used to give a SPN error.
If I use IE within report builder and navigate to whatever report, click open, everything works, except, when I click on Dataset0 (the key one I normally need to edit), click query, it prompts me for a login and no matter which one I use, i get a popup that
says "unable to connect to data source 'AutoGen_123...'". If I click details I get "the target principal name is incorrect. A connection was successfully established with the server, but then an error occurred during the login process. (provider:
SSL Provider 0-The target principal name is incorrect.)
Ben JohnsonWY -
How Can i Use two Different Public IP Addresses no my DMZ with ASA Firewall.
How To Using Two Different Public IP Address on My DMZ with ASA 5520
Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
Hi everyone out there.
Can anyone please help me regarding this situation that I'm looking for a solution for?
My old range of public IP addresses is finished, I mean (the 41.x.x.0 range).
So now I still need to have in my DMZ another two servers that will bring some new services.
Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
So as I said, my old range of public IP addresses is finished and we asked the ISP to give us some additional public
IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range of 197.216.1.24/29.
So my question is, in the real world (on the equipment), how can I use two different public IP addresses on the same DMZ
on Cisco ASA 5520 v8?
How should my configuration look?
I was told about implementing static NAT with subinterfaces on both the router and ASA interface.
Can someone please give me some help with a practical config sample? I can also be reached at [email protected]
Attached is my network diagram for a better understanding.
I thank everybody in advance.
Jorge
Hi,
So looking at your picture you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.
Now you have gotten a new public IP address range from the ISP and want to get it into use.
How do you want to use this IP address range? Do you want to configure the public IP addresses directly on the servers, or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
To get the routing working naturally, the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
So you don't really need to change the interface configuration between the Router and ASA at all. You just need a static route pointing the new public IP address range towards the ASA outside IP address.
Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall?
This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range AND then configure the LAN devices correspondingly to the chosen method on the firewall.
Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses?
This would require you to only start configuring Static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses, of course.
Of the above ways:
The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
The second way is the one requiring the least amount of configuration/changes on the ASA. In this case, though, you might run into problems with DNS (to which I refer above), as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from the LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to a public IP address towards the LAN also).
Hopefully the above was helpful. Naturally, ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
- Jouni -
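The static route and the second (static NAT) option described in the reply above, as an added configuration sketch that is not part of the original posts. The `<ASA_OUTSIDE_IP>` placeholder, the DMZ server addresses 192.168.50.10 and 192.168.50.11, the interface names `dmz`/`inside`/`outside`, the ACL name and tcp/443 are assumptions; 197.216.1.24/29 is the range from the question. Because "v8" covers both NAT syntaxes, the pre-8.3 and the 8.3+ forms are both shown; use only the one that matches the running version.

```cisco
! ----- Edge router (IOS): route the new block to the ASA -----
! <ASA_OUTSIDE_IP> is a placeholder for the ASA's existing outside
! address in the old 41.x.x.0 range (not given on the page).
ip route 197.216.1.24 255.255.255.248 <ASA_OUTSIDE_IP>

! ----- ASA 8.2 and earlier: static NAT, dmz -> outside -----
! Syntax: static (real_if,mapped_if) mapped_ip real_ip
! Server addresses below are assumed for illustration.
static (dmz,outside) 197.216.1.25 192.168.50.10 netmask 255.255.255.255
static (dmz,outside) 197.216.1.26 192.168.50.11 netmask 255.255.255.255
! Optional: present the same public address to LAN users, so that
! public DNS answers also work from the inside (the DNS issue above).
static (dmz,inside) 197.216.1.25 192.168.50.10 netmask 255.255.255.255
static (dmz,inside) 197.216.1.26 192.168.50.11 netmask 255.255.255.255
! Before 8.3 the outside ACL matches the mapped (public) address.
! Permit only the published service, not "ip any".
access-list OUTSIDE_IN extended permit tcp any host 197.216.1.25 eq 443
access-list OUTSIDE_IN extended permit tcp any host 197.216.1.26 eq 443
access-group OUTSIDE_IN in interface outside

! ----- ASA 8.3 and later: object NAT, dmz -> outside -----
object network DMZ-SRV1
 host 192.168.50.10
 nat (dmz,outside) static 197.216.1.25
object network DMZ-SRV2
 host 192.168.50.11
 nat (dmz,outside) static 197.216.1.26
! An object carries one nat statement, so the LAN-facing translation
! needs its own object for the same host.
object network DMZ-SRV1-LAN
 host 192.168.50.10
 nat (dmz,inside) static 197.216.1.25
object network DMZ-SRV2-LAN
 host 192.168.50.11
 nat (dmz,inside) static 197.216.1.26
! From 8.3 on the outside ACL matches the real (private) address.
access-list OUTSIDE_IN extended permit tcp any host 192.168.50.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.50.11 eq 443
access-group OUTSIDE_IN in interface outside
```

If an ACL is already bound inbound on the outside interface, append the permit lines to that ACL instead of binding a new one, since an interface takes only one ACL per direction.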
ASA firewall won't ping remote site
We have a remote office which I can ping while at the main office, but when I am connected to VPN from office or home, I can't ping the remote office.
VPN gives me an IP 10.21.18.x
Remote site's IP is: 172.29.x.x
I have the access-list information for the ASA firewall and router below:
Below is the multilayer:
OFFICE-CORE-01#show ip access-lists
Extended IP access list verizon-INTERNET-TRAFFIC
10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
40 permit ip 10.23.20.0 0.0.0.255 any
50 permit ip 10.23.21.0 0.0.0.255 any
60 permit ip 10.23.22.0 0.0.0.255 any
70 permit ip 10.23.23.0 0.0.0.255 any
80 permit ip 10.23.24.0 0.0.0.255 any
90 permit ip 10.23.25.0 0.0.0.255 any
100 permit ip 10.23.26.0 0.0.0.255 any
Extended IP access list PAETEC-INTERNET-TRAFFIC
10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
40 permit ip 10.23.20.0 0.0.0.255 any
50 permit ip 10.23.21.0 0.0.0.255 any
60 permit ip 10.23.22.0 0.0.0.255 any
70 permit ip 10.23.23.0 0.0.0.255 any
80 permit ip 10.23.24.0 0.0.0.255 any
90 permit ip 10.23.25.0 0.0.0.255 any
100 permit ip 10.23.26.0 0.0.0.255 any
Extended IP access list system-cpp-all-routers-on-subnet
10 permit ip any host 224.0.0.2
Extended IP access list system-cpp-all-systems-on-subnet
10 permit ip any host 224.0.0.1
Extended IP access list system-cpp-dhcp-cs
10 permit udp any eq bootpc any eq bootps
Extended IP access list system-cpp-dhcp-sc
10 permit udp any eq bootps any eq bootpc
Extended IP access list system-cpp-dhcp-ss
10 permit udp any eq bootps any eq bootps
Extended IP access list system-cpp-energywise-disc
10 permit udp any eq any eq 0
Extended IP access list system-cpp-hsrpv2
10 permit udp any host 224.0.0.102
Extended IP access list system-cpp-igmp
10 permit igmp any 224.0.0.0 31.255.255.255
Extended IP access list system-cpp-ip-mcast-linklocal
10 permit ip any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ospf
10 permit ospf any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-pim
10 permit pim any 224.0.0.0 0.0.0.255
Extended IP access list system-cpp-ripv2
10 permit ip any host 224.0.0.9
----------------------------------ASA ACCESS-LIST is below the brief version-------
access-list CompanyName-vpn-maint_splitTunnelAcl line 10 standard permit 172.29.0.0 255.255.0.0 (hitcnt=0) 0x52bc4d4c
-----------------------below is the ASA routes-----------------------
Gateway of last resort is 53.138.58.129 to network 0.0.0.0
S 192.168.10.0 255.255.255.0 [1/0] via 10.21.0.1, inside
C 172.17.21.0 255.255.255.0 is directly connected, dmz_tier2
S 172.16.142.0 255.255.254.0 [1/0] via 53.138.58.129, outside
C 172.16.21.0 255.255.255.0 is directly connected, dmz_tier1
C 172.19.21.0 255.255.255.0 is directly connected, dmz_tier4
S 172.23.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S 172.25.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.25.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.24.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 172.26.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.26.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S 172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.28.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 172.28.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 192.168.20.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S 10.11.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 10.13.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 10.10.21.1 255.255.255.255 [1/0] via 10.21.0.1, inside
S 10.10.21.2 255.255.255.255 [1/0] via 10.21.0.1, inside
S 10.22.0.0 255.255.0.0 [1/0] via 53.138.58.129, outside
S 10.23.3.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S 10.23.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S 10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
S 10.10.21.10 255.255.255.255 [1/0] via 10.21.0.1, inside
C 10.21.0.0 255.255.255.0 is directly connected, inside
S 10.22.3.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S 10.10.41.0 255.255.255.0 [1/0] via 53.138.58.129, outside
C 53.138.58.128 255.255.255.128 is directly connected, outside
S 192.168.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
S 0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
------------------------------------below is the router's routes----------
Gateway of last resort is 10.21.0.11 to network 0.0.0.0
205.232.16.0/32 is subnetted, 1 subnets
S 205.232.16.25 [1/0] via 10.21.0.11
62.0.0.0/32 is subnetted, 1 subnets
S 62.100.0.146 [1/0] via 10.21.0.12
178.78.0.0/32 is subnetted, 1 subnets
S 178.78.147.193 [1/0] via 10.21.0.12
C 192.168.10.0/24 is directly connected, Vlan29
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
S 172.16.141.0/24 [1/0] via 10.21.0.11
S 172.16.142.0/23 [1/0] via 10.21.0.11
S 172.16.40.1/32 [1/0] via 10.21.2.12
S 172.16.40.10/32 [1/0] via 10.21.2.12
S 172.16.21.0/24 [1/0] via 10.21.0.11
172.19.0.0/24 is subnetted, 1 subnets
S 172.19.21.0 [1/0] via 10.21.0.11
172.18.0.0/24 is subnetted, 1 subnets
S 172.18.21.0 [1/0] via 10.21.0.12
172.23.0.0/24 is subnetted, 3 subnets
S 172.23.186.0 [1/0] via 10.21.0.6
S 172.23.184.0 [1/0] via 10.21.0.6
S 172.23.181.0 [1/0] via 10.21.0.6
S 172.25.0.0/16 [1/0] via 10.21.0.11
172.24.0.0/24 is subnetted, 3 subnets
C 172.24.181.0 is directly connected, Vlan31
C 172.24.186.0 is directly connected, Vlan32
C 172.24.187.0 is directly connected, Vlan33
S 172.26.0.0/16 [1/0] via 10.21.0.11
172.29.0.0/24 is subnetted, 3 subnets
S 172.29.181.0 [1/0] via 10.21.0.6
S 172.29.184.0 [1/0] via 10.21.0.6
S 172.29.190.0 [1/0] via 10.21.0.6
S 172.28.0.0/16 [1/0] via 10.21.0.11
C 192.168.20.0/24 is directly connected, Vlan30
10.0.0.0/8 is variably subnetted, 35 subnets, 4 masks
S 10.11.0.0/16 [1/0] via 10.21.0.6
C 10.21.28.0/24 is directly connected, Vlan28
C 10.21.26.0/24 is directly connected, Vlan26
C 10.21.25.0/24 is directly connected, Vlan25
S 10.12.0.0/16 [1/0] via 10.21.0.6
C 10.21.24.0/24 is directly connected, Vlan24
S 10.13.0.0/16 [1/0] via 10.21.0.6
C 10.21.23.0/24 is directly connected, Vlan23
C 10.21.22.0/24 is directly connected, Vlan22
C 10.21.21.0/24 is directly connected, Vlan21
C 10.21.20.0/24 is directly connected, Vlan20
C 10.21.19.0/24 is directly connected, Vlan19
S 10.21.18.0/24 [1/0] via 10.21.0.12
S 10.21.17.0/24 [1/0] via 10.21.0.11
C 10.21.16.0/24 is directly connected, Vlan16
C 10.21.15.0/24 is directly connected, Vlan15
C 10.21.14.0/24 is directly connected, Vlan14
C 10.21.13.0/24 is directly connected, Vlan13
C 10.21.12.0/24 is directly connected, Vlan12
C 10.21.11.0/24 is directly connected, Vlan11
C 10.10.21.1/32 is directly connected, Loopback0
S 10.31.0.0/16 [1/0] via 10.21.0.6
D 10.10.21.2/32 [90/130816] via 10.21.252.10, 7w0d, Vlan999
C 10.21.5.0/24 is directly connected, Vlan5
C 10.21.4.0/24 is directly connected, Vlan4
S 10.22.0.0/16 [1/0] via 10.21.0.11
C 10.21.3.0/24 is directly connected, Vlan3
C 10.21.2.0/24 is directly connected, Vlan2
C 10.23.2.0/24 is directly connected, Vlan900
S 10.22.3.0/24 [1/0] via 10.21.0.11
C 10.21.0.0/24 is directly connected, Vlan1000
S 10.41.0.0/16 [1/0] via 10.21.0.11
S 10.10.41.0/24 [1/0] via 10.21.0.11
S 10.51.0.0/16 [1/0] via 10.21.0.6
C 10.21.252.8/30 is directly connected, Vlan999
62.0.0.0/32 is subnetted, 1 subnets
S 62.138.58.129 [1/0] via 10.21.0.11
S 192.168.2.0/24 [1/0] via 10.21.0.12
S* 0.0.0.0/0 [1/0] via 10.21.0.11